Ldap – Apache 2.4 with Kerberos Auth and LDAP Authorization

Tags: apache-2.4, centos7, kerberos, ldap

I am trying to set up an Apache SVN repository with Kerberos authentication and LDAP group membership authorization, so that only users that belong to a specific group can access it. Kerberos auth on its own is working OK, as does LDAP on its own. But I'd like to combine them in such a way that I have no plain-text credentials for binding to the LDAP directory in the Apache configuration. My current config (which does not work) is:

LDAPVerifyServerCert Off

<Location /svn01>
        DAV     svn
        SVNParentPath   /var/www/svn01
        AuthType Kerberos
        Authname        "Test Repo"
        KrbMethodK5Passwd       On
        KrbAuthRealms           KOUKOU.LOCAL
        KrbSaveCredentials      On
        KrbServiceName          HTTP
        Krb5KeyTab              /etc/httpd/conf.d/svnusr.http.keytab
        AuthLDAPUrl ldaps://ad01.koukou.local:636/dc=koukou,dc=local?krbPrincipalName
        Require ldap-group CN=admins,CN=Users,DC=koukou,DC=local
</Location>

I've seen this kind of configuration on the internet, but it does not work for me. What I'm getting in browser is "Unauthorized" and in apache error log I get:

[Thu Mar 02 09:55:21.817559 2017] [authnz_ldap:debug] [pid 10314] mod_authnz_ldap.c(838): [client 172.21.11.13:57737] AH01711: auth_ldap authorise: User DN not found, User not found

and

[Thu Mar 02 09:55:21.817605 2017] [authz_core:error] [pid 10314] [client XXX.XXX.XXX.XXX:57737] AH01631: user username@KOUKOU.LOCAL: authorization failure for "/svn01/repo":

Am I getting something wrong? Even if I add a segment to bind with credentials in the config, I'm still getting the above errors.

Apache version is 2.4.6, CentOS is 7.2 and Windows AD is 2012 R2 with 2008 functional level.

Thanks in advance,
Nick

Best Answer

For this particular issue, this is working for me:

KrbLocalUserMapping On

You need at least this version for this: mod_auth_kerb-5.4
More to this:
https://bugzilla.redhat.com/show_bug.cgi?id=970678
And I'm using this as well:

Require valid-user

More to this:
https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth
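Added example, not part of the question or the answer: the asker's <Location> block with the answer's KrbLocalUserMapping directive applied, and the ldap-group check from the question kept. Everything beyond what appears above is an assumption made for illustration: the AD attribute searched is sAMAccountName (the question uses krbPrincipalName), the read-only bind account svc-ldap-ro, the password-helper path, and the CA certificate path are placeholders, and certificate verification is switched on. Apache does not accept comments at the end of a directive line, so every comment sits on its own line.

```apache
# Assumption: verify the AD server certificate against the issuing CA instead of
# LDAPVerifyServerCert Off. The certificate path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/koukou-ca.pem
LDAPVerifyServerCert On

<Location /svn01>
    DAV                 svn
    SVNParentPath       /var/www/svn01

    AuthType            Kerberos
    AuthName            "Test Repo"
    KrbMethodK5Passwd   On
    KrbAuthRealms       KOUKOU.LOCAL
    KrbSaveCredentials  On
    KrbServiceName      HTTP
    Krb5KeyTab          /etc/httpd/conf.d/svnusr.http.keytab

    # From the answer (needs mod_auth_kerb 5.4 or later): hand the authorization
    # layer "username" rather than "username@KOUKOU.LOCAL", so the LDAP lookup
    # below can match it.
    KrbLocalUserMapping On

    # Assumption: AD does not normally answer an anonymous search for a user's DN,
    # so a read-only bind account is used. With httpd 2.4.5 or later the password
    # can be read from a root-only program at startup via exec:, which keeps it
    # out of this file. Both values are placeholders.
    AuthLDAPBindDN       "CN=svc-ldap-ro,CN=Users,DC=koukou,DC=local"
    AuthLDAPBindPassword exec:/etc/httpd/ldap-bind-password.sh

    # Assumption: match the mapped user name against sAMAccountName, the AD
    # attribute that holds the short logon name.
    AuthLDAPUrl "ldaps://ad01.koukou.local:636/DC=koukou,DC=local?sAMAccountName?sub?(objectClass=user)"

    # Only members of the admins group may reach the repository; the DN is the
    # one from the question.
    Require ldap-group CN=admins,CN=Users,DC=koukou,DC=local
</Location>
```

With this layout mod_auth_kerb performs the authentication and mod_authnz_ldap only has to find the user's DN and check group membership, so the bind account never needs more than read access. If the "User DN not found" debug message from the question persists, confirm that the attribute named in AuthLDAPUrl is the one that actually carries the value REMOTE_USER now contains after the realm has been stripped.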