在RH 5.3,Apache / 2.2.15,mod_auth_kerb已加载,Active Directory 2008,我们希望控制对具有AD组成员的身份验证用户的URL的访问,而无需提示用户/密码。
实际上,我们可以通过提示用户/密码来控制访问权限 - 但是我们还没有看到必须更改哪些参数才能获得提示。
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
#default_tkt_enctypes = RC4-HMAC,DES-CBC-CRC,DES3-CBC-SHA1,DES-CBC-MD5
#default_tgs_enctypes = RC4-HMAC,DES-CBC-CRC,DES3-CBC-SHA1,DES-CBC-MD5
#dns_lookup_realm = false
#dns_lookup_kdc = false
#ticket_lifetime = 24h
#forwardable = true
# default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
domain.local = {
kdc = MyServer.domain.local
admin_server = MyServer.domain.local
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
/etc/httpd/conf/httpd.conf中
<Directory /var/www/html/test_CTI/>
order deny,allow
deny from all
AuthType basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl "ldap://MyServer.domain.local:3268/OU=myOU,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=KerbPHPEXP,OU=MyOU,DC=domain,DC=local"
AuthLDAPBindPassword "PWD!"
Require ldap-group cn=G151401-DSUP,OU=myOU,DC=domain,DC=local
# AuthType kerberos
AuthName "Authentification DSUP test "
Krb5Keytab /etc/httpd/conf/kerb5.ktab
KrbAuthRealms DOMAIN.LOCAL
KrbMethodNegotiate on
KrbServiceName Any
KrbMethodK5Passwd on
satisfy any
</Directory>