mod_auth_gssapi
===============

Intro
-----

This module has been built as a replacement for the aging mod_auth_kerb.
Its aim is to use only GSSAPI calls and to be as agnostic as possible of
the actual mechanism used.

Dependencies
------------

A modern version of MIT's Krb5 distribution or any GSSAPI implementation
that supports the [credential store
extension](http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions)
is necessary to achieve full functionality. Reduced functionality is
provided without these extensions.

* MIT krb5 (>=1.11)
* Apache httpd (>=2.4.11)

### Tests

To run tests, you also need:

* The Kerberos 5 Key Distribution Center (`krb5-kdc` package on Debian,
  `krb5-server` on Fedora)
* Packages `mod_session`, `krb5-workstation`, `python3-requests-gssapi`,
  and `python3-gssapi` on Fedora
* Some tests require the `krb5-pkinit` package on Fedora and krb5 >= 1.15.
* [nss_wrapper](https://cwrap.org/nss_wrapper.html), packaged in Fedora
* [socket_wrapper](https://cwrap.org/socket_wrapper.html), packaged in Fedora

Installation
------------

    autoreconf -fi
    ./configure
    make
    make install


Configuration
-------------

Apache authentication modules are usually configured per location; see the
[mod_authn_core](https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html)
documentation for the common directives.

### Basic configuration

The simplest configuration scheme specifies just one directive, which is the
location of the keytab.

#### Example

    <Location /private>
        AuthType GSSAPI
        AuthName "GSSAPI Single Sign On Login"
        GssapiCredStore keytab:/etc/httpd.keytab
        Require valid-user
    </Location>

Your Apache server needs read access to the configured keytab.
If your Kerberos implementation does not support the credential store
extensions you can also simply set the KRB5_KTNAME environment variable in the
Apache init script and skip the GssapiCredStore option completely.
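
The keytab holds the service's long-term keys, so "readable by httpd" should
also mean "readable by nobody else". The following preflight check is an added
example written for this page; it is not part of mod_auth_gssapi. It evaluates
the POSIX permission bits for a given uid and set of gids the way access(2)
would (assumption: a POSIX host; ACLs and SELinux are not considered) and
flags a keytab that is world-readable or writable by others. The uid and gids
passed in are whatever the deployment runs httpd as.

```python
"""Preflight check for the keytab named in GssapiCredStore keytab:...

Added example for this README, not part of mod_auth_gssapi. Assumes a POSIX
host and plain mode bits (no ACLs, no SELinux).
"""
import os
import stat
import tempfile


def can_read(st, uid, gids):
    """True if a process with this uid and these gids may read the file."""
    if uid == 0:
        return True  # root bypasses mode bits for reading (DAC override)
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_keytab(path, httpd_uid, httpd_gids):
    """Return a list of problems; an empty list means the keytab looks fine."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if not can_read(st, httpd_uid, httpd_gids):
        problems.append("uid %d cannot read %s" % (httpd_uid, path))
    if st.st_mode & stat.S_IROTH:
        problems.append("%s is world-readable; restrict it to the httpd user" % path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s is writable by group or others" % path)
    return problems


def demo():
    """Run the check against two constructed files (not real keytabs).

    The files are owned by whoever runs this, and the check is made for a uid
    and gid that are deliberately different from the owner, standing in for
    the httpd user. The 0600 file shows the unreadable case, the 0644 file the
    world-readable case.
    """
    other_uid, other_gids = os.getuid() + 1, (os.getgid() + 1,)
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "httpd.keytab")
        public = os.path.join(d, "leaky.keytab")
        for p in (private, public):
            with open(p, "wb") as fh:
                fh.write(b"\x05\x02")  # keytab file magic only; constructed sample
        os.chmod(private, 0o600)
        os.chmod(public, 0o644)
        return (check_keytab(private, other_uid, other_gids),
                check_keytab(public, other_uid, other_gids))


if __name__ == "__main__":
    for report in demo():
        print(report)
```

In a real deployment the fix for the first report is `chown` to the httpd user
(or a group it belongs to, with mode 0640); the fix for the second is to drop
the `o+r` bit. If the KRB5_KTNAME fallback mentioned above is used instead of
GssapiCredStore, the same check applies to that path.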


Environment Variables
---------------------

(Note: these are not process environment variables, but rather Apache
environment variables, as described
[in the apache docs](https://httpd.apache.org/docs/2.4/env.html).)

### gssapi-no-negotiate

This environment variable is used to suppress setting Negotiate headers. Not
sending these headers is useful to work around browsers that do not handle
them properly (and incorrectly show authentication popups to users).

#### Example

For instance, to suppress negotiation on Windows browsers, one could set:

    BrowserMatch Windows gssapi-no-negotiate



Configuration Directives
------------------------

### Alphabetic List of Directives

* [GssapiAcceptorName](#gssapiacceptorname)
* [GssapiAllowedMech](#gssapiallowedmech)
* [GssapiBasicAuth](#gssapibasicauth)
* [GssapiBasicAuthMech](#gssapibasicauthmech)
* [GssapiBasicTicketTimeout](#gssapibasictickettimeout)
* [GssapiConnectionBound](#gssapiconnectionbound)
* [GssapiCredStore](#gssapicredstore)
* [GssapiDelegCcacheDir](#gssapidelegccachedir)
* [GssapiDelegCcacheEnvVar](#gssapidelegccacheenvvar)
* [GssapiDelegCcachePerms](#gssapidelegccacheperms)
* [GssapiDelegCcacheUnique](#gssapidelegccacheunique)
* [GssapiImpersonate](#gssapiimpersonate)
* [GssapiLocalName](#gssapilocalname)
* [GssapiNameAttributes](#gssapinameattributes)
* [GssapiNegotiateOnce](#gssapinegotiateonce)
* [GssapiPublishErrors](#gssapipublisherrors)
* [GssapiRequiredNameAttributes](#gssapirequirednameattributes)
* [GssapiSessionKey](#gssapisessionkey)
* [GssapiSignalPersistentAuth](#gssapisignalpersistentauth)
* [GssapiSSLonly](#gssapisslonly)
* [GssapiUseS4U2Proxy](#gssapiuses4u2proxy)
* [GssapiUseSessions](#gssapiusesessions)


### GssapiSSLonly

Forces the authentication attempt to fail if the connection is not being
established over TLS.

#### Example

    GssapiSSLonly On


### GssapiLocalName

Tries to map the client principal to a local name using the gss_localname()
call. This requires configuration in the /etc/krb5.conf file in order to allow
proper mapping for principals not in the default realm (for example a user
coming from a trusted realm).
See the 'auth_to_local' option in the [realms] section of krb5.conf(5).

When this option is used the resolved name is set in the REMOTE_USER variable;
however, the complete client principal name is also made available in the
GSS_NAME variable.

#### Example

    GssapiLocalName on


### GssapiConnectionBound

When using GSS mechanisms that require more than one round-trip to complete
authentication (like NTLMSSP) it is necessary to bind the authentication to
the connection in order to keep the state between round-trips. With this option
enabled, incomplete contexts are stored in the connection and retrieved on the
next request for continuation.

#### Example

    GssapiConnectionBound On


### GssapiSignalPersistentAuth

For clients that make use of the Persistent-Auth header, send the header
according to the GssapiConnectionBound setting.

#### Example

    GssapiSignalPersistentAuth On


### GssapiUseSessions

In order to avoid constant and costly re-authentication attempts for every
request, mod_auth_gssapi offers a cookie based session method to maintain
authentication across multiple requests. mod_auth_gssapi uses the mod_session
module to handle cookies, so that module needs to be activated and configured.
mod_auth_gssapi uses a secured (encrypted + MAC-ed) payload to maintain state
in the session cookie. The session cookie lifetime depends on the lifetime of
the GSSAPI session established at authentication.

**NOTE**: It is important to correctly set the SessionCookieName option.
See the
[mod_session](http://httpd.apache.org/docs/current/mod/mod_session.html)
documentation for more information.

#### Example

    GssapiUseSessions On
    Session On
    SessionCookieName gssapi_session path=/private;httponly;secure;


### GssapiSessionKey

When GssapiUseSessions is enabled a key used to encrypt and MAC the session
data will be automatically generated at startup; this means session data will
become unreadable if the server is restarted or multiple servers are used and
the client is load balanced from one to another. To obviate this problem the
admin can choose to install a permanent key in the configuration so that
session data remain accessible after a restart or by multiple servers
sharing the same key.

Two schemes to read persistent keys are provided, 'key' and 'file'.

- 'key'
  A key is read from the configuration directive.
  The key must be a base64 encoded raw key of 32 bytes of length.

- 'file'
  A file on the file system is used to store the key. If the file does not
  exist one is created with a randomly generated key during the first
  execution.


#### Examples

    GssapiSessionKey key:VGhpcyBpcyBhIDMyIGJ5dGUgbG9uZyBzZWNyZXQhISE=
    GssapiSessionKey file:/var/lib/httpd/secrets/session.key
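
Whoever can read this key can mint session cookies that the module will accept
without any GSSAPI exchange, so the key is as sensitive as the keytab and
should not be guessable or shorter than the documented 32 bytes. The helper
below is an added example written for this page, not part of mod_auth_gssapi:
it generates a fresh `key:` value from the OS random source and checks the
format of an existing `GssapiSessionKey` argument (base64 that decodes to
exactly 32 bytes for the `key` scheme, an absolute path for the `file`
scheme). The key-file permission check assumes a POSIX host.

```python
"""Generate and validate GssapiSessionKey values.

Added example for this README; it is not part of mod_auth_gssapi. It only
mirrors the documented formats (scheme 'key' with a base64-encoded 32-byte raw
key, scheme 'file' with a path) and never talks to httpd.
"""
import base64
import binascii
import os
import stat

KEY_LEN = 32  # documented requirement: the raw key is 32 bytes long


def make_session_key_directive():
    """Return a complete GssapiSessionKey line with a fresh random key."""
    raw = os.urandom(KEY_LEN)
    return "GssapiSessionKey key:" + base64.b64encode(raw).decode("ascii")


def check_session_key(value):
    """Validate the argument of a GssapiSessionKey directive.

    Returns (ok, message). For 'key:' the base64 text must decode to exactly
    KEY_LEN bytes. For 'file:' only the path syntax is checked here, because
    httpd creates a missing file itself on first use.
    """
    scheme, sep, rest = value.partition(":")
    if not sep or not rest:
        return False, "expected 'key:<base64>' or 'file:<path>'"
    if scheme == "key":
        try:
            raw = base64.b64decode(rest, validate=True)
        except (binascii.Error, ValueError):
            return False, "key is not valid base64"
        if len(raw) != KEY_LEN:
            return False, "key decodes to %d bytes, need %d" % (len(raw), KEY_LEN)
        return True, "key OK"
    if scheme == "file":
        if not os.path.isabs(rest):
            return False, "file path should be absolute"
        return True, "file OK"
    return False, "unknown scheme %r" % scheme


def key_file_is_private(path):
    """True if the key file is a regular file unreadable by group and others.

    The file should be owned by root or the httpd user with mode 0600
    (assumption: a POSIX host with plain mode bits, no ACLs).
    """
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


if __name__ == "__main__":
    print(make_session_key_directive())
```

`openssl rand -base64 32` produces an equivalent `key:` value on the command
line. When several servers share a key via the `file` scheme, copy the same
file to every node rather than letting each node generate its own, or cookies
issued by one node will be rejected by the others.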


### GssapiCredStore

The GssapiCredStore option allows specifying multiple credential related
options like keytab location, client_keytab location, ccache location etc.

#### Example

    GssapiCredStore keytab:/etc/httpd.keytab
    GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache


### GssapiDelegCcacheDir

If delegation of credentials is desired credentials can be exported in a
private directory accessible by the Apache process.
The delegated credentials will be stored in a file named after the client
principal and a request environment variable (`KRB5CCNAME` by default) will be
set to point to that file.

#### Example

    GssapiDelegCcacheDir /var/run/httpd/clientcaches

A user foo@EXAMPLE.COM delegating its credentials would cause the server to
create a ccache file named /var/run/httpd/clientcaches/foo@EXAMPLE.COM


### GssapiDelegCcacheUnique

Enables using unique ccache names for delegation. ccache files will be placed
in GssapiDelegCcacheDir and named using the principal and a six-digit unique
suffix.

**Note:** The consuming application must delete the ccache, otherwise the
files will litter the filesystem if sessions are used. An example sweeper can
be found in the contrib directory.

#### Example

    GssapiDelegCcacheUnique On
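
Delegated ccaches are live user credentials sitting on disk, so stale ones are
both a disk-space and an exposure problem. The sweeper below is an added
example written for this page; it is not the script shipped in the module's
contrib directory. It removes regular files in the GssapiDelegCcacheDir whose
modification time is older than a chosen maximum age, without assuming
anything about the `principal_suffix` file name format, and it deliberately
skips anything that is not a regular file (a symlink planted in the directory
is never followed). The file names in the demo are hypothetical and the file
contents are placeholders, not real ccache data.

```python
"""Sweeper for delegated credential caches left in GssapiDelegCcacheDir.

Added example for this README, not the contrib/ sweeper shipped with
mod_auth_gssapi. Assumes a POSIX host.
"""
import os
import stat
import tempfile
import time


def sweep_ccache_dir(directory, max_age, now=None, dry_run=False):
    """Remove ccache files older than max_age seconds; return removed paths.

    Only regular files are touched: symlinks, sockets and subdirectories are
    skipped, and lstat semantics are used so a symlink is never followed.
    Files that vanish between listing and unlink are ignored, since the
    consuming application may delete its own ccache concurrently.
    """
    now = time.time() if now is None else now
    removed = []
    with os.scandir(directory) as entries:
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except FileNotFoundError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if now - st.st_mtime < max_age:
                continue
            if not dry_run:
                try:
                    os.unlink(entry.path)
                except FileNotFoundError:
                    continue
            removed.append(entry.path)
    return removed


def demo_sweep(max_age=3600):
    """Sweep a throwaway directory holding constructed sample entries.

    One stale and one fresh file (hypothetical names in the
    principal_suffix style), an old subdirectory and a planted symlink are
    created; returns (removed basenames, remaining basenames).
    """
    with tempfile.TemporaryDirectory() as d:
        stale = os.path.join(d, "foo@EXAMPLE.COM_123456")  # hypothetical name
        fresh = os.path.join(d, "bar@EXAMPLE.COM_654321")  # hypothetical name
        for p in (stale, fresh):
            with open(p, "wb") as fh:
                fh.write(b"not a real ccache")  # constructed placeholder
        old = time.time() - 2 * max_age
        os.utime(stale, (old, old))
        olddir = os.path.join(d, "olddir")
        os.mkdir(olddir)
        os.utime(olddir, (old, old))  # old but not a regular file: kept
        os.symlink("/etc/passwd", os.path.join(d, "planted-link"))  # kept, never followed
        removed = sweep_ccache_dir(d, max_age)
        kept = sorted(os.listdir(d))
    return sorted(os.path.basename(p) for p in removed), kept


if __name__ == "__main__":
    print(demo_sweep())
```

Run it from a timer (cron or a systemd timer) as the httpd user, with a
`max_age` no shorter than the session lifetime configured for the location,
otherwise a ccache can disappear while the application still expects
`KRB5CCNAME` to point at it.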


### GssapiDelegCcacheEnvVar

Set the name of the request environment variable that will receive the
credential cache name. If unspecified, defaults to `KRB5CCNAME`.

#### Example

    GssapiDelegCcacheEnvVar AJP_KRB5CCNAME


### GssapiUseS4U2Proxy

Enables the use of the s4u2Proxy Kerberos extension also known as
[constrained delegation](https://ssimo.org/blog/id_011.html).
This option allows an application running within Apache to operate on
behalf of the user against other servers by using the provided ticket
(subject to KDC authorization).
This option requires GssapiDelegCcacheDir to be set. The ccache will be
populated with the user's provided ticket which is later used as the evidence
ticket by the application.

**Note:** This flag has no effect when Basic-Auth is used since the user's
credentials are delegated anyway when GssapiDelegCcacheDir is set.

#### Example

    GssapiUseS4U2Proxy On
    GssapiCredStore keytab:/etc/httpd.keytab
    GssapiCredStore client_keytab:/etc/httpd.keytab
    GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
    GssapiDelegCcacheDir /var/run/httpd/clientcaches

**NOTE:** The client keytab is necessary to allow GSSAPI to initiate via keytab
on its own. If not present an external mechanism needs to kinit with the
keytab and store a ccache in the configured ccache file.


### GssapiBasicAuth

Allows the use of Basic Auth in conjunction with Negotiate.
If the browser fails to use Negotiate it will instead fall back to Basic and
the username and password will be used to try to acquire credentials in the
module via GSSAPI. If credentials are acquired successfully then they are
validated against the server's keytab.

- **Enable with:** GssapiBasicAuth On
- **Default:** GssapiBasicAuth Off

#### Example

    <Location /gssapi>
        AuthType GSSAPI
        AuthName "Login"
        GssapiBasicAuth On
        GssapiCredStore keytab:/etc/httpd/http.keytab
        Require valid-user
    </Location>


### GssapiAllowedMech

List of allowed mechanisms. This is useful to restrict the mechanisms that
can be used when credentials for multiple mechanisms are available.
By default no mechanism is set; this means all locally available mechanisms
are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp

#### Example

    GssapiAllowedMech krb5
    GssapiAllowedMech ntlmssp


### GssapiBasicAuthMech

List of mechanisms against which Basic Auth is attempted. This is useful to
restrict the mechanisms that can be used to attempt password auth.
By default no mechanism is set; this means all locally available mechanisms
are allowed, unless GssapiAllowedMech is set, in which case those are used.
GssapiBasicAuthMech always takes precedence over GssapiAllowedMech.
The recognized mechanism names are: krb5, iakerb, ntlmssp

#### Example

    GssapiBasicAuthMech krb5


### GssapiNameAttributes

Enables the module to source Name Attributes from the client name
(authorization data associated with the established context) and exposes them
as environment variables.

Value format: `ENV_VAR_NAME ATTRIBUTE_NAME`

This option can be specified multiple times, once for each attribute to expose.
The special value "json" is used to expose all attributes in a json formatted
string via the special environment variable GSS_NAME_ATTRS_JSON.
The environment variable GSS_NAME_ATTR_ERROR is set with the GSSAPI returned
error string in case the inquire name function fails to retrieve attributes,
and with the string "0 attributes found" if no attributes are set.

**Note**: These variables are NOT saved in the session data stored in the
cookie, so they are available only on the first authenticated request when
GssapiUseSessions is used.

**Note:** It is recommended but not required to use only capital letters and
underscores for environment variable names.

#### Example

    GssapiNameAttributes json
    GssapiNameAttributes RADIUS_NAME urn:ietf:params:gss:radius-attribute_1


### GssapiRequiredNameAttributes

This option allows specifying one or more Name Attributes that the client must
possess in order to be authorized to access the location. The required Name
Attributes are specified by name=value pairs (name being the ATTRIBUTE_NAME as
mentioned above, and value being a plain string). Alternately, if a Name
Attribute produces binary values or is expected to contain a space character,
the desired value can be specified with ':=' followed by a base64-encoded
string.

A combination of Name Attributes (including multiple values from a single Name
Attribute type) can be specified with an expression that separates each
name=value pair with the "and" or "or" logical operators. Operator precedence
can be influenced by parenthesized statements.

    foo=bar
    foo:=YmFy
    foo=bar or foo=baz
    foo=bar and foo=baz and bar=baz
    (foo=bar and foo=baz) or bar:=YmFy

If the Name Attributes associated with the client do not satisfy the given
expression, or no Name Attributes are present, a 403 response is returned.

#### Example

    GssapiRequiredNameAttributes "auth-indicators=high"
    GssapiRequiredNameAttributes "auth-indicators=high or other-attr=foo"
    GssapiRequiredNameAttributes "((auth-indicators=low and auth-indicators=med) or auth-indicators=high)"
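
Because an authorization expression that parses differently from what the
administrator meant silently widens access, it helps to be able to evaluate
one against a known set of attributes before deploying it. The evaluator
below is an added example written for this page; it is a model of the syntax
described above, not the parser inside mod_auth_gssapi. It handles
`name=value` and `name:=base64` terms, `and`, `or` and parentheses, and
treats an attribute as multi-valued (a list of byte strings per name), which
is what the "multiple values from a single Name Attribute type" wording above
requires. One assumption is made here that the text above does not state:
`and` binds tighter than `or` when no parentheses are given. Do not rely on
either precedence in a real configuration; write the parentheses.

```python
"""Evaluator for GssapiRequiredNameAttributes expressions.

Added example for this README, not the module's own parser. Assumes "and"
binds tighter than "or" when no parentheses are present.
"""
import base64
import re

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def tokenize(expr):
    """Split into '(', ')', 'and', 'or' and (name, value_bytes) term tokens."""
    tokens = []
    for tok in _TOKEN.findall(expr):
        if tok in ("(", ")", "and", "or"):
            tokens.append(tok)
        elif ":=" in tok:  # base64 form for binary values or values with spaces
            name, _, b64 = tok.partition(":=")
            tokens.append((name, base64.b64decode(b64, validate=True)))
        elif "=" in tok:  # plain form
            name, _, value = tok.partition("=")
            tokens.append((name, value.encode("utf-8")))
        else:
            raise ValueError("bad token %r" % tok)
    return tokens


class _Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*,
    and_expr := atom ('and' atom)*, atom := '(' or_expr ')' | term."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_atom())
        return node

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if isinstance(tok, tuple):
            return ("term",) + tok
        raise ValueError("unexpected token %r" % (tok,))


def parse(expr):
    """Parse into ('term', name, value) / ('and', l, r) / ('or', l, r) tuples.
    Surrounding double quotes, as written in httpd.conf, are stripped."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] == expr[-1] == '"':
        expr = expr[1:-1]
    p = _Parser(tokenize(expr))
    tree = p.parse_or()
    if p.peek() is not None:
        raise ValueError("trailing tokens after %r" % (p.peek(),))
    return tree


def evaluate(tree, attrs):
    """attrs maps attribute name -> list of bytes values (a name may repeat)."""
    kind = tree[0]
    if kind == "term":
        return tree[2] in attrs.get(tree[1], [])
    left, right = evaluate(tree[1], attrs), evaluate(tree[2], attrs)
    return (left and right) if kind == "and" else (left or right)


def is_authorized(expr, attrs):
    """Documented outcome: no attributes at all, or an unsatisfied expression,
    means the request is refused (httpd answers 403)."""
    if not attrs:
        return False
    return evaluate(parse(expr), attrs)
```

To exercise a candidate expression, build `attrs` from the
`GSS_NAME_ATTRS_JSON` value that `GssapiNameAttributes json` exposes for a
test user, or from constructed values as in the checks below, and confirm
both that the intended users pass and that a user holding only the weaker
indicator is refused.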


### GssapiNegotiateOnce

When this option is enabled the Negotiate header will not be resent if
Negotiation has already been attempted but failed.

Normally when a client fails to use Negotiate authentication, an HTTP 401
response is returned with a WWW-Authenticate: Negotiate header, implying that
the client can retry to use Negotiate with different credentials or a
different mechanism.

Consider enabling GssapiNegotiateOnce when only one single sign on mechanism
is allowed, or when GssapiBasicAuth is enabled.

**NOTE:** if the initial Negotiate attempt fails, some browsers will fall back
to other Negotiate mechanisms, prompting the user for login credentials and
reattempting negotiation. This situation can mislead users - for example if
krb5 authentication failed and no other mechanisms are allowed, a user could
be prompted for login information even though any login information provided
cannot succeed. When this occurs, some browsers will not fall back to a Basic
Auth mechanism. Enable GssapiNegotiateOnce to avoid this situation.

- **Enable with:** GssapiNegotiateOnce On
- **Default:** GssapiNegotiateOnce Off


### GssapiImpersonate

This option can be used even if AuthType GSSAPI is not used for a given
Location or LocationMatch, to obtain a service ticket for a user that was
already authenticated by a different module.

The principal of the user is retrieved from the internal r->user
identifier which typically holds the username from the authentication
results.

Make sure the server principal is allowed to acquire forwardable
tickets to itself on behalf of arbitrary users, for use with constrained
delegation, for example with the +ok_to_auth_as_delegate flag.

- **Enable with:** GssapiImpersonate On
- **Default:** GssapiImpersonate Off


### GssapiDelegCcachePerms

This option is used to set alternative ownership and permissions for delegated
ccache files stored in the GssapiDelegCcacheDir location. It is a multivalue
configuration directive that can accept the following three settings:

- mode
- uid
- gid

If a setting is not present the corresponding file property will not be
modified and the default owner and/or mode will be retained.

#### mode

Sets the file mode; the format used is a numeric mode with the same semantics
as the chmod unix command for mapping numbers to permissions.

#### uid

A user id number or name; an attempt to change the user owner of the file
to the uid number specified will be made. If a user name has been
specified, it will be resolved at startup time and the user's id number
stored internally for all subsequent operations.

#### gid

A group id number or name; an attempt to change the group owner of the
file to the gid number specified will be made. If a group name has been
specified, it will be resolved at startup time and the group's id number
stored internally for all subsequent operations.

#### Example

    GssapiDelegCcachePerms mode:0660 gid:webuiworkers


### GssapiPublishErrors

This option is used to publish errors as Environment Variables for use by
httpd processes.

A general error type is provided in the MAG_ERROR variable, and can have the
following values: "GSS ERROR", "INTERNAL ERROR", "AUTH NOT ALLOWED".
Additionally, in the variable named MAG_ERROR_TEXT there may be a free form
error message.

When the error type is "GSS ERROR" the variables GSS_ERROR_MAJ and
GSS_ERROR_MIN contain the numeric errors returned by GSSAPI, and
MAG_ERROR_TEXT will contain a GSS Error message, possibly prepended by
an additional message that provides more context.

- **Enable with:** GssapiPublishErrors On
- **Default:** GssapiPublishErrors Off


### GssapiAcceptorName

This option is used to force the server to accept only a specific name.

This allows, for example, selecting a specific credential when multiple
keys are provided in a keytab.

A special value of {HOSTNAME} will make the code use the name apache sees in
the httpd request to select the correct name to use. This may be useful to
allow multiple names and multiple keys to be used on the same apache instance.

Note: By default no name is set and any name in a keytab or mechanism specific
acceptor credential will be allowed.

Note: Global gssapi options set in krb5.conf like 'ignore_acceptor_hostname'
may affect the ability to restrict names.

Note: The GSS_C_NT_HOSTBASED_SERVICE format is used for names (see example).

#### Example

    GssapiAcceptorName HTTP@www.example.com


### GssapiBasicTicketTimeout

This option controls the ticket validity time requested for the user TGT by the
Basic Auth method.

Normally basic auth is repeated by the browser on each request so a short
validity period is used to reduce the scope of the ticket as it will be
replaced quickly.
However in cases where the authentication page is separate and the session
is used by other pages the validity can be changed to an arbitrary duration.

Note: the validity of a ticket is still capped by KDC configuration.

Note: the value is specified in seconds.

- **Default:** GssapiBasicTicketTimeout 300

#### Example

    GssapiBasicTicketTimeout 36000

Sets ticket/session validity to 10 hours.