httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Yves Avenard <>
Subject [users@httpd] Multiple authentication backend... how?
Date Tue, 21 Sep 2010 07:00:02 GMT

I am trying to get mod_auth_kerb and mod_authnz_ldap to work together
; in such a way that it first tries to authenticate the user using
Kerberos, and if mod_auth_kerb can not authenticate the user, then it
tries using mod_authnz_ldap.

That way I could provide password protected site, where if people have
setup kerberos, they get a single-sign-on experience, if not , they
get the usual prompt for a username and password.

mod_auth_kerb has an option so it's not authoritative ( KrbAuthoritative off).

When trying to login using Google Chrome (which doesn't support
Kerberos), I get prompted for a user id and password. Which then fails
with an error 401.

And tracing the mod_auth_kerb module code, as expected, it returns
DECLINED if it can't authenticate the user.

>From then, the theory would be that it is passed on to lower
authentication module.

[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1667): [client] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1001): [client] Using Any/ as
server principal for password verification
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(698): [client] Trying to get TGT for user avenardj@M.DOMAIN.COM
[Tue Sep 21 16:47:01 2010] [error] [client]
krb5_get_init_creds_password() failed: Client not found in Kerberos
[Tue Sep 21 16:47:01 2010] [debug] src/mod_auth_kerb.c(1080): [client] kerb_authenticate_user_krb5pwd ret=-1 user=(NULL)
[Tue Sep 21 16:47:01 2010] [error] [client] access to
/test/ failed, reason: verification of user id '<null>' not configured

That last line shows that the module that get used after is
mod_authn_default (from searching in the source code)

Alias /test /usr/local/www/test
<Directory /usr/local/www/test>
        AuthLDAPURL ldaps://blah?uid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute  memberUid
        AuthLDAPRemoteUserAttribute uid
        AuthLDAPRemoteFirstUserAttribute on
        AuthzLDAPRemoteUserAttribute on
 AllowOverride all
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd On
 KrbAuthRealms M.DOMAIN.COM
 Krb5KeyTab /usr/local/etc/apache22/server4.keytab
 KrbServiceName Any
 KrbLocalUserMapping on
 KrbAuthoritative off

 AuthBasicProvider      ldap
 require ldap-user uid=jeanyves_avenard,cn=users,dc=m,dc=company,dc=com)

        Order allow,deny
        Allow from all

The module loading order in httpd.conf is:

LoadModule authnz_ldap_module libexec/apache22/
LoadModule auth_kerb_module   libexec/apache22/

So mod_authnz_ldap has a lower priority than mod_auth_kerb

If I am to use Kerberos it works fine, and if I change AuthType
Kerberos into AuthType Basic ; then login using the ldap user
credentials is fine...

Is there anything I am missing ?
How could I trace the order in which modules are called for authentication?


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message