Apache 401 redirect for kerberos authentication

apache-2.4 kerberos

For our helpdesk we use the GLPI package with Kerberos SSO for our active directory users.

Right now if someone does not have a valid kerberos ticket, we redirect them to GLPI login page on another domain.

The SSO domain is servicedesk.domain, the non SSO is sd.domain

Our users receive such a link, where "redirect" points to a specific ticket:

https://servicedesk.domain/index.php?redirect=ticket_20600_Ticket

In the SSO virtualhost definition in Apache, we redirect invalid connections with:

ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://sd.domain\"></html>"

Unfortunately, that strips the remainder of the URL, which means the users get sent to the home page of the website instead of the right ticket after manual authentication.

Is there any way to dynamically redirect to something like this instead?

https://sd.domain/index.php?redirect=ticket_20600_Ticket

Best Answer

So in answer to the question it seems like the following will work

ErrorDocument 401 /path/to/my401.cgi

And then use the CGI to look for the referrer. In answer to your other question I wouldn't use a rewriterule to do that at all. Just add an http vhost

<VirtualHost *:80>
  # The Server name in both directives should be the same as your https vhost
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>
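A sketch of what such a 401 handler could look like, as an added example that is not part of the original answer. It reads the `REDIRECT_URL` and `REDIRECT_QUERY_STRING` variables that Apache sets for a local `ErrorDocument` handler, used here in place of the Referer header because Referer is client-controlled and often absent, and it keeps the 401 status with the same meta refresh as the question. The allowed paths and the accepted shape of the `redirect` value are assumptions; only a validated value is forwarded, so the handler cannot be turned into an open redirect or an HTML injection point.

```python
#!/usr/bin/env python3
"""401 handler CGI: keep the ticket parameter when bouncing to the non-SSO host."""
import html
import os
import re
import sys
from urllib.parse import parse_qs, urlencode

FALLBACK_HOST = "sd.domain"          # non-SSO host named in the question
ALLOWED_PATHS = {"/", "/index.php"}  # assumption: only these entry points are forwarded
# Assumption: redirect values look like "ticket_20600_Ticket" (letters, digits, underscore).
REDIRECT_VALUE = re.compile(r"[A-Za-z0-9_]{1,64}")


def target_url(environ):
    """Build the non-SSO URL from the original request Apache recorded."""
    path = environ.get("REDIRECT_URL", "/")
    if path not in ALLOWED_PATHS:
        path = "/"  # unknown path: fall back to the home page
    url = f"https://{FALLBACK_HOST}{path}"

    query = parse_qs(environ.get("REDIRECT_QUERY_STRING", ""))
    values = query.get("redirect", [])
    # Forward the parameter only if it appears once and matches the expected shape.
    if len(values) == 1 and REDIRECT_VALUE.fullmatch(values[0]):
        url += "?" + urlencode({"redirect": values[0]})
    return url


def response(environ):
    """Return the full CGI response: 401 status plus a meta refresh body."""
    url = html.escape(target_url(environ), quote=True)
    return (
        # Keep the 401 so clients holding a Kerberos ticket still negotiate.
        "Status: 401 Unauthorized\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
        f'<html><meta http-equiv="refresh" content="0;url={url}"></html>\n'
    )


if __name__ == "__main__":
    sys.stdout.write(response(os.environ))
```
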