Configure Apache to use mod_auth_kerb for authentication
To password-protect university websites, UITS recommends using IU Login. If for some reason you cannot, and Apache is your web server, mod_auth_kerb is one alternative for authentication.
To use mod_auth_kerb on your site:
- Install Kerberos on your web server; see Set up a Unix computer as a Kerberized application server. Instead of installing the keytab file in /etc/krb5.keytab, you may want to install it in the same location as your web server configuration files (for example, /opt/apache/etc/krb5.keytab). Use the chown(1) and chmod(1) commands to make the keytab readable by the web server user and by nobody else: the keytab holds the HTTP service key, and anyone who can read it can impersonate your server to Kerberos clients. Keep the file owned by root so that a compromised web server process cannot replace it. The following example assumes a web server user of www:

    $ sudo chown root:www krb5.keytab
    $ sudo chmod 640 krb5.keytab
    $ ls -l krb5.keytab
    -rw-r----- 1 root www 134 Apr 9 10:43 krb5.keytab
- Download the mod_auth_kerb Apache module from http://modauthkerb.sourceforge.net/. The website includes build instructions. When building, set the KRB5_VERIFY_TICKET option and specify the location of the keytab file with KRB5_DEFAULT_KEYTAB. KRB5_VERIFY_TICKET makes the module verify the ticket it obtains for the user against the HTTP service key in the keytab; this defeats KDC spoofing, where an attacker who can answer in place of the KDC gets a bogus password accepted. For example, when building mod_auth_kerb as a dynamic shared object (DSO), use something like:

    apxs -c -DKRB5 -DKRB5_VERIFY_TICKET \
        -DKRB5_DEFAULT_KEYTAB=\"\\\"FILE:/opt/apache/etc/krb5.keytab\\\"\" \
        -I/opt/krb5/include -L/opt/krb5/lib -lkrb5 \
        -ldl -lcom_err -lk5crypto mod_auth_kerb.c
This example assumes your keytab is in /opt/apache/etc/krb5.keytab and Kerberos 5 is installed in /opt/krb5. For more about DSOs in Apache 2.4, see Dynamic Shared Object (DSO) Support. For older versions of Apache, see the resources at Apache HTTP Server Documentation.
- Finish installing mod_auth_kerb according to the instructions on the Kerberos Module for Apache website.
- Using .htaccess files or Directory or Location directives in your httpd.conf file, enable Kerberos authentication for the appropriate portions of your site. The only mod_auth_kerb directives you should need are:

    AuthName "IU Network ID"
    AuthType KerberosV5
    KrbServiceName HTTP
    Require valid-user
    SSLRequireSSL

Keep SSLRequireSSL: with this configuration the browser sends the user's Network ID and password to the web server as HTTP Basic credentials, and the module uses that password to obtain a Kerberos ticket, so without TLS the password crosses the network in the clear.
The Require valid-user directive will allow anyone with a valid IU Network ID to authenticate. You can restrict this further by replacing valid-user with user followed by a list of usernames, for example:

    Require user bunbury jack ernest
See also the Apache documentation on runtime configuration directives, particularly Allow, Deny, Order, Require, and Satisfy, in the Directive Index for your version of Apache. In Apache 2.4, Allow, Deny, Order, and Satisfy are provided by the compatibility module mod_access_compat; new configurations should express access control with Require alone.
You should now be able to authenticate to protected areas of the site using your IU Network ID. Check your Apache error log if it doesn't work. The following error may mean your krb5.keytab file is not in the right place (the path compiled in with KRB5_DEFAULT_KEYTAB must match where you installed the file):

    reason: krb5_rd_req(): No such file or directory

If the file is not readable by the web server user, you may see the following error:

    reason: krb5_rd_req(): Permission denied
Syntax errors relating to the SSLRequireSSL directive may mean you have not built an SSL-capable version of Apache. For more, see Apache Module mod_ssl.
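Both krb5_rd_req() errors above come down to the keytab's location and permissions, so it is worth checking those before restarting Apache. The following shell script is an added example, not code from this Knowledge Base page or from the mod_auth_kerb project. It assumes a Linux host with GNU coreutils stat (for stat -c) and, optionally, the MIT Kerberos klist client; the path /opt/apache/etc/krb5.keytab and the user www in its usage line are the page's example values. It reports which of the two errors Apache would log for a missing or unreadable keytab, rejects a world-accessible keytab outright, and warns when the keytab is not owned by root or when the web server user could replace it.

```shell
#!/bin/sh
# Pre-flight check for the mod_auth_kerb keytab. Added example; this script is
# not from the Knowledge Base page or the mod_auth_kerb project. It assumes GNU
# coreutils `stat -c` (Linux) and, optionally, the MIT Kerberos `klist` client.
#
# Usage: check_keytab /opt/apache/etc/krb5.keytab www
# Returns 0 when the keytab exists, is readable by the web server user and is
# not world-accessible; returns 1 otherwise and says which Apache error to expect.

# Does an octal permission digit include the read bit (4)?
digit_readable() {
    case $1 in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

check_keytab() {
    keytab=$1
    webuser=$2

    # A missing file is what "krb5_rd_req(): No such file or directory" means.
    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist (Apache would log: krb5_rd_req(): No such file or directory)" >&2
        return 1
    fi

    # Octal mode, owner name and group name of the keytab (GNU stat).
    info=$(stat -c '%a %U %G' "$keytab") || return 1
    set -- $info
    mode=$1 owner=$2 group=$3

    # Peel the owner/group/other digits off the end of the mode string, so a
    # leading setuid/setgid/sticky digit (e.g. 2640) does not confuse the check.
    other=${mode#${mode%?}}
    rest=${mode%?}
    grp=${rest#${rest%?}}
    rest=${rest%?}
    own=${rest#${rest%?}}

    # Anyone who can read the keytab holds the HTTP service key and can
    # impersonate the web server to Kerberos clients, so deny all "other" access.
    if [ "$other" != 0 ]; then
        echo "FAIL: $keytab is world-accessible (mode $mode); use chmod 640" >&2
        return 1
    fi

    # The web server user must be able to read it, as owner or via the group.
    readable=1
    if [ "$owner" = "$webuser" ] && digit_readable "$own"; then
        readable=0
    elif digit_readable "$grp" && id -Gn "$webuser" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        readable=0
    fi
    if [ $readable -ne 0 ]; then
        echo "FAIL: $keytab is not readable by $webuser (mode $mode, $owner:$group); Apache would log: krb5_rd_req(): Permission denied" >&2
        return 1
    fi

    # Non-fatal hygiene checks matching the page's root:www 640 example: root
    # should own the file, and the web server user should not be able to replace it.
    [ "$owner" = root ] || echo "WARN: $keytab is owned by $owner, not root" >&2
    if [ "$owner" = "$webuser" ]; then
        echo "WARN: $webuser owns $keytab and could replace it; prefer chown root:$webuser" >&2
    fi

    # If Kerberos client tools are installed, confirm an HTTP/ service principal
    # is present, since KrbServiceName HTTP expects one.
    if command -v klist >/dev/null 2>&1; then
        klist -k "$keytab" 2>/dev/null | grep -q 'HTTP/' ||
            echo "WARN: klist -k lists no HTTP/ principal in $keytab" >&2
    fi
    return 0
}

# Run the check when invoked with a keytab path and a web server user name.
if [ $# -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

Run it after the chown/chmod step, for example as check_keytab /opt/apache/etc/krb5.keytab www. A world-accessible keytab is a hard failure rather than a warning because the service key it contains is all an attacker needs to stand up a fake copy of your web server that Kerberos clients will trust.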
If you're still having problems at this point, contact your campus Support Center.
This is document alpm in the Knowledge Base.
Last modified on 2023-07-12 11:15:52.