Added mod_auth_kerb module to apache.

2009-11-26 10:22:34 +02:00 · 2009-11-26 10:22:34 +02:00 · 0d5d809519
commit 0d5d809519
parent e75a38070a
2 changed files with 72 additions and 0 deletions
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@ -311,6 +311,47 @@ define apache::sslsite($root="none", $config="none",
 }


+# Install mod_auth_kerb.
+#
+class apache::mod::auth_kerb {
+
+    package { "mod_auth_kerb":
+        ensure  => installed,
+        require => Package["httpd"],
+    }
+
+    file { "/etc/httpd/conf.d/auth_kerb.conf":
+        ensure  => present,
+        content => template("apache/auth_kerb.conf.erb"),
+        mode    => 0644,
+        owner   => root,
+        group   => root,
+        require => Package["mod_auth_kerb"],
+    }
+
+    if defined(Service["httpd"]) {
+        file { "/etc/httpd/conf.http.d/auth_kerb.conf":
+            ensure    => link,
+            target    => "/etc/httpd/conf.d/auth_kerb.conf",
+            require   => Package["mod_auth_kerb"],
+            notify    => Service["httpd"],
+            subscribe => File["/etc/httpd/conf.d/auth_kerb.conf"],
+        }
+    }
+
+    if defined(Service["httpsd"]) {
+        file { "/etc/httpd/conf.https.d/auth_kerb.conf":
+            ensure    => link,
+            target    => "/etc/httpd/conf.d/auth_kerb.conf",
+            require   => Package["mod_auth_kerb"],
+            notify    => Service["httpsd"],
+            subscribe => File["/etc/httpd/conf.d/auth_kerb.conf"],
+        }
+    }
+
+}
+
+
 # Install mod_perl.
 #
 class apache::mod::perl {
--- a/apache/templates/auth_kerb.conf.erb
+++ b/apache/templates/auth_kerb.conf.erb
@ -0,0 +1,31 @@
+#
+# The mod_auth_kerb module implements Kerberos authentication over
+# HTTP, following the "Negotiate" protocol.
+# 
+
+LoadModule auth_kerb_module modules/mod_auth_kerb.so
+
+#
+# Sample configuration: Kerberos authentication must only be
+# used over SSL to prevent replay attacks.  The keytab file
+# configured must be readable only by the "apache" user, and
+# must contain service keys for "HTTP/www.example.com", where
+# "www.example.com" is the FQDN of this server.
+#
+
+KrbAuthRealms <%= kerberos_realm %>
+Krb5KeyTab /etc/httpd/conf/httpsd.keytab
+KrbMethodNegotiate On
+KrbAuthoritative On
+KrbMethodK5Passwd Off
+
+#<Location /private>
+#  SSLRequireSSL
+#  AuthType Kerberos
+#  AuthName "Kerberos Login"
+#  KrbMethodNegotiate On
+#  KrbMethodK5Passwd Off
+#  KrbAuthRealms EXAMPLE.COM
+#  Krb5KeyTab /etc/httpd/conf/keytab
+#  require valid-user
+#</Location>