We configured Apache to use Kerberos authentication. Apache simply sends the "X-Authenticated-User" header with the username. For instance:
AD domain login: smith_j@c.foo.example.com
Request Header name: 'x-authenticated-user' value: '[Smith_j@FOO.EXAMPLE.COM]'
AD domain login: dibley_j@division.foo.example.com
Request Header name: 'x-authenticated-user' value: '[dibley_j.division@FOO.EXAMPLE.COM]'
My question is: how can I get the original AD username (for example "smith_j@c.foo.example.com" or "dibley_j@division.foo.example.com") into the Apache header?
Here is my configuration:
[root@server]$ sudo cat /etc/krb5.conf
# Kerberos client library configuration as pasted in the question.
# Log destinations for the Kerberos library, the KDC and the admin daemon.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# NOTE(review): default_realm is empty as shown; possibly redacted when the
# question was posted. The only realm defined below is FOO.EXAMPLE.COM.
default_realm =
# DNS is not consulted for realm or KDC discovery; both come only from the
# [realms] and [domain_realm] sections of this file.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# NOTE(review): forwardable tickets are only needed where credentials are
# delegated onward; confirm that is required on this host.
forwardable = true
# A single realm, with one host acting as both KDC and admin server.
[realms]
FOO.EXAMPLE.COM = {
kdc = foo.example.com
admin_server = foo.example.com
}
# Host-name to realm mapping: foo.example.com and every host beneath it
# belong to FOO.EXAMPLE.COM.
[domain_realm]
.foo.example.com = FOO.EXAMPLE.COM
foo.example.com = FOO.EXAMPLE.COM
==================================================== =====================
[root@server]$ sudo cat server.conf
# Virtual host that authenticates every request with Kerberos and copies the
# authenticated user name into an X-Authenticated-User header.
# NOTE(review): this listener is plain HTTP on port 80. Unless TLS is
# terminated in front of it, the Negotiate exchange and the identity header
# cross the network unencrypted; confirm.
<VirtualHost *:80>
.....
.....
.....
RewriteEngine On
# REMOTE_USER is read through the LA-U: look-ahead prefix because rewrite
# rules in virtual-host context run before authentication has set it.
# A non-empty value is captured as %1 and stored in the environment variable RU.
# NOTE(review): REMOTE_USER is whatever the Kerberos module reports, normally
# the client principal (name@REALM) rather than a directory attribute such as
# the AD logon name; confirm before relying on its format.
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
# "set" replaces any X-Authenticated-User header the client sent, so the value
# seen downstream is the one written here.
# NOTE(review): whatever consumes this header (presumably configured in the
# elided lines) should accept requests only from this server; a request that
# reaches it by another path could carry a forged header.
RequestHeader set X-Authenticated-User %{RU}e
# Response header: the user name is also sent back to the client.
# NOTE(review): confirm this is wanted outside of debugging.
Header set X-Authenticated-User %{RU}e
# Overrides the Host request header with a fixed name.
RequestHeader set Host "site.foo.example.com"
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
# Negotiate (ticket-based) authentication only; the password fallback is off,
# so no user password is submitted over this HTTP listener.
KrbMethodNegotiate On
KrbMethodK5Passwd Off
# Keytab holding the HTTP service key.
# NOTE(review): file permissions are not shown; it should be readable only by
# the account Apache runs as.
Krb5KeyTab /etc/httpd/conf/http.keytab
# Any principal that authenticates successfully is admitted; no group or
# per-user authorization is applied here.
require valid-user
</Location>
.....
.....
.....
</VirtualHost>