I'm using rhel5 running a LAMP stack to create an intranet with. I'm attempting to achieve SSO with users on our network using IE and Firefox. Using the following module I'm able to successfully do it:
mod_auth_kerb
I would like to take it a step further and only allow access to certain locations based on group membership. I was able to achieve this with mod_authz_ldap. Is there a way to utilize both together and if so does anyone have any examples?
Below is the SSO kerberos setup:
<Location /sso/location>
AuthType Kerberos
AuthName "Please Login"
KrbServiceName HTTP
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.LOCAL
Krb5KeyTab /etc/httpd/keytab
require valid-user
</Location>
Below is the setup for allowing only members of a group access:
<Location /allowed/only/for/group>
AuthType Basic
AuthName "Please Login"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldapbinduser,CN=Users,DC=domain,DC=local"
AuthLDAPBindPassword ldapbinduserpass
require ldap-group CN=Staff,CN=Users,DC=domain,DC=local
require ldap-group CN=Faculty,CN=Users,DC=domain,DC=local
Satisfy any
</Location>
I've read about using kerberos to authenticate then using some PHP code to do a group lookup but I'm hoping this can be achieved strictly with apache configurations and no need for altering web page code.
Any help is greatly appreciated. Thanks.
…Google just showed me the following; is anyone using it?
http://www.stanford.edu/services/webauth/
Best Answer
This allows all users who are members of either the Students/Staff AD groups access to pages behind http://intranetsite/students without needing to specify login credentials provided their IE/Firefox are configured properly.
The userPrincipalName was used instead of sAMAccountName because the kerberos module was passing the username@REALM to the ldap module.
Now I have the problem where if someone isn't authorized they are presented with:
Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Does anyone know how to have it pop up a username/password dialog box so they could try alternate credentials? After unsuccessfully gaining authorization, the only way I can get it to ask for credentials is to clear out my cache. If I am logged in to the PC as an authenticated user, but one that isn't authorized to this resource, I have no way of supplying alternate credentials (which may be a good thing).
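The following is an added example (not the poster's own configuration, which the answer above does not reproduce) showing how the two snippets from the question can be merged into a single Location block for Apache 2.2 on RHEL 5: mod_auth_kerb performs the Negotiate authentication, and mod_authnz_ldap (the module that provides the AuthLDAPURL, AuthzLDAPAuthoritative and require ldap-group directives used in the question) performs the group check. It applies the point made in the answer: because mod_auth_kerb passes the full principal (user@DOMAIN.LOCAL) to the authorization layer, the LDAP lookup keys on userPrincipalName rather than sAMAccountName. The path /intranet/students, the Students group, the (objectClass=user) filter and the credentials are assumed or copied from the question and should be replaced with real values.

```apache
# Assumed path; mirrors the /students area mentioned in the answer.
<Location /intranet/students>
    # --- Authentication: Kerberos / SPNEGO via mod_auth_kerb (as in the question) ---
    AuthType Kerberos
    AuthName "Please Login"
    KrbServiceName HTTP
    KrbMethodNegotiate On
    # Basic-auth fallback for browsers without a ticket; only safe over HTTPS,
    # because the password is sent to the web server in the clear otherwise.
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.LOCAL
    Krb5KeyTab /etc/httpd/keytab

    # --- Authorization: AD group membership via mod_authnz_ldap ---
    # No AuthBasicProvider here: mod_auth_kerb has already authenticated the user,
    # so mod_authnz_ldap is used only to find the user's entry and check groups.
    #
    # mod_auth_kerb sets the remote user to user@DOMAIN.LOCAL, so the search
    # attribute is userPrincipalName, not sAMAccountName (the point in the answer).
    # (objectClass=user) narrows the search to user objects; the question used (objectClass=*).
    AuthLDAPURL "ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local?userPrincipalName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ldapbinduser,CN=Users,DC=domain,DC=local"
    # Placeholder: keep this file readable only by root, or move the bind
    # credentials to a separately protected file pulled in with Include.
    AuthLDAPBindPassword ldapbinduserpass

    # "on" makes a failed group check a hard deny instead of falling through
    # to any other authorization module.
    AuthzLDAPAuthoritative on

    # In Apache 2.2 several Require lines are OR'd: a member of either group passes.
    # The check compares the DN found by the search above against the group's
    # member attribute, so the search only has to locate the right user entry.
    Require ldap-group CN=Students,CN=Users,DC=domain,DC=local
    Require ldap-group CN=Staff,CN=Users,DC=domain,DC=local
</Location>
```

The `Satisfy any` line from the question's second snippet is dropped: it only matters when `Allow`/`Deny` directives are also present, and with none in the block it does nothing. Two practical notes: since the bind account and password sit in httpd.conf, use `ldaps://` (or at least restrict who can read the file) so neither the bind credentials nor the group lookups cross the network in the clear; and an alternative to matching on userPrincipalName is mod_auth_kerb's `KrbLocalUserMapping On`, which strips the `@REALM` suffix from the remote user so the original `sAMAccountName` query keeps working, at the cost of losing the realm in the logs and in REMOTE_USER.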