I use Apache as a reverse proxy to check the authorization of incoming requests. Until now only Kerberos was provided as authentication method for "/" and client certificates for "/api". See code below.
Now I need to have both methods (either, or) available for "/".
In words: A user/machine may access "/" if he:
- either has a matching certificate (machine user)
- or has a matching Kerberos ticket and is member of a LDAP group (human user)
This appears to be a very special case and I can't find sufficient documentation which I am able to understand.
Any ideas how to achieve this?
Kerberos
Define tpl-host localhost:8042
ProxyPass / http://${tpl-host}/
ProxyPassReverse / http://${tpl-host}/
<Location />
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
Header set X-Remote-User expr=%{REMOTE_USER}
Header setifempty Access-Control-Allow-Origin *
RequestHeader set X-PROXY-URL expr=%{HTTP_HOST}/
# remove Authorization due to its immense length
RequestHeader set Authorization expr=
# kerberos authentication
AuthType GSSAPI
AuthName "GSSAPI SSO Login"
GssapiLocalName on
GssapiAllowedMech krb5
GssapiCredStore keytab:/usr/local/apache2/host.keytab
# LDAP
AuthzSendForbiddenOnFailure On
AuthLDAPURL ...
AuthLDAPRemoteUserAttribute samaccountname
AuthLDAPBindDN ...
AuthLDAPSubGroupClass group
AuthLDAPBindPassword ...
# Group member
require ldap-group CN=...
</Location>
Client certificates
<Location /api>
SSLEngine on
SSLCertificateFile "/certs/server-localhost.pem"
SSLCertificateKeyFile "/certs/server-localhost-key.pem"
SSLCertificateChainFile "/certs/cert-bundle.crt"
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /certs/cert-bundle.crt
SSLUserName SSL_CLIENT_S_DN_CN
</Location>
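As an added example that is not part of the original post, the either/or rule can be expressed by making the client certificate optional at the virtual-host level and combining both conditions in a single `<RequireAny>` block. It assumes Apache 2.4 with mod_ssl, mod_auth_gssapi, mod_authnz_ldap and mod_authz_core, relies on 2.4's behaviour that a `Require` needing no user is evaluated before authentication is demanded, and keeps the poster's `...` placeholders for the LDAP and group values.

```apache
# Added example, not the poster's configuration. Certificate directives
# belong in the virtual host, not in <Location>; "optional" lets clients
# without a certificate continue to Kerberos instead of failing the handshake.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      "/certs/server-localhost.pem"
    SSLCertificateKeyFile   "/certs/server-localhost-key.pem"
    SSLCertificateChainFile "/certs/cert-bundle.crt"
    SSLCACertificateFile    "/certs/cert-bundle.crt"
    SSLVerifyClient optional
    SSLVerifyDepth  2

    Define tpl-host localhost:8042
    ProxyPass        / http://${tpl-host}/
    ProxyPassReverse / http://${tpl-host}/

    <Location />
        # Kerberos: only demanded when no rule below grants access without a user
        AuthType GSSAPI
        AuthName "GSSAPI SSO Login"
        GssapiLocalName on
        GssapiAllowedMech krb5
        GssapiCredStore keytab:/usr/local/apache2/host.keytab

        # LDAP group lookup for the Kerberos-authenticated principal
        AuthLDAPURL ...
        AuthLDAPBindDN ...
        AuthLDAPBindPassword ...
        AuthLDAPRemoteUserAttribute samaccountname
        AuthLDAPSubGroupClass group
        AuthzSendForbiddenOnFailure On

        # Either a certificate chaining to the CA bundle above (machine user),
        # or a Kerberos ticket plus LDAP group membership (human user).
        <RequireAny>
            Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
            Require ldap-group CN=...
        </RequireAny>

        # Forward whichever identity was established; a certificate-only request
        # never runs the authn hook, so REMOTE_USER is empty and the CN is used.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
        RequestHeader set X-Remote-User "expr=%{SSL_CLIENT_S_DN_CN}" "expr=%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
        RequestHeader set X-PROXY-URL "expr=%{HTTP_HOST}/"
        RequestHeader unset Authorization
    </Location>
</VirtualHost>
```

Verify the split with `curl --cert` against `/` (no 401 expected) and, separately, with a Kerberos ticket but no certificate, checking that a principal outside the LDAP group receives 403 rather than 401 because of `AuthzSendForbiddenOnFailure`.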