From 0d5d8095194d62771f28c6044a1c3267f2b86e24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Thu, 26 Nov 2009 10:22:34 +0200
Subject: [PATCH] Added mod_auth_kerb module to apache.
---
 apache/manifests/init.pp | 41 +++++++++++++++++++++++++++++
 apache/templates/auth_kerb.conf.erb | 31 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 apache/templates/auth_kerb.conf.erb
diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index 28877c8..c1749e0 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -311,6 +311,47 @@ define apache::sslsite($root="none", $config="none",
 }
+# Install mod_auth_kerb.
+#
+class apache::mod::auth_kerb {
+
+ package { "mod_auth_kerb":
+ ensure => installed,
+ require => Package["httpd"],
+ }
+
+ file { "/etc/httpd/conf.d/auth_kerb.conf":
+ ensure => present,
+ content => template("apache/auth_kerb.conf.erb"),
+ mode => 0644,
+ owner => root,
+ group => root,
+ require => Package["mod_auth_kerb"],
+ }
+
+ if defined(Service["httpd"]) {
+ file { "/etc/httpd/conf.http.d/auth_kerb.conf":
+ ensure => link,
+ target => "/etc/httpd/conf.d/auth_kerb.conf",
+ require => Package["mod_auth_kerb"],
+ notify => Service["httpd"],
+ subscribe => File["/etc/httpd/conf.d/auth_kerb.conf"],
+ }
+ }
+
+ if defined(Service["httpsd"]) {
+ file { "/etc/httpd/conf.https.d/auth_kerb.conf":
+ ensure => link,
+ target => "/etc/httpd/conf.d/auth_kerb.conf",
+ require => Package["mod_auth_kerb"],
+ notify => Service["httpsd"],
+ subscribe => File["/etc/httpd/conf.d/auth_kerb.conf"],
+ }
+ }
+
+}
+ + # Install mod_perl. + # + class apache::mod::perl {
diff --git a/apache/templates/auth_kerb.conf.erb b/apache/templates/auth_kerb.conf.erb
new file mode 100644
index 0000000..3bfa0fb
--- /dev/null
+++ b/apache/templates/auth_kerb.conf.erb
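Review bot: The class manages `/etc/httpd/conf.d/auth_kerb.conf` but nothing manages the keytab the rendered config points at (`/etc/httpd/conf/httpsd.keytab`), even though the template's own comment says it must be readable only by the httpd user, so a keytab dropped in place out of band with a permissive mode would be readable by other local accounts. If the keytab is provisioned separately, a resource such as `file { "/etc/httpd/conf/httpsd.keytab": owner => apache, group => apache, mode => 0600 }` (content/source supplied elsewhere) would enforce the documented constraint, or failing that a comment above the `file` block stating that the keytab is provisioned and protected outside this class. The realm comes from a top-scope `$kerberos_realm` that the template reads and nothing in this class declares or validates; if the Puppet version in use supports it, a `fail()` guard when the variable is unset would stop an empty `KrbAuthRealms` line from being written. The two `if defined(Service[...])` checks depend on parse order, so when this class is evaluated before the corresponding service is declared the conf.http.d/conf.https.d symlinks are silently skipped and the module is never loaded into that instance; that is worth stating in the header comment or ordering the include accordingly.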
@@ -0,0 +1,31 @@
+#
+# The mod_auth_kerb module implements Kerberos authentication over
+# HTTP, following the "Negotiate" protocol.
+#
+
+LoadModule auth_kerb_module modules/mod_auth_kerb.so
+
+#
+# Sample configuration: Kerberos authentication must only be
+# used over SSL to prevent replay attacks. The keytab file
+# configured must be readable only by the "apache" user, and
+# must contain service keys for "HTTP/www.example.com", where
+# "www.example.com" is the FQDN of this server.
+#
+
+KrbAuthRealms <%= kerberos_realm %>
+Krb5KeyTab /etc/httpd/conf/httpsd.keytab
+KrbMethodNegotiate On
+KrbAuthoritative On
+KrbMethodK5Passwd Off
+
+#
+# SSLRequireSSL
+# AuthType Kerberos
+# AuthName "Kerberos Login"
+# KrbMethodNegotiate On
+# KrbMethodK5Passwd Off
+# KrbAuthRealms EXAMPLE.COM
+# Krb5KeyTab /etc/httpd/conf/keytab
+# require valid-user
+#
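Review bot: `KrbAuthRealms <%= kerberos_realm %>` has no guard, so when the variable is unset the rendered file carries a `KrbAuthRealms` line with no argument (or the template fails to render, depending on the Puppet version), and the header comment does not say where the value is expected to come from. A note such as `# kerberos_realm is supplied by the manifest; an empty KrbAuthRealms is expected to be rejected by httpd at start-up` above the directive, or a render-time check in the template, would make the dependency explicit. The commented sample names `/etc/httpd/conf/keytab` while the live directive uses `/etc/httpd/conf/httpsd.keytab`; aligning the sample with the real path avoids operators copying the wrong one. `SSLRequireSSL` appears only in the commented sample, so the "must only be used over SSL" requirement stated in the header is documentation rather than something this file enforces; it is worth stating that each protected location must add it, since nothing here prevents Negotiate over plain HTTP.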