httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joel Johnson" <mrj...@lixil.net>
Subject [users@httpd] Only require satisfaction of one AuthType in 2.2
Date Tue, 25 Sep 2007 02:44:31 GMT
I'm setting up a site using Apache httpd 2.2 and an existing Kerberos
infrastructure and would like to optionally allow users to have single
sign-on with an existing Kerberos ticket. I'm using the Debian packaged [1]
mod_auth_kerb [2] to accomplish the authentication which is all working
smoothly.

The problem I'm running into is in designating the authentication as
*optional*. For example, I'd like to setup a wiki at wiki.and have the
contents publicly accessible, but require authentication for edits. I'd like
to first offer Kerberos authentication, but if that fails than still allow
access. The application would then check REMOTE_USER and honor its value if
set, or fallback to internal authentication if desired. This will also allow
me to configure the server such that if a user is local and has Kerberos
credentials they are seamlessly authenticated, but if not than I can have a
login screen authenticating internally against the same source. There are
several different ways that I will use this, but they all rely on optional
authentication support.

The working exclusively-Kerberos relevant config is simply:
    AuthType Kerberos
    require valid-user

I've tried using a "Satisfy any" directive as follows, but the "Allow from
all" seems to take precedence over any other method:
    AuthType Kerberos
    require valid-user
    Allow from all
    Satisfy any

I've also considered using a "KrbAuthoritative Off" directive to allow
checking to fallthrough to the next module, but I can't find an
authentication module with "accept all" semantics.

One option does look promising, but it only available in trunk/2.3 which I
can't switch to for this project, but the following should work (corrections
on assumption are welcome) by using two authorization providers with a
single authentication method:
    AuthType Kerberos
    <SatisfyOne>
        Require valid-user
        Require all allowed
    </SatisfyOne>

My goals are that I'd like the location to be available to all, and if
authorized that is an extra bonus and allows seamlessness, customized
content and others, but it should *not* be a requirement. Additionally, I
want the content to be available under a single canonical URI which will be
well-known, so symlinking directories with different <Location>s is not an
option.

If I've missed something simple, I'd love to have it pointed out, or if
there is a best practice for this sort of setup please share!


Many thanks for any guidance or pointers!


The script that I'm using to do basic testing on the authentication is
(basically, I also have some logic to remove the Kerberos realm that isn't
included):

<? if (empty($_SERVER['REMOTE_USER'])) {
    echo "You weren't automatically logged in, we'll have to do it locally.";
  } else {
    echo "Congratulations $username, you've logged on successfully!";
    echo "REMOTE_USER = {$_SERVER['REMOTE_USER']} <br>";
  }
?>

[1] http://packages.debian.org/etch/libapache2-mod-auth-kerb
[2] http://modauthkerb.sourceforge.net/

--
Joel Johnson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message