Thursday, February 17, 2011

Apache Basic Authentication over SSL with PAM Kerberos/LDAP

Suppose you already have a web site serving multiple subversion repositories over SSL (see here) and you would like add security on top of that, namely use Kerberos for authentication and LDAP for authorization. Before we proceed please ensure your machine is capable to authenticate against Kerberos/LDAP (see here). I will assume you saw the following:
  • Serving Multiple SVN Repositories with Apache (see here)
  • Debian OpenLDAP client with Kerberos (see here)
Once above is done, here we go:
  1. Let add http principal to kerberos:
    kadmin -p admin -q "addprinc -randkey http/scm1.dev.local"
    kadmin -p admin -q "ktadd -k /etc/apache2/http.keytab http/scm1.dev.local"
    chown root:www-data /etc/apache2/http.keytab
    chmod g=r,o= /etc/apache2/http.keytab
    
  2. The apache process is run under user www-data (id = 33), we need obtain kerberos ticket so it can authenticate users to ldap (file /etc/inittab).
    KA:2345:respawn:/usr/bin/k5start -f /etc/apache2/http.keytab -u http/scm1.dev.local -K 10 -l 24h -o www-data -k /tmp/krb5cc_33
    
    Send init signal to reload the changes we made:
    kill -HUP 1
    
  3. Install apache PAM modules:
    apt-get install libapache2-mod-auth-pam libapache2-mod-auth-sys-group
    
  4. Let setup default policy that applies to each project (file /var/lib/svn/conf/default_policy.conf), here we require :
    <Location /svn/>
            Dav svn
            SVNParentPath /var/lib/svn/repos
    
            SVNListParentPath On
            SVNAutoVersioning On
    
            AuthPAM_Enabled on
            AuthName "DEV.LOCAL"
            AuthType basic
            AuthBasicAuthoritative off
            AuthPAM_Fallthrough off
            AuthUserFile /dev/null
    
            Require group svnusers
    
            <LimitExcept GET PROPFIND OPTIONS REPORT>
                Order deny,allow
                Deny from all
    
                Allow from 192.168.10.0/24
            </LimitExcept>
    </Location>
    
  5. Now that we have default policy, let setup a project one (the only users from group project1 have access here, file /var/lib/svn/conf/policies/project1_policy.conf):
    <Location /svn/project1>
            Require group project1
    </Location>
    
  6. Finally restart apache so our changes take place:
    /etc/init.t/apache restart
    
Now when you visit /svn you will be prompted to enter your credentials and you will get access only if you are a member of svnusers group. The only members of group project1 will get access to /svn/projec1.

No comments:

Post a Comment