(from parent 1: 5e72093)
Add symlink to .md so the markdown is picked up.
Updated styling and fixed a couple of typos.
Simo: Changed rename into a symlink. Reworded commit message
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #51
-----
This module has been built as a replacement for the aging mod_auth_kerb.
-----
This module has been built as a replacement for the aging mod_auth_kerb.
-It's aim is to use only GSSAPI calls and be as much as possible agnostic
+Its aim is to use only GSSAPI calls and be as much as possible agnostic
of the actual mechanism used.
Dependencies
of the actual mechanism used.
Dependencies
is necessary to achieve full functionality. Reduced functionality is
provided without these extensions.
is necessary to achieve full functionality. Reduced functionality is
provided without these extensions.
-krb5 (>=1.11)
-Apache (>=2.4)
+ krb5 (>=1.11)
+ Apache (>=2.4)
Installation
------------
Installation
------------
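Review bot: the dependency lines `+ krb5 (>=1.11)` and `+ Apache (>=2.4)` appear indented by a single space in this hunk, which markdown renders as ordinary paragraph text (and folds the two onto one line), not as the list or code block the indent seems intended to create. Use a `- ` list marker or a four-space indent so the two requirements render as separate items.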
-./configure
-make
-make install
+ ./configure
+ make
+ make install
location of the keytab.
#### Example
location of the keytab.
#### Example
-<Location /private>
- AuthType GSSAPI
- AuthName "GSSAPI Single Sign On Login"
- GssapiCredStore keytab:/etc/httpd.keytab
- Require valid-user
-</Location>
+ <Location /private>
+ AuthType GSSAPI
+ AuthName "GSSAPI Single Sign On Login"
+ GssapiCredStore keytab:/etc/httpd.keytab
+ Require valid-user
+ </Location>
Your Apache server need read access to the keytab configured.
If your Kerberos implementation does not support the credential store
Your Apache server need read access to the keytab configured.
If your Kerberos implementation does not support the credential store
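Review bot: the configuration example from `+ <Location /private>` to `+ </Location>` is only indented by one space, so markdown will not treat it as a code block, and because `<Location /private>` looks like an HTML tag an unfenced copy is liable to be passed through as raw HTML and disappear from the rendered README. Indent the block by four spaces or wrap it in a fence. The trailing context in this hunk still reads "Your Apache server need read access to the keytab configured."; "needs" belongs in the typo pass this commit describes.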
Forces the authentication attempt to fail if the connection is not being
established over TLS
Forces the authentication attempt to fail if the connection is not being
established over TLS
however the complete client principal name is also made available in the
GSS_NAME variable.
however the complete client principal name is also made available in the
GSS_NAME variable.
enable incomplete context are store in the connection and retrieved on the next
request for continuation.
enable incomplete context are store in the connection and retrieved on the next
request for continuation.
For clients that make use of Persistent-Auth header, send the header according
to GssapiConnectionBound setting.
For clients that make use of Persistent-Auth header, send the header according
to GssapiConnectionBound setting.
GssapiSignalPersistentAuth On
GssapiSignalPersistentAuth On
[mod_sessions](http://httpd.apache.org/docs/current/mod/mod_session.html)
documentation for more information.
[mod_sessions](http://httpd.apache.org/docs/current/mod/mod_session.html)
documentation for more information.
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/private;httponly;secure;
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/private;httponly;secure;
When GssapiUseSessions is enabled a key use to encrypt and MAC the session
data will be automatically generated at startup, this means session data will
When GssapiUseSessions is enabled a key use to encrypt and MAC the session
data will be automatically generated at startup, this means session data will
-become unreadable if the server is restarted or multiple serves are used and
+become unreadable if the server is restarted or multiple servers are used and
the client is load balanced from one to another. To obviate this problem the
admin can choose to install a permanent key in the configuration so that
session data remain accessible after a restart or by multiple servers
the client is load balanced from one to another. To obviate this problem the
admin can choose to install a permanent key in the configuration so that
session data remain accessible after a restart or by multiple servers
The key must be a base64 encoded raw key of 32 bytes of length.
The key must be a base64 encoded raw key of 32 bytes of length.
GssapiSessionKey key:VGhpcyBpcyBhIDMyIGJ5dGUgbG9uZyBzZWNyZXQhISE=
GssapiSessionKey key:VGhpcyBpcyBhIDMyIGJ5dGUgbG9uZyBzZWNyZXQhISE=
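Review bot: the fix to "multiple servers are used" is correct, but this is the paragraph that specifies the session key and it is still underspecified: "a base64 encoded raw key of 32 bytes" should say the bytes must come from a cryptographically secure random source, and the example value `VGhpcyBpcyBhIDMyIGJ5dGUgbG9uZyBzZWNyZXQhISE=` decodes to the readable ASCII string "This is a 32 byte long secret!!!", so a sentence marking it as illustrative only would prevent it being copied into a deployment as the key that both encrypts and MACs every session. The same pass could fix "a key use to encrypt" (used) and "incomplete context are store" (contexts are stored) in the unchanged context above.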
The GssapiCredStore option allows to specify multiple credential related
options like keytab location, client_keytab location, ccache location etc.
The GssapiCredStore option allows to specify multiple credential related
options like keytab location, client_keytab location, ccache location etc.
GssapiCredStore keytab:/etc/httpd.keytab
GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
GssapiCredStore keytab:/etc/httpd.keytab
GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
principal and the subprocess environment variable KRB5CCNAME will be set
to point to that file.
principal and the subprocess environment variable KRB5CCNAME will be set
to point to that file.
GssapiDelegCcacheDir /var/run/httpd/clientcaches
GssapiDelegCcacheDir /var/run/httpd/clientcaches
A user foo@EXAMPLE.COM delegating its credentials would cause the server to
create a ccache file named /var/run/httpd/clientcaches/foo@EXAMPLE.COM
A user foo@EXAMPLE.COM delegating its credentials would cause the server to
create a ccache file named /var/run/httpd/clientcaches/foo@EXAMPLE.COM
### GssapiUseS4U2Proxy
Enables the use of the s4u2Proxy Kerberos extension also known as
### GssapiUseS4U2Proxy
Enables the use of the s4u2Proxy Kerberos extension also known as
populated with the user's provided ticket which is later used as evidence
ticket by the application.
populated with the user's provided ticket which is later used as evidence
ticket by the application.
GssapiUseS4U2Proxy On
GssapiCredStore keytab:/etc/httpd.keytab
GssapiCredStore client_keytab:/etc/httpd.keytab
GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
GssapiDelegCcacheDir /var/run/httpd/clientcaches
GssapiUseS4U2Proxy On
GssapiCredStore keytab:/etc/httpd.keytab
GssapiCredStore client_keytab:/etc/httpd.keytab
GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
GssapiDelegCcacheDir /var/run/httpd/clientcaches
-NOTE: The client keytab is necessary to allow GSSAPI to initate via keytab
+**NOTE:** The client keytab is necessary to allow GSSAPI to initiate via keytab
on its own. If not present an external mechanism needs to kinit with the
keytab and store a ccache in the configured ccache file.
on its own. If not present an external mechanism needs to kinit with the
keytab and store a ccache in the configured ccache file.
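Review bot: the NOTE now explains why `client_keytab` is needed, but the hunk leaves the storage side undocumented: the ccache at `FILE:/var/run/httpd/krb5ccache` holds the server's own credentials and `GssapiDelegCcacheDir` receives the delegated user caches described just above (`/var/run/httpd/clientcaches/foo@EXAMPLE.COM`), so the NOTE should also state that both paths must be owned by, and writable only by, the httpd user, and that the external kinit it mentions has to write the ccache as that same user.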
If the browser fails to use Negotiate is will instead fallback to Basic and
the username and password will be used to try to acquire credentials in the
module via GSSAPI. If credentials are acquire successfully then they are
If the browser fails to use Negotiate is will instead fallback to Basic and
the username and password will be used to try to acquire credentials in the
module via GSSAPI. If credentials are acquire successfully then they are
-validated agaist the server's keytab.
+validated against the server's keytab.
-Enable with: GssapiBasicAuth On
-Default: GssapiBasicAuth Off
+- **Enable with:** GssapiBasicAuth On
+- **Default:** GssapiBasicAuth Off
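Review bot: "validated against" is now right, but the context lines immediately above in the same hunk still carry two errors of the kind this commit claims to fix: "If the browser fails to use Negotiate is will instead fallback to Basic" should read "it will instead fall back", and "If credentials are acquire successfully" should read "are acquired".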
-Example:
-<Location /gssapi>
- AuthType GSSAPI
- AuthName "Login"
- GssapiBasicAuth On
- GssapiCredStore keytab:/etc/httpd/http.keytab
- Require valid-user
-</Location>
+#### Example
+ <Location /gssapi>
+ AuthType GSSAPI
+ AuthName "Login"
+ GssapiBasicAuth On
+ GssapiCredStore keytab:/etc/httpd/http.keytab
+ Require valid-user
+ </Location>
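Review bot: the Basic Auth example enables `GssapiBasicAuth On` without the TLS-only directive described earlier on this page ("Forces the authentication attempt to fail if the connection is not being established over TLS"). Since the fallback has the browser send the user's password to the server, and the example is what readers copy, either add that directive to the `<Location /gssapi>` block or state in the text that GssapiBasicAuth should only be enabled together with it. The heading change to `#### Example` matches the earlier section and is fine.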
By default no mechanism is set, this means all locally available mechanisms
are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp
By default no mechanism is set, this means all locally available mechanisms
are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp
GssapiAllowedMech krb5
GssapiAllowedMech ntlmssp
GssapiAllowedMech krb5
GssapiAllowedMech ntlmssp
### GssapiBasicAuthMech
List of mechanisms against which Basic Auth is attempted. This is useful to
### GssapiBasicAuthMech
List of mechanisms against which Basic Auth is attempted. This is useful to
-restrict the mechanisms that can be used to attaempt password auth.
+restrict the mechanisms that can be used to attempt password auth.
By default no mechanism is set, this means all locally available mechanisms
are allowed, unless GssapiAllowedMech is set, in which case those are used.
By default no mechanism is set, this means all locally available mechanisms
are allowed, unless GssapiAllowedMech is set, in which case those are used.
-GssapiBasicAuthMech always takes precendence over GssapiAllowedMech.
+GssapiBasicAuthMech always takes precedence over GssapiAllowedMech.
The recognized mechanism names are: krb5, iakerb, ntlmssp
The recognized mechanism names are: krb5, iakerb, ntlmssp
--- /dev/null
+README
\ No newline at end of file
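Review bot: the new file's content is the bare relative name `README` with no trailing newline, which is how git records a symlink target, so this hunk adds a link that resolves to README rather than the other way round; the commit message's "Add symlink to .md" reads as if the .md were the target. Suggest "Add README.md symlink pointing at README" so the direction is unambiguous, and confirm the full diff shows the symlink file mode (not visible in this view).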