How can I configure mod_auth_kerb to honor a local password file in addition to Kerberos?

The mod_auth_kerb module for Apache makes website authentication convenient by using Kerberos; see the Kerberos Module for Apache. However, sometimes users who are not in Kerberos need to access an authenticated website. The KrbAuthAuthoritative directive lets you tell mod_auth_kerb to authenticate against a local password file if the user does not exist in Kerberos. When you use this directive (by setting it to "off"), mod_auth_kerb will try Kerberos first, and if the user does not exist, it will try the local password file.

Note:
You must configure your web server to use SSL when using any kind of password authentication. Otherwise, passwords will be sent across the network unencrypted and could be stolen. For more information, see About secure websites and SSL/TLS certificates and At IU, how do I obtain an SSL certificate for my web server?

To allow both Kerberos and password file authentication:

  1. Install mod_auth_kerb according to steps 1, 2, and 3 in At IU, how can I configure Apache to use mod_auth_kerb for authentication?
  2. Configure a restricted directory and password file; see Controlling web page access.
  3. Using .htaccess files or <Directory> or <Location> directives in your httpd.conf file, enable Kerberos authentication for the appropriate portions of your site. The only mod_auth_kerb directives you should need are:
    AuthName
    "IU Network ID or Local Account"
    AuthType Basic
    AuthUserFile /opt/apache/etc/passwd
    KrbAuthAuthoritative off
    Require valid-user
    SSLRequireSSL  

    Note that there are a few main differences between this configuration and the one shown in At IU, how can I configure Apache to use mod_auth_kerb for authentication? Most important, KrbAuthAuthoritative is turned off to indicate that mod_auth_kerb should allow other authentication modules to try to authenticate users who don't exist in Kerberos. Its default value is "on", which allows only Kerberos authentication. Also, the AuthType has been changed to Basic to allow the stock mod_auth to take over when a user doesn't exist in Kerberos. One final difference is that you must specify the AuthUserFile where the local passwords are stored.

    See also the Apache documentation for version 2.0 and version 1.3 on runtime configuration directives, particularly Allow, Deny, Order, Require, and Satisfy.

Users should now be able to authenticate to protected areas of the site using Kerberos passwords or local passwords. Check your Apache error log if this procedure doesn't work.

This is document alrl in the Knowledge Base.
Last modified on 2015-11-10 00:00:00.

Contact us

For help or to comment, email the UITS Support Center.