Suppose you already have a web site serving multiple Subversion repositories over SSL (see here) and you would like to add security on top of that, namely use Kerberos for authentication and LDAP for authorization. Before we proceed, please ensure your machine is able to authenticate against Kerberos/LDAP (see here).
I will assume you have read the following:
- Serving Multiple SVN Repositories with Apache (see here)
- Debian OpenLDAP client with Kerberos (see here)
Once the above is done, here we go:
- Let's add an http principal to Kerberos and export its keytab for Apache:
kadmin -p admin -q "addprinc -randkey http/scm1.dev.local"
kadmin -p admin -q "ktadd -k /etc/apache2/http.keytab http/scm1.dev.local"
chown root:www-data /etc/apache2/http.keytab
chmod g=r,o= /etc/apache2/http.keytab
- The Apache process runs as user www-data (uid 33); we need to obtain a Kerberos ticket for it so it can authenticate users against LDAP. Add the following line to /etc/inittab so k5start keeps the ticket cache fresh:
KA:2345:respawn:/usr/bin/k5start -f /etc/apache2/http.keytab -u http/scm1.dev.local -K 10 -l 24h -o www-data -k /tmp/krb5cc_33
Send init a signal to reload the changes we made:
kill -HUP 1
- Install the Apache PAM modules:
apt-get install libapache2-mod-auth-pam libapache2-mod-auth-sys-group
- Let's set up the default policy that applies to every project (file /var/lib/svn/conf/default_policy.conf). Here we require PAM authentication and membership in group svnusers, and allow anything other than read-only methods only from 192.168.10.0/24:
<Location /svn/>
    Dav svn
    SVNParentPath /var/lib/svn/repos
    SVNListParentPath On
    SVNAutoVersioning On
    AuthPAM_Enabled on
    AuthName "DEV.LOCAL"
    AuthType basic
    AuthBasicAuthoritative off
    AuthPAM_Fallthrough off
    AuthUserFile /dev/null
    Require group svnusers
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Order deny,allow
        Deny from all
        Allow from 192.168.10.0/24
    </LimitExcept>
</Location>
- Now that we have the default policy, let's set up a per-project one (only users from group project1 have access here; file /var/lib/svn/conf/policies/project1_policy.conf):
<Location /svn/project1>
    Require group project1
</Location>
- Finally, restart Apache so our changes take effect:
/etc/init.d/apache2 restart
Now when you visit /svn you will be prompted for your credentials, and you will get access only if you are a member of the svnusers group. Only members of group project1 will get access to /svn/project1.
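As an added example (not part of the original post), here is a small Python audit of Apache access-log lines that checks the behaviour just described: it counts 401 responses per client under /svn (Basic-auth guessing), and flags requests the policy should have refused, namely anything served anonymously and any non-read method served from outside 192.168.10.0/24. It assumes Apache's "combined" log format; the sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}  # LimitExcept list in default_policy.conf
WRITE_NET = ip_network("192.168.10.0/24")                # "Allow from" network in default_policy.conf
FAILED_AUTH_THRESHOLD = 5                                # constructed value, tune for your site

# Apache "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def audit(lines):
    """Under /svn: count 401s per client (Basic-auth guessing), and flag served requests
    that the policy should have refused (anonymous, or a write from outside WRITE_NET)."""
    failed = Counter()
    bad_writes, anonymous_ok = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/svn"):
            continue
        if rec["status"] == 401:
            failed[rec["host"]] += 1      # credentials missing or rejected by PAM
        elif rec["status"] < 400:         # request was served
            if rec["user"] == "-":
                anonymous_ok.append(rec)  # Require group should never let this through
            if rec["method"] not in READ_METHODS and ip_address(rec["host"]) not in WRITE_NET:
                bad_writes.append(rec)    # Deny/Allow inside LimitExcept did not apply
    noisy = sorted(h for h, n in failed.items() if n >= FAILED_AUTH_THRESHOLD)
    return {"brute_force_hosts": noisy, "bad_writes": bad_writes, "anonymous_ok": anonymous_ok}

# Constructed sample lines, not real traffic: a normal read, a burst of failed logins,
# a write correctly refused (403) and one wrongly served (201), and an anonymous read served.
SAMPLE_LOG = (
    ['192.168.10.5 - alice [10/Oct/2023:10:00:01 +0000] "PROPFIND /svn/project1/trunk HTTP/1.1" 207 512 "-" "SVN/1.6.12"']
    + ['203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /svn/ HTTP/1.1" 401 381 "-" "curl/7.64.0"'] * 6
    + ['203.0.113.9 - bob [10/Oct/2023:10:00:03 +0000] "MKACTIVITY /svn/project1/!svn/act/1 HTTP/1.1" 403 299 "-" "SVN/1.6.12"',
       '203.0.113.9 - bob [10/Oct/2023:10:00:04 +0000] "MKACTIVITY /svn/project1/!svn/act/2 HTTP/1.1" 201 0 "-" "SVN/1.6.12"',
       '192.168.10.8 - - [10/Oct/2023:10:00:05 +0000] "GET /svn/project1/trunk/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'])
```

Run `audit(open("/var/log/apache2/access.log"))` against a real log; `audit(SAMPLE_LOG)` on the constructed lines reports one guessing host, one served write from outside the subnet and one anonymous read.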