Open HamburgerJungeJr opened 1 year ago
What mod_auth_gssapi can do is to prepare a ticket valid for impersonation, but it is not built to try and perform "middle man" authentication when used in a proxy.
So I would say you misunderstood what it can do on its own. However I guess you could have some other code use the ticket created by mod_auth_gssapi to perform a Negoiate authentication request against the target service. A simple python script using requests-gssapi would probably be enough.
Hi,
I try to get the option GssapiImpersonate working.
Situation: User -----> Apache Proxy --------> Service with Kerberos
My goal is that the user is authenticated on the proxy and the proxy the impersonates the user to provide access to the service. For the sake of simplicity currently the user should authenticate with Basic Auth to the proxy, but this could be replaced by some central auth with MFA or equal.
The docs for GssapiImpersonate state:
So if I understand this correctly: I have an Apache module which sets the variable r->user. mod_auth_gssapi then queries the KDC (in my case MS AD) and gets a kerberos ticket for the username from r->user
My problem is that I get a ticket for the username in GssapiDelegCcacheDir but the proxy request passes the Basic Auth header instead of a kerberos header.
My config: site.conf
(The auth module sharedsecret is this module: https://codeberg.org/HamburgerJungeJr/mod_authn_sharedsecret it just puts the username in r->user and accepts the same password for all users, so I dont have to add users for testing)
/etc/krb5.conf
cache ticket - klist -c /var/run/httpd/krbcache/myuser@MYREALM (German system)
I set the user to be allowed for delegation any authentication protocol on the AD.
Did I minsunderstand the function of GssapiImpersonate or do I have an error in my configuration?