I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach: either all your domain users can access a site or not.
Is it possible to combine mod_auth_kerb with something like mod_authnz_ldap to check for group membership in a particular group in LDAP? I'm guessing the KrbAuthoritative option would have something to do with this?
Also, as I understand it, the module sets the username to be username@REALM after authentication, but of course in the directory the users are stored as the username only. Furthermore, some internal sites we run, such as Trac, already have a user profile linked to each username. Is there a way to resolve this, perhaps by stripping off the realm bit after authentication somehow?
It is now possible in mod_auth_kerb 5.4 to strip the realm from REMOTE_USER with the following config directive:
KrbLocalUserMapping On
It's the whole point of the authn/authz separation in 2.2 that you can authenticate with one mechanism and authorize with another. Authentication provides you with a setting of REMOTE_USER, which you can then use authz_ldap against. In addition, authn_ldap then searches for a user (converting the REMOTE_USER to a DN if found, using search criteria you have to specify, e.g. searching for CN). Then, when a DN has been found, you can specify requirements on the LDAP object. E.g. if all users accessing a resource must be in the same OU, you specify
require ldap-dn ou=Managers, o=The Company
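Putting the two answers above together (realm stripping with KrbLocalUserMapping, then LDAP authorization against REMOTE_USER), here is a complete Apache 2.2 virtual-host fragment for the Trac case from the question. This is an added example, not configuration from the original post, the mod_auth_kerb project or the Apache documentation. The realm EXAMPLE.COM, the host ldap.example.com, the DNs, the group cn=trac-users, the keytab path and the /trac location are all assumed placeholders; the directive names themselves are real mod_auth_kerb 5.4 and mod_authnz_ldap directives. Apache does not allow comments after a directive on the same line, so every comment sits on its own line.

```apache
# Added example (not from the original page): Kerberos SSO via mod_auth_kerb,
# group-restricted via mod_authnz_ldap. Realm, hosts, DNs and paths are assumed.
LoadModule auth_kerb_module   modules/mod_auth_kerb.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /trac>
    # --- Authentication: SPNEGO/Kerberos only ---
    AuthType            Kerberos
    AuthName            "Internal SSO"
    KrbMethodNegotiate  On
    # Off: never fall back to asking for a Kerberos password over HTTP.
    KrbMethodK5Passwd   Off
    KrbAuthRealms       EXAMPLE.COM
    KrbServiceName      HTTP
    Krb5KeyTab          /etc/apache2/http.keytab
    # Strip "@EXAMPLE.COM" from REMOTE_USER so it matches the uid stored in LDAP
    # (and the username Trac already knows). Mapping follows the krb5 library's
    # auth_to_local rules, so by default only default-realm principals are shortened.
    KrbLocalUserMapping On

    # --- Authorization: look REMOTE_USER up in LDAP, require group membership ---
    # The attribute in the URL (uid) is the one REMOTE_USER is searched against;
    # it must be the same form KrbLocalUserMapping produces, i.e. the bare username.
    AuthLDAPURL          "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
    # Read-only service account; keep this file readable only by root and the Apache user.
    AuthLDAPBindDN       "cn=apache,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "change-me"
    # Group entries list members by full DN (groupOfNames style).
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group cn=trac-users,ou=Groups,dc=example,dc=com
</Location>
```

With only a Require ldap-group line and no Require valid-user, mod_authnz_ldap is the sole authorizer, so a user with a valid Kerberos ticket who is not in the group is refused rather than waved through; that is the fail-closed behaviour you want, and it answers the all-or-nothing concern in the question. Using ldaps:// keeps the bind credentials and the lookups off the wire in clear; on 2.2 the server certificate check is configured through mod_ldap's LDAPTrustedGlobalCert. Check the result after a login by inspecting what the application sees as REMOTE_USER (Trac will show it as the logged-in name): it should be the bare username, and a test account outside cn=trac-users should get a 401 from Apache before reaching Trac.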
Debian stable now ships with version 5.4 of mod_auth_kerb.
If you're stuck with an older version, this page explains how mod_map_user can be used in combination with mod_auth_kerb and mod_authnz_ldap.