ARCHIVED: Configure mod_auth_kerb to honor a local password file in addition to Kerberos
The mod_auth_kerb module for Apache makes website authentication convenient by using Kerberos; see the Kerberos Module for Apache. However, sometimes users who are not in Kerberos need to access an authenticated website. The KrbAuthAuthoritative directive lets you tell mod_auth_kerb to authenticate against a local password file if the user does not exist in Kerberos. When you use this directive (by setting it to "off"), mod_auth_kerb will try Kerberos first, and if the user does not exist, it will try the local password file.
To allow both Kerberos and password file authentication:
- Install mod_auth_kerb according to steps 1, 2, and 3 in Configure Apache to use mod_auth_kerb for authentication.
- Configure a restricted directory and password file; see Control web page access for Pages.
- Using .htaccess files or <Directory> or <Location> directives in your httpd.conf file, enable Kerberos authentication for the appropriate portions of your site. The only mod_auth_kerb directives you should need are:

      AuthName "IU Network ID or Local Account"
      AuthType Basic
      AuthUserFile /opt/apache/etc/passwd
      KrbAuthAuthoritative off
      Require valid-user
      SSLRequireSSL

  Note that there are a few main differences between this configuration and the one shown in Configure Apache to use mod_auth_kerb for authentication. Most important, KrbAuthAuthoritative is turned off to indicate that mod_auth_kerb should allow other authentication modules to try to authenticate users who don't exist in Kerberos. Its default value is "on", which allows only Kerberos authentication. Also, the AuthType has been changed to Basic to allow the stock mod_auth to take over when a user doesn't exist in Kerberos. One final difference is that you must specify the AuthUserFile where the local passwords are stored.

  See also the Apache documentation for version 2.0 and version 1.3 on runtime configuration directives, particularly Allow, Deny, Order, Require, and Satisfy.
Users should now be able to authenticate to protected areas of the site using Kerberos passwords or local passwords. Check your Apache error log if this procedure doesn't work.
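Before turning to the error log, a fragment can be checked against the directives listed in step 3. The checker below is an added example, not part of the original Knowledge Base document; its function names and the second sample fragment are constructed for illustration, and it does not handle backslash line continuations.

```python
# Added example: checks a config fragment for the directives the article lists.
# Function names are hypothetical; BROKEN_CONFIG is a constructed sample.

# Directive (lowercased) -> required value; None means presence is enough.
# Values are compared case-insensitively here.
REQUIRED = {
    "authtype": "basic",            # lets the stock password-file module take over
    "krbauthauthoritative": "off",  # the default "on" allows only Kerberos
    "authuserfile": None,           # where the local passwords are stored
    "require": "valid-user",
    "sslrequiressl": None,          # Basic sends the password base64-encoded, not encrypted
}

def parse_directives(text):
    """Return {lowercased directive name: argument string}; last occurrence wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # skip blank lines, comments and <Directory>/<Location> tags
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return found

def check_fallback_config(text):
    """List the directives that are missing or set differently from step 3."""
    found = parse_directives(text)
    problems = []
    for name, wanted in REQUIRED.items():
        if name not in found:
            problems.append(f"missing {name}")
        elif wanted is not None and found[name].lower() != wanted:
            problems.append(f"{name} is '{found[name]}', expected '{wanted}'")
    return problems

# The fragment from step 3 of the article.
ARTICLE_CONFIG = """AuthName "IU Network ID or Local Account"
AuthType Basic
AuthUserFile /opt/apache/etc/passwd
KrbAuthAuthoritative off
Require valid-user
SSLRequireSSL
"""
# Constructed sample: Kerberos-only default left on, TLS requirement dropped.
BROKEN_CONFIG = ARTICLE_CONFIG.replace("KrbAuthAuthoritative off", "KrbAuthAuthoritative on") \
                              .replace("SSLRequireSSL\n", "")

if __name__ == "__main__":
    for label, cfg in (("article", ARTICLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_fallback_config(cfg) or "ok")
```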
This is document alrl in the Knowledge Base.
Last modified on 2019-11-20 13:58:20.