Apache mod_auth_kerb and LDAP user groups

Solution 1:

It is now possible in mod_auth_kerb 5.4 to strip the realm from REMOTE_USER with the following config directive:

KrbLocalUserMapping On

Solution 2:

It's the whole point of the authn/authz separation in 2.2 that you can authenticate with one mechanism, and authorize with another. Authentication provides you with a setting of REMOTE_USER, which you then can use authz_ldap against. In addition, authn_ldap searches then for a user (converting the REMOTE_USER to a DN if found, using search criteria you have to specify - e.g. searching for CN). Then, when a DN has been found, you can specify requirements on the LDAP object. E.g. if all users accessing a resource must be in the same OU, you specify

require ldap-dn ou=Managers, o=The Company

Solution 3:

Debian stable now ships with version 5.4 of mod_auth_kerb.

If you're stuck with an older version, this page explains how mod_map_user can be used in combination with mod_auth_kerb and mod_authnz_ldap.