Support for basic and kerberos authentication
diff --git a/README.rst b/README.rst
index a06d296..822dea5 100644
--- a/README.rst
+++ b/README.rst
@@ -98,6 +98,35 @@
max: 64
max_requests: 4000
+Apache kerberos authentication:
+
+.. code-block:: yaml
+
+ parameters
+ apache:
+ server:
+ site:
+ auth:
+ engine: kerberos
+ name: "Kerberos Authentication"
+ require:
+ - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"
+
+ kerberos:
+ realms:
+ - EXAMPLE.COM
+ # Bellow is optional
+ keytab: /etc/apache2/ipa.keytab
+ service: HTTP
+ method:
+ negotiate: true
+ k5passwd: true
+
+ ldap:
+ url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
+ # mech is optional
+ mech: GSSAPI
+
Example pillar
==============
diff --git a/apache/files/_auth.conf b/apache/files/_auth.conf
new file mode 100644
index 0000000..f4a287c
--- /dev/null
+++ b/apache/files/_auth.conf
@@ -0,0 +1,51 @@
+{%- from "apache/map.jinja" import server with context %}
+{%- if site.auth.engine == 'basic' %}
+
+ AuthType Basic
+{%- if site.auth.htpasswd is defined %}
+ AuthUserFile {{ server.htpasswd_dir }}/{{ site.auth.htpasswd }}
+{%- else %}
+ AuthUserFile {{ server.htpasswd_dir }}/htpasswd
+{%- endif %}
+
+{%- elif site.auth.engine == 'kerberos' %}
+
+ AuthType Kerberos
+ KrbMethodNegotiate {% if site.auth.kerberos.get("method", {}).get("negotiate", True) %}on{% else %}off{% endif %}
+ KrbMethodK5Passwd on
+ KrbMethodK5Passwd {% if site.auth.kerberos.get("method", {}).get("k5passwd", True) %}on{% else %}off{% endif %}
+ KrbServiceName {{ site.auth.kerberos.get("service", "HTTP") }}
+ KrbAuthRealms {{ site.auth.kerberos.realms|join(' ') }}
+ Krb5KeyTab {{ site.auth.kerberos.get("keytab", "/etc/apache2/ipa.keytab") }}
+ KrbSaveCredentials on
+ KrbConstrainedDelegation on
+
+ # Ensure X-Forwarded-User is correctly set
+ RequestHeader unset X-Forwarded-User
+ RewriteEngine On
+ RewriteCond %{LA-U:REMOTE_USER} (.+)@(.+)
+ RewriteRule .* - [E=RU:%1,NS]
+ RequestHeader set X-Forwarded-User %{RU}e
+
+{%- if site.auth.ldap is defined %}
+ AuthLDAPBindSASLMech {{ site.auth.ldap.get("mech", "GSSAPI") }}
+{%- if site.auth.ldap.interact is defined %}
+ AuthLDAPBindSASLInteract "{{ site.auth.ldap.interact }}"
+{%- else %}
+ AuthLDAPBindSASLInteract "/usr/bin/kinit -k -t {{ site.auth.kerberos.get("keytab", "/etc/apache2/ipa.keytab") }} {{ site.auth.kerberos.service }}/{{ site.host.name }}"
+{%- endif %}
+ AuthLDAPURL "ldaps://<%=scope.function_hiera(['ipa_servers'])%>/dc=intgdc,dc=com?krbPrincipalName"
+{%- endif %}
+
+{%- endif %}
+
+ AuthName "{{ salt.auth.get("name", "Authentication required") }}"
+{%- if salt.auth.require is defined %}
+{%- for require in salt.auth.require %}
+ Require {{ require }}
+{%- endfor %}
+{%- else %}
+ Require valid-user
+{%- endif %}
+
+{%- endif %}
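Review bot: The AuthName/Require block near the end of the new file reads `salt.auth` while every other lookup in this template, the README example and the test pillar use `site.auth`, so the pillar's `require:` list is never applied — depending on how the Salt renderer resolves `salt.auth`, rendering either fails or falls through to `Require valid-user`, which admits any authenticated principal instead of the configured group. The `AuthLDAPURL` line is a Puppet ERB leftover with a hard-coded `dc=intgdc,dc=com` base that ignores `site.auth.ldap.url` (defined by both the README and the test pillar) and should read `AuthLDAPURL "{{ site.auth.ldap.url }}"`. The trailing `{%- endif %}` appears to have no matching `if` (the basic/kerberos chain is already closed after the LDAP block), and `KrbMethodK5Passwd on` is emitted unconditionally one line before the pillar-driven form of the same directive. The `AuthLDAPBindSASLInteract` fallback also reads `site.auth.kerberos.service` directly while the `KrbServiceName` line defaults it to `HTTP` via `.get()`, so omitting the optional `service` key only breaks the LDAP branch.
```jinja
{# … unchanged: basic branch, Kerberos directives up to KrbMethodNegotiate … #}
 KrbMethodK5Passwd {% if site.auth.kerberos.get("method", {}).get("k5passwd", True) %}on{% else %}off{% endif %}
{# … unchanged: KrbServiceName … X-Forwarded-User rewrite, AuthLDAPBindSASLMech, interact branch … #}
{%- else %}
 AuthLDAPBindSASLInteract "/usr/bin/kinit -k -t {{ site.auth.kerberos.get("keytab", "/etc/apache2/ipa.keytab") }} {{ site.auth.kerberos.get("service", "HTTP") }}/{{ site.host.name }}"
{%- endif %}
 AuthLDAPURL "{{ site.auth.ldap.url }}"
{%- endif %}

{%- endif %}

 AuthName "{{ site.auth.get("name", "Authentication required") }}"
{%- if site.auth.require is defined %}
{%- for require in site.auth.require %}
 Require {{ require }}
{%- endfor %}
{%- else %}
 Require valid-user
{%- endif %}
```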
diff --git a/apache/files/_locations.conf b/apache/files/_locations.conf
index ebfb1e1..bbf4a6e 100644
--- a/apache/files/_locations.conf
+++ b/apache/files/_locations.conf
@@ -6,5 +6,10 @@
{%- else %}
Alias {{ location.uri }} {{ location.path }}
{%- endif %}
+ {%- if location.auth is defined %}
+ <Location {{ location.uri }}>
+ {%- include "apache/files/_auth.conf" %}
+ </Location>
+ {%- endif %}
{%- endfor %}
{%- endif %}
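Review bot: The new `<Location>` block includes `_auth.conf` when `location.auth` is defined, but `_auth.conf` as added in this commit reads only `site.auth.*`, so a per-location `auth:` stanza such as the one in `tests/pillar/apache_server.sls` is never consulted — if the site has no `auth` key the include most likely fails on `site.auth.engine`, and if it does, the location silently inherits the site-level policy rather than its own. One way to reconcile the two inclusion points is to bind the stanza to a common name before each include, e.g. `{%- set auth = location.auth %}` here and `{%- set auth = site.auth %}` in `static.conf`, with `_auth.conf` reading `auth.*` throughout. Whether a `set` inside this for loop is visible to the included template depends on the Jinja version in use, so the fix should be confirmed by rendering the test pillar. The enclosing `for` loop starts outside the hunk.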
diff --git a/apache/files/static.conf b/apache/files/static.conf
index 4e39bb8..e561fd0 100644
--- a/apache/files/static.conf
+++ b/apache/files/static.conf
@@ -15,5 +15,12 @@
Order allow,deny
allow from all
</Directory>
+
+ {%- if site.auth is defined %}
+ <Location />
+ {%- include "apache/files/_auth.conf" %}
+ </Location>
+ {%- endif %}
+
{%- include "apache/files/_locations.conf" %}
</VirtualHost>
diff --git a/apache/map.jinja b/apache/map.jinja
index b697c8d..2f06421 100644
--- a/apache/map.jinja
+++ b/apache/map.jinja
@@ -7,6 +7,7 @@
'mod_php': 'libapache2-mod-php5',
'mod_perl': 'libapache2-mod-perl2',
'mod_xsendfile': 'libapache2-mod-xsendfile',
+ 'htpasswd_dir': '/etc/apache2',
'vhost_dir': '/etc/apache2/sites-available',
'conf_dir': '/etc/apache2/conf.d',
'conf_ext': '.conf',
@@ -19,6 +20,7 @@
'mod_wsgi': 'wsgi-apache',
'mod_php': 'php-apache',
'vhost_dir': '/etc/httpd/conf/extra',
+ 'htpasswd_dir': '/etc/httpd',
'conf_dir': '/etc/httpd/conf',
'conf_ext': '.conf',
'log_dir': '/var/log/httpd',
@@ -29,6 +31,7 @@
'service': 'httpd',
'mod_wsgi': 'mod_wsgi',
'vhost_dir': '/etc/httpd/conf.d',
+ 'htpasswd_dir': '/etc/httpd',
'conf_dir': '/etc/httpd/conf.d',
'conf_ext': '.conf',
'log_dir': '/var/log/httpd',
@@ -39,6 +42,7 @@
'service': 'apache22',
'mod_wsgi': 'ap22-mod_wsgi3',
'vhost_dir': '/usr/local/etc/apache22/Includes',
+ 'htpasswd_dir': '/usr/local/etc/apache22',
'conf_dir': '/usr/local/etc/apache22/Includes',
'conf_ext': '',
'log_dir': '/var/log/',
diff --git a/tests/pillar/apache_server.sls b/tests/pillar/apache_server.sls
index 5b24819..37c1f7d 100644
--- a/tests/pillar/apache_server.sls
+++ b/tests/pillar/apache_server.sls
@@ -13,6 +13,22 @@
locations:
- uri: /admin
path: /usr/share/postfixadmin
+ auth:
+ engine: kerberos
+ name: "Kerberos Authentication"
+ require:
+ - "ldap-attribute memberOf='cn=jenkins,cn=groups,cn=accounts,dc=example,dc=eu'"
+ kerberos:
+ realms:
+ - EXAMPLE.EU
+ keytab: /etc/apache2/ipa.keytab
+ service: HTTP
+ method:
+ negotiate: true
+ k5passwd: true
+ ldap:
+ url: "ldaps://idm01.example.eu/dc=example,dc=eu?krbPrincipalName"
+ mech: GSSAPI
- uri: /mailman
path: /usr/lib/cgi-bin/mailman
script: true
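Review bot: This pillar places `auth:` under the `/admin` location while the README example in this commit places it under the site, and `_auth.conf` reads `site.auth.*` only, so the data added here is not exercised by the template it is meant to test; the `ldap.url` value is likewise not read, because the template hard-codes its `AuthLDAPURL`. Until the template and the pillar schema agree, a regression in the Kerberos path would not be caught by this test. Consider adding a site-level `auth:` stanza to the test pillar as well so that both inclusion points (`static.conf` and `_locations.conf`) are rendered.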