EIM and kerberos authentication in http

  • EIM and kerberos authentication in http

    I need to know the username of remote users who access the webserver via browser.

    I configured EIM on MYAS400 and the entries listed below are in the keytab:

    krbsvr400/MYAS400@SOCIETA.IT
    HTTP/MYAS400@SOCIETA.IT
    HOST/MYAS400@SOCIETA.IT
    cifs/MYAS400@SOCIETA.IT
    krbsvr400/MYAS400.societa.it@SOCIETA.IT
    HTTP/MYAS400.SOCIETA.IT@SOCIETA.IT
    HOST/MYAS400.societa.it@SOCIETA.IT
    cifs/MYAS400.societa.it@SOCIETA.IT


    I have configured a webserver in /QOpenSys
    /QOpenSys/test
    and in /QOpenSys/test/appl/bin I put a script testcgi.sh to run


    Script testcgi.sh:

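    #!/QOpenSys/usr/bin/sh
    # CGI header, then a blank line before the body
    echo "Content-type: text/plain\n\n<HTML>\n"
    echo "---- test environment variable REMOTE_USER ----"
    # Quoted so the shell does not treat [...] as a filename pattern
    echo "REMOTE_USER=[$REMOTE_USER]\n"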


    I entered in httpd.conf the entries for kerberos authentication

    <Directory /QOpenSys/test/appl/bin>
    order allow,deny
    allow from all
    AuthType Kerberos
    PasswdFile %%KERBEROS%%
    UserID %%CLIENT%%
    Require valid-user
    </Directory>
    ScriptAlias /testcgi/ /QOpenSys/test/appl/bin/


    when I run the script http://MYAS400/testcgi/testcgi.sh
    I get the error
    You don't have permission to access this resource

    Removing the entries for Kerberos authentication, the script works correctly but the REMOTE_USER variable is not set.


    Can anyone help me?
    Thanks

  • #2
    Maybe your EIM config is not complete (identifier + association, user home directories, etc.).
    But you could try in http config:

    AuthType KerberosOrBasic
    PasswdFile %%SYSTEM%%

    Then it should ask for login...

    In my HTTP config, there are access logs where I can see who's using it.

    • #3
      I tried,
      if I use the directives

      AuthType KerberosOrBasic
      PasswdFile %%SYSTEM%%

      it asks for login... but the user I have to enter is the iSeries user.
      I have to recover the remote user connected (in my case the Windows user who connects to the webserver).

      • #4
        Ok,
        for me it seems that your EIM Identifiers, associations and user home directories are not properly configured.
        In my config with AuthType KerberosOrBasic, it uses Kerberos (EIM) and if that's not found it asks for the iSeries user/pwd.
        And also directory authorities have to be ok.

        • #5
          It appears the REMOTE_USER environment variable isn't set when Apache uses EIM.
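
An added diagnostic CGI, not part of any post in this thread: it extends the testcgi.sh idea from the first post to report AUTH_TYPE next to REMOTE_USER (both standard CGI variables), so an unprotected directory can be told apart from the case described in #5, where authentication runs but REMOTE_USER stays empty. The function names and verdict strings are made up for this example, and whether the HTTP server sets AUTH_TYPE under Kerberos/EIM is an assumption to verify on the system.

```shell
#!/bin/sh
# Added example. On IBM i PASE use the interpreter path from the original
# post (/QOpenSys/usr/bin/sh) instead of /bin/sh.

# Strip non-printable characters before echoing a server-supplied value,
# so control characters cannot alter the response that is sent back.
sanitize() {
    printf '%s' "$1" | tr -cd '[:print:]'
}

# classify_auth AUTH_TYPE REMOTE_USER
# Prints one verdict string (names are hypothetical, chosen for this example):
#   unprotected            no authentication was applied to this URL
#   authenticated-no-user  an auth scheme ran but no user was exported
#   kerberos-principal     user looks like name@REALM
#   mapped-or-local-user   plain user name (e.g. a mapped or local profile)
classify_auth() {
    auth_type=$1
    remote_user=$2
    if [ -z "$auth_type" ] && [ -z "$remote_user" ]; then
        echo "unprotected"
    elif [ -z "$remote_user" ]; then
        echo "authenticated-no-user"
    else
        case $remote_user in
            *@*) echo "kerberos-principal" ;;
            *)   echo "mapped-or-local-user" ;;
        esac
    fi
}

# Full CGI response: header, blank line, then the plain-text report.
report() {
    printf 'Content-type: text/plain\r\n\r\n'
    printf 'AUTH_TYPE=[%s]\n' "$(sanitize "${AUTH_TYPE:-}")"
    printf 'REMOTE_USER=[%s]\n' "$(sanitize "${REMOTE_USER:-}")"
    printf 'verdict=%s\n' "$(classify_auth "${AUTH_TYPE:-}" "${REMOTE_USER:-}")"
}

# GATEWAY_INTERFACE is set by the web server for CGI requests, so the
# report is only emitted when the script is really running as a CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    report
fi
```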
