Solved

Apache doesn't return REMOTE_USER variable

Posted on 2009-05-15
15
2,341 Views
Last Modified: 2013-12-13
Ubuntu Linux 8.04 Apache 2.2 mod_auth_kerb php5 (non-cgi)

Apache's httpd.conf:

<Files ~ "^/WordPress/wp-admin/">
AuthType Kerberos
Require valid-user
</Files>

(SUCCESS) UnitTest1: kinit, klist both tested successfully as myUserName.
(SUCCESS)  UnitTest2: Can access the files only when logged into Windows Vista as a Domain User.
(FAILURE)  UnitTest3: phpinfo() function does not show an Apache REMOTE_USER variable.

Please share your knowledge of where my configuration is missing.
0
Comment
Question by:whittet
  • 4
  • 3
  • 2
  • +1
15 Comments
 
LVL 27

Expert Comment

by:caterham_www
ID: 24413802
> <Files ~ "^/WordPress/wp-admin/">
AuthType Kerberos
Require valid-user
</Files>

Files is to match against filenames, use DirectoryMatch to match against a directory.
<DirectoryMatch "^/var/www/WordPress/wp-admin">

AuthType Kerberos

Require valid-user

</DirectoryMatch>

Open in new window

0
 
LVL 1

Author Comment

by:whittet
ID: 24413963
As I tried to say above.  The permissions piece works, but the REMOTE_USER has no value in phpinfo().
Here is my syntax.

<Directory /wordpress>
  <IfModule mod_auth_kerb>
    AuthType Kerberos
    AuthName "MYDOMAIN Login"
    KrbAuthRealms MYDOMAIN.LOCAL
    KrbServiceName HTTP
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbSaveCredentials on
    KrbAuthoritative on
  </IfModule>

  <Files ~ "^(wp-admin/|(wp-login|wp-register)\.php)">
    Order allow,deny
    Allow from all

    Require valid-user
  </Files>
</Directory>

0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24414486
Hi whittet,

Please try the following two variables:

echo $_SERVER['PHP_AUTH_USER'] . '<br />';
echo $_SERVER['PHP_AUTH_PW'] . '<br />';

0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24414507
Or try the full snippet below...


<?php

if (!isset($_SERVER['PHP_AUTH_USER'])) {

    header('WWW-Authenticate: Basic realm="TEST"');

    header('HTTP/1.0 401 Unauthorized');

    echo 'Text to send if user hits Cancel button';

    exit;

} else {

    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";

    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";

}

?>

Open in new window

0
 
LVL 1

Author Comment

by:whittet
ID: 24414670
julianmatz - Those values are not set.

I tried all the suggestions from this http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_23840099.html, but was under the impression that mod_auth_kerb was an alternative to mod_ntlm or winbind.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 50

Expert Comment

by:Steve Bink
ID: 24416489
Are you running safe mode?
0
 
LVL 1

Author Comment

by:whittet
ID: 24418137
No safe mode.
0
 
LVL 50

Accepted Solution

by:
Steve Bink earned 500 total points
ID: 24424999
According to the PHP docs, those values are only available under basic and digest authentication types.  There are other things to check (such as the cgi.rfc2616_headers configuration item), but I think kerberos counts as external authentication.

http://www.php.net/manual/en/features.http-auth.php
0
 
LVL 50

Expert Comment

by:Steve Bink
ID: 25986888
I provided an answer to the question of why the values are not populated.  Granted, the user never came back to confirm they could be matched in a different location, but the original question was about "why".
0
 
LVL 50

Expert Comment

by:Steve Bink
ID: 26005395
I believe my comment at #24424999 answered the original question.  Further input from the OP could have taken this a little further, but the solution was provided.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now