I am trying to get a VirtualHost (well, multiple VirtualHosts) up and running with Kerberos authentication and group requirements.
My latest configuration within the <Directory> directive looks like this:
AllowOverride None
Order allow,deny
allow from all
AuthType Kerberos
AuthName "Kerberos Realm Login"
KrbAuthRealm LAN
Krb5KeyTab /etc/apache2/auth/apache2.keytab
KrbMethodK5Passwd On
KrbSaveCredentials On
KrbLocalUserMapping On
AuthzLDAPAuthoritative On
Require ldap-group devel
Testing this, after entering correct credentials, I get the following error:
access to / failed, reason: require directives present and no Authoritative handler.
When entering wrong Kerberos credentials, it will deny access altogether. So authentication works, but it seems to not be able to check for the group requirement.
The server also has PAM configured to work with the same Kerberos realm and LDAP database.
I have found that "Require valid-user" gives the same error, but "Require user username" does not.
How can I properly configure this to keep authenticating against Kerberos and authorize it against LDAP?
I am using Apache 2.2.20 on Ubuntu 11.10 x64.
Best Answer
The documentation for mod_authnz_ldap suggests that AuthzLDAPAuthoritative is for authentication:
You should try toggling this off to see if that will allow the Kerberos authentication to succeed (yet still require the group membership).
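One way to lay out the Kerberos-authentication / LDAP-authorization split asked about above on Apache 2.2, as an added example that is not the poster's or the answerer's configuration. The directory path, LDAP host, base DN, bind account and group DN are placeholders, and posixGroup-style group entries are assumed.

```apache
# Added example for Apache 2.2 with mod_auth_kerb, mod_ldap and
# mod_authnz_ldap loaded. Path, host names, DNs and the bind account
# are placeholders (assumptions), not values from the question.
<Directory /var/www/example>
    AllowOverride None
    Order allow,deny
    Allow from all

    # Authentication: mod_auth_kerb, directives as in the question.
    AuthType Kerberos
    AuthName "Kerberos Realm Login"
    KrbAuthRealm LAN
    Krb5KeyTab /etc/apache2/auth/apache2.keytab
    # Password fallback carries the password in HTTP Basic, so this
    # VirtualHost should only be reachable over TLS.
    KrbMethodK5Passwd On
    # Strip "@LAN" so REMOTE_USER matches the uid searched for below.
    KrbLocalUserMapping On
    # KrbSaveCredentials is left out: nothing here uses the ticket cache.

    # Authorization: mod_authnz_ldap needs its own directory settings to
    # evaluate "Require ldap-group"; mod_auth_kerb does not supply them.
    # ldaps:// assumes the CA is trusted in the server-level mod_ldap config.
    AuthLDAPURL "ldaps://ldap.example.lan/ou=people,dc=example,dc=lan?uid?sub"
    AuthLDAPBindDN "cn=apache,ou=services,dc=example,dc=lan"
    # Placeholder; keep the file holding the real value readable by root only.
    AuthLDAPBindPassword "REPLACE_ME"

    # Assumed posixGroup entries list members by uid (memberUid), not by DN.
    # For groupOfNames-style groups, drop these two lines.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # AuthzLDAPAuthoritative is not set and stays at its 2.2 default (On).
    # The group is named by its full DN.
    Require ldap-group cn=devel,ou=groups,dc=example,dc=lan
</Directory>
```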