Apache mod_auth_kerb and LDAP user groups

I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can access a site or not.

Is it possible to combine mod_auth_kerb with something like mod_authnz_ldap to check for group membership in a particular group in LDAP? I'm guessing the KrbAuthoritative option would have something to do with this?

Also, as I understand it, the module sets the username to be username@REALM after authentication, but of course in the directory the users are stored as the username only. Furthermore, some internal sites we run such as trac already have a user profile linked to each username. Is there a way to resolve this, perhaps by stripping off the realm bit after authentication somehow?

Solution 1:

It is now possible in mod_auth_kerb 5.4 to strip the realm from REMOTE_USER with the following config directive:

KrbLocalUserMapping On

Solution 2:

It's the whole point of the authn/authz separation in 2.2 that you can authenticate with one mechanism, and authorize with another. Authentication provides you with a setting of REMOTE_USER, which you then can use authz_ldap against. In addition, authn_ldap searches then for a user (converting the REMOTE_USER to a DN if found, using search criteria you have to specify - e.g. searching for CN). Then, when a DN has been found, you can specify requirements on the LDAP object. E.g. if all users accessing a resource must be in the same OU, you specify

require ldap-dn ou=Managers, o=The Company

Solution 3:

Debian stable now ships with version 5.4 of mod_auth_kerb.

If you're stuck with an older version, this page explains how mod_map_user can be used in combination with mod_auth_kerb and mod_authnz_ldap.