At IU, how can I configure Apache to use mod_auth_kerb for authentication?
To password-protect university web sites, UITS recommends
using the Central Authentication Service (CAS). If for some
reason you can't use CAS, and Apache is your web server,
mod_auth_kerb is one alternative for
authentication.
Note: You must configure your web server to use SSL when using any kind of password authentication. Otherwise, passwords will be sent across the network unencrypted and could be stolen. For more information, see What are secure web sites and SSL certificates? and At IU, how do I obtain an SSL certificate for my web server?
To use mod_auth_kerb on your site:
- Install Kerberos on your web server; see At IU, how do I set up a Unix computer as a Kerberized application server? Instead of installing the keytab file in
/etc/krb5.keytab, you may want to install it in the same location as your web server configuration files (e.g.,/opt/apache/etc/krb5.keytab). Use thechown(1)andchmod(1)commands to make this keytab file readable by the web server user. The following example assumes a web server user ofwww: $ sudo chown root:www krb5.keytab $ sudo chmod 640 krb5.keytab $ ls -l krb5.keytab -rw-r----- 1 root www 134 Apr 9 10:43 krb5.keytab - Download the
mod_auth_kerbApache module from: http://modauthkerb.sourceforge.net/The web site includes build instructions. When building, set the
apxs -c -DKRB5 -DKRB5_VERIFY_TICKET \ -DKRB5_DEFAULT_KEYTAB=\"\\\"FILE:/opt/apache/etc/krb5.keytab\\\"\" \ -I/opt/krb5/include -L/opt/krb5/lib -lkrb5 \ -ldl -lcom_err -lk5crypto mod_auth_kerb.cKRB5_VERIFY_TICKEToption and specify the location of the keytab file withKRB5_DEFAULT_KEYTAB. For example, when buildingmod_auth_kerbas a dynamic shared object (DSO), use something like:This example assumes your keytab is in
/opt/apache/etc/krb5.keytaband Kerberos 5 is installed in/opt/krb5.For more information about DSOs in Apache 2.0, see Dynamic Shared Object (DSO) Support. For Apache 1.3, see Apache 1.3 Dynamic Shared Object (DSO) Support.
- Finish installing
mod_auth_kerbaccording to the instructions on the Kerberos Module for Apache web site.
- Using
.htaccessfiles orDirectoryorLocationdirectives in yourhttpd.conffile, enable Kerberos authentication for the appropriate portions of your site. The onlymod_auth_kerbdirectives you should need are: AuthName "IU Network ID" AuthType KerberosV5 KrbServiceName HTTP Require valid-user SSLRequireSSLThe
Require user bunbury jack ernestRequire valid-userdirective will allow anyone with a valid IU Network ID to authenticate. You can restrict this further by replacingvalid-userwithuserfollowed by a list of usernames, for example:See also the Apache documentation on runtime configuration directives, particularly
Allow,Deny,Order,Require, andSatisfy, in the directive index for your version of Apache:
You should now be able to authenticate to protected areas of the site
using your IU Network ID. Check your Apache error log if it doesn't
work. The following error may mean your krb5.keytab file
is not in the right place:
"reason: krb5_rd_req(): No such file or directory"
If the file is not readable by the web server user, you may see the following error:
"reason: krb5_rd_req(): Permission denied"
Syntax errors relating to the SSLRequireSSL directive may
mean you have not built an SSL-capable version of Apache. For more
information, see:
If you're still having problems at this point, contact your campus Support Center.
Last modified on September 28, 2009.







