Mailing Lists: Apple Mailing Lists


Apache Realms to OD/Kerb



Hi, folks. I had written something about this before, thinking that the problem was in WebDAV, but after some more testing I find that I am not able to get an Apache Realm tied to Open Directory, period. I am using 10.4.2 on both the server and the testing client.

I set up a host on SSL (here referred to as munged.dom.com), using a self-signed certificate (which I tell my browser to trust).

I set up a realm (authenticated by Kerberos) to the root path of the host. In Users, I turned off both Authoring and Browsing for Everyone. In Groups, I added one of my OD groups, and allow it to both Browse and Author.

In my experience, that means that when trying to hit that host, everyone should be challenged with a browser dialog asking for authentication to the realm. From the way I set it up, I would then expect that any member of that OD group could then enter their user/pass and enter the realm.

Instead, in both Safari and Firefox, I get the following message from Apache:
"Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."


Even if I add myself to Users and allow myself to Browse, I still get the same error.

The access log shows a 401 (authorization failure), the error log shows nothing, and I'm seeing this in ssl_engine_log:

[10/Aug/2005 15:49:29 18259] [info] Connection to child 4 established (server munged.dom.com:443, client 192.168.1.1)
[10/Aug/2005 15:49:29 18259] [info] Seeding PRNG with 1160 bytes of entropy
[10/Aug/2005 15:49:29 18259] [info] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[10/Aug/2005 15:49:31 18258] [info] Connection to child 3 established (server munged.dom.com :443, client 192.168.1.1)
[10/Aug/2005 15:49:31 18258] [info] Seeding PRNG with 1160 bytes of entropy
[10/Aug/2005 15:49:32 18258] [info] Connection: Client IP: 192.168.1.1, Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
[10/Aug/2005 15:49:32 18258] [info] Initial (No.1) HTTPS request received for child 3 (server munged.dom.com:443)
[10/Aug/2005 15:49:32 18258] [info] Connection to child 3 closed with standard shutdown (server munged.dom.com:443, client 192.168.1.1)


If I allow everyone to browse the realm, it loads with no problem and no authentication dialog (of course).

Am I doing something wrong? Does everyone have this issue? Is it that web browsers can't authenticate against Kerberos? Any clues or duh's would be greatly appreciated. I feel like I'm missing something obvious, but what I set up seems pretty straightforward.

Thanks!