How can I configure mod_auth_kerb to honor a local password file in addition to Kerberos?
The mod_auth_kerb module for Apache makes web site
authentication convenient by using Kerberos; see
the Kerberos Module for
Apache. However, sometimes users who are not in Kerberos need to
access an authenticated web site. The KrbAuthoritative directive
controls whether mod_auth_kerb has the final say on a login. When you
set it to "off", mod_auth_kerb checks the username and password the
browser supplied against Kerberos first; if Kerberos does not accept
them (for example, because the user does not exist in Kerberos),
mod_auth_kerb declines the request instead of rejecting it, and
Apache's standard password-file module then checks the same username and
password against the local password file. Note that any failed Kerberos
login falls through, not only an unknown user, so someone listed in both
places can log in with either password; keep the local file small and
its entries current.
Note: You must configure your web server to use SSL when using any kind of password authentication. Otherwise, passwords will be sent across the network unencrypted and could be stolen. For more information, see What are secure web sites and SSL certificates? and At IU, how do I obtain an SSL certificate for my web server?
To allow both Kerberos and password file authentication:
- Install mod_auth_kerb according to steps 1, 2, and 3 in At IU, how can I configure Apache to use mod_auth_kerb for authentication?
- Configure a restricted directory and password file according to
the instructions in How do I limit access to my World Wide Web pages? ("Setting up the restricted
directory" and "Setting up the password file").
- Using .htaccess files or <Directory> or <Location> directives in your httpd.conf file, enable Kerberos authentication for the appropriate portions of your site. The only mod_auth_kerb directives you should need are:

      AuthName "IU Network ID or Local Account"
      AuthType Basic
      AuthUserFile /opt/apache/etc/passwd
      KrbAuthoritative off
      Require valid-user
      SSLRequireSSL

  Note the main differences between this configuration and the one shown in At IU, how can I configure Apache to use mod_auth_kerb for authentication? Most importantly, KrbAuthoritative is turned off to indicate that mod_auth_kerb should allow other authentication modules to try to authenticate users it cannot authenticate itself. Its default value is "on", which allows only Kerberos authentication. Also, the AuthType has been changed to Basic so that the stock mod_auth module can take over when a user doesn't exist in Kerberos. With Basic, the browser sends the username and password on every request and mod_auth_kerb verifies them against the KDC rather than accepting a ticket, so leave KrbVerifyKDC at its default of "on" with a valid Krb5Keytab; otherwise a spoofed KDC reply could authenticate an attacker. One final difference is that you must specify the AuthUserFile where the local passwords are stored. Keep that file outside the DocumentRoot and readable only by the web server, since anyone who can fetch or read it can attack the password hashes offline. See also the Apache documentation for version 2.0 and version 1.3 on runtime configuration directives, particularly Allow, Deny, Order, Require, and Satisfy.
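As an added example (it is not part of the original article, of mod_auth_kerb, or of Apache), the following Python script audits the <Directory> and <Location> blocks in an httpd.conf fragment and reports the mistakes that matter for this setup: KrbAuthoritative turned off without an AuthUserFile or without AuthType Basic, password authentication without SSLRequireSSL, an AuthType with no Require directive, and an AuthUserFile placed under DocumentRoot. The configuration embedded in it is constructed for the demonstration: the first block is the one shown in step 3, the second is a deliberately weak variant, and the third is a Kerberos-only block that assumes "AuthType Kerberos" (an AuthType this article does not show) for comparison. It only understands Directory and Location containers and full-line comments, which is enough for an audit but is not a complete Apache config parser.

```python
"""Audit Apache config blocks that combine mod_auth_kerb with a local password
file.  Added example for this article; not part of mod_auth_kerb or Apache.
The configuration text below is constructed for the demonstration."""
import re

# Constructed sample.  Block 1 follows the article; block 2 is a weak variant
# (password file under DocumentRoot, no SSLRequireSSL); block 3 is Kerberos-only
# and assumes "AuthType Kerberos", which this article does not show.
SAMPLE_CONF = """\
DocumentRoot /opt/apache/htdocs

<Directory /opt/apache/htdocs/protected>
    AuthName "IU Network ID or Local Account"
    AuthType Basic
    AuthUserFile /opt/apache/etc/passwd
    KrbAuthoritative off
    Require valid-user
    SSLRequireSSL
</Directory>

# Weak variant: password file inside DocumentRoot, no SSLRequireSSL.
<Location /reports>
    AuthName "Reports"
    AuthType Basic
    AuthUserFile /opt/apache/htdocs/.htpasswd
    KrbAuthoritative off
    Require valid-user
</Location>

<Directory /opt/apache/htdocs/kerberos-only>
    AuthName "IU Network ID"
    AuthType Kerberos
    Require valid-user
    SSLRequireSSL
</Directory>
"""

OPEN_RE = re.compile(r"^<(Directory|Location)\s+(.+?)>$")
CLOSE_RE = re.compile(r"^</(Directory|Location)>$")


def parse_blocks(text):
    """Return (global directives, blocks).  Each block is (kind, path, directives)
    where directives maps a lower-cased name to the list of its values.
    Only <Directory>/<Location> containers and full-line '#' comments are handled."""
    global_directives, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            current = (m.group(1), m.group(2).strip('"'), {})
            continue
        if CLOSE_RE.match(line):
            if current is not None:
                blocks.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        target = current[2] if current is not None else global_directives
        target.setdefault(name, []).append(value)
    return global_directives, blocks


def audit_block(kind, path, d, docroot):
    """Findings for one container; an empty list means the block looks right."""
    ctx = f"<{kind} {path}>"
    findings = []
    if d.get("krbauthoritative", ["on"])[0].lower() == "off":
        # Failed Kerberos logins fall through, so the local-file side must be complete.
        if d.get("authtype", [""])[0].lower() != "basic":
            findings.append(f"{ctx}: KrbAuthoritative off needs AuthType Basic so the stock password module can take over")
        if "authuserfile" not in d:
            findings.append(f"{ctx}: KrbAuthoritative off but no AuthUserFile; there is nothing to fall through to")
    if "authtype" in d:
        # Basic and Kerberos-password logins both send the password with the request.
        if "sslrequiressl" not in d:
            findings.append(f"{ctx}: password authentication without SSLRequireSSL (passwords cross the network in the clear)")
        if "require" not in d:
            findings.append(f"{ctx}: AuthType set but no Require directive, so access is not actually restricted")
    for f in d.get("authuserfile", []):
        if docroot and f.startswith(docroot.rstrip("/") + "/"):
            findings.append(f"{ctx}: AuthUserFile {f} is under DocumentRoot {docroot} and could be served to clients")
    return findings


def audit_config(text):
    """Audit every container in an httpd.conf fragment; returns a list of findings."""
    global_directives, blocks = parse_blocks(text)
    docroot = global_directives.get("documentroot", [""])[0]
    findings = []
    for kind, path, directives in blocks:
        findings.extend(audit_block(kind, path, directives, docroot))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against your own httpd.conf (or the relevant .htaccess files concatenated) by passing the file contents to audit_config; the sample reports two problems, both in the /reports block, and nothing for the block from step 3.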
Users should now be able to authenticate to protected areas of the site with either a Kerberos password or a local password. If it doesn't work, check your Apache error log: mod_auth_kerb and mod_auth each log why they rejected a login, which tells you whether the Kerberos check or the password-file lookup is the part that is failing.
Last modified on September 29, 2009.