Indiana University
University Information Technology Services
  
What are archived documents?

At IU, how can I configure Apache to use mod_auth_kerb for authentication?

UITS recommends the Central Authentication Service (CAS) for password-protecting university web sites. If for some reason you can't use CAS, and Apache is your web server, mod_auth_kerb is one alternative for authentication.

Note: You must configure your web server to use SSL when using any kind of password authentication. Otherwise, passwords will be sent across the network unencrypted and could be stolen. For more information, see What are secure web sites and SSL certificates? and At IU, how do I obtain an SSL certificate for my web server?

To use mod_auth_kerb on your site, follow these steps:

  1. Install Kerberos on your web server (for instructions, see At IU, how do I set up a Unix computer as a Kerberized application server?). Instead of installing the keytab file in /etc/krb5.keytab, you may want to install it in the same location as your web server configuration files, for example, /opt/apache/etc/krb5.keytab. Use the chown(1) and chmod(1) commands to make this keytab file readable by the web server user. The following example assumes a web server user of www: $ sudo chown root:www krb5.keytab $ sudo chmod 640 krb5.keytab $ ls -l krb5.keytab -rw-r----- 1 root www 134 Apr 9 10:43 krb5.keytab
  2. Download the mod_auth_kerb Apache module from: http://modauthkerb.sourceforge.net/

    There are build instructions on the web site. When building, you should set the KRB5_VERIFY_TICKET option and specify the location of the keytab file with KRB5_DEFAULT_KEYTAB. For example, when building mod_auth_kerb as a dynamic shared object (DSO), use something like:

    apxs -c -DKRB5 -DKRB5_VERIFY_TICKET \ -DKRB5_DEFAULT_KEYTAB=\"\\\"FILE:/opt/apache/etc/krb5.keytab\\\"\" \ -I/opt/krb5/include -L/opt/krb5/lib -lkrb5 \ -ldl -lcom_err -lk5crypto mod_auth_kerb.c

    This example assumes your keytab is in /opt/apache/etc/krb5.keytab and Kerberos 5 is installed in /opt/krb5.

    For more information about DSOs in Apache 2.0, see:

    http://httpd.apache.org/docs/2.0/dso.html

    For Apache 1.3, see:

    http://httpd.apache.org/docs/1.3/dso.html
  3. Finish installing mod_auth_kerb according to the instructions on the Kerberos Module for Apache web site.

  4. Using .htaccess files or Directory or Location directives in your httpd.conf file, enable Kerberos authentication for the appropriate portions of your site. The only mod_auth_kerb directives you should need are: AuthName "IU Network ID" AuthType KerberosV5 KrbServiceName HTTP Require valid-user SSLRequireSSL

    The Require valid-user directive will allow anyone with a valid IU Network ID to authenticate. You can restrict this further by replacing valid-user with user followed by a list of usernames, for example:

    Require user bunbury jack earnest

    See also the Apache documentation on runtime configuration directives, particularly Allow, Deny, Order, Require, and Satisfy. For more information on Apache 2.0, see:

    http://httpd.apache.org/docs/2.0/mod/directives.html

    For information about Apache 1.3, see:

    http://httpd.apache.org/docs/1.3/mod/directives.html

You should now be able to authenticate to protected areas of the site using your IU Network ID. Check your Apache error log if it doesn't work. The following error may mean your krb5.keytab file is not in the right place:

"reason: krb5_rd_req(): No such file or directory"

If the file is not readable by the web server user, you may see the following error:

"reason: krb5_rd_req(): Permission denied"

Syntax errors relating to the SSLRequireSSL directive may mean you have not built an SSL-capable version of Apache. For more information, see:

http://www.modssl.org/

If you're still having problems at this point, send mail to  kerberos-admin@iu.edu  with a detailed description of the problem.

Also see:

This is document alpm in domain all.
Last modified on June 25, 2008.
Please tell us, did you find the answer to your question?