Mailing List Archive

mod_auth_kerb deprecate
Hi all,

We are planning to configure Kerberos with Apache HTTPD Server 2.4.37
installed on RHEL 8.5. As per RHEL, mod_auth_kerb module has been
deprecated and has been replaced by mod_auth_gssapi. We have Virtual host
configuration of Kerberos(from old setup) but don't know what will be the
equivalent settings to do with gssapi module.

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

<VirtualHost *:10080>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
ServerName mywebserver.intdomain.local
<Location />
Order allow,deny
Allow from all
AuthType Kerberos
KrbServiceName
HTTP/mywebserver.intdomain.local@INTDOMAIN.LOCAL
AuthName "Domain login"
KrbAuthRealms INTDOMAIN.LOCAL
Krb5KeyTab /etc/apache2/kerberos.keytab
require valid-user
KrbMethodNegotiate On
KrbMethodK5Passwd Off
#KrbLocalUserMapping On

# Below directives put logon name of authenticated user
into http header X-User-Global-ID
RequestHeader unset X-User-Global-ID
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule /.* - [E=RU:%1,L,NS]
RequestHeader set X-User-Global-ID %{RU}e

# Remove domain suffix to get the simple logon name
# RequestHeader edit X-User-Global-ID "@INTDOMAIN.LOCAL$"
""

</Location>
</VirtualHost>
Listen 10080

Cheers
-Vicky
RE: mod_auth_kerb deprecate [ In reply to ]
Hi,
Just checking, are you interested acquiring the list of attendees? Please respond my email. I'm waiting for your response.
We are discussing about Prices And, provide the discount cost.
Thank you.


From: vicky chb <vkychb04@gmail.com>
Sent: Tuesday, December 6, 2022 4:25 PM
To: users@httpd.apache.org
Subject: [users@httpd] mod_auth_kerb deprecate

Hi all,

We are planning to configure Kerberos with Apache HTTPD Server 2.4.37 installed on RHEL 8.5. As per RHEL, mod_auth_kerb module has been deprecated and has been replaced by mod_auth_gssapi. We have Virtual host configuration of Kerberos(from old setup) but don't know what will be the equivalent settings to do with gssapi module.

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

<VirtualHost *:10080>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
ServerName mywebserver.intdomain.local
<Location />
Order allow,deny
Allow from all
AuthType Kerberos
KrbServiceName HTTP/mywebserver.intdomain.local@INTDOMAIN.LOCAL<mailto:HTTP/mywebserver.intdomain.local@INTDOMAIN.LOCAL>
AuthName "Domain login"
KrbAuthRealms INTDOMAIN.LOCAL
Krb5KeyTab /etc/apache2/kerberos.keytab
require valid-user
KrbMethodNegotiate On
KrbMethodK5Passwd Off
#KrbLocalUserMapping On

# Below directives put logon name of authenticated user into http header X-User-Global-ID
RequestHeader unset X-User-Global-ID
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule /.* - [E=RU:%1,L,NS]
RequestHeader set X-User-Global-ID %{RU}e

# Remove domain suffix to get the simple logon name
# RequestHeader edit X-User-Global-ID "@INTDOMAIN.LOCAL$" ""

</Location>
</VirtualHost>
Listen 10080

Cheers
-Vicky