
REMOTE_USER variable empty with Apache and PHP-FPM #297

@aukfood

Description


Hello,

We're circling around a problem and maybe we missed something in the setup. All our configuration with Kerberos and Active Directory works fine in the Linux system console. But when we try to use this configuration to connect an application (WordPress with an SSO module), it does not work.

In the phpinfo page we don't have a REMOTE_USER variable with the user id, so the WordPress SSO module does not work; it needs this variable to work.

Our Apache vhost is like this:

    <Directory /var/www/site/www/>
        # Require all granted
        AllowOverride All
        DirectoryIndex index.php

        # .svn & .git directories must be avoided!!
        RedirectMatch 404 /\.svn(/|$)
        RedirectMatch 404 /\.git(/|$)
        RewriteCond %{REQUEST_URI} !^/robots.txt$
        RewriteRule \.txt$ - [F]

        AuthType GSSAPI
        AuthName "GSSAPI Single Sign On Login"
        GssapiSSLonly On
        GssapiAllowedMech krb5
        BrowserMatch Windows gssapi-no-negotiate
        GssapiLocalName On
        GssapiBasicAuth Off
        GssapiImpersonate On
        GssapiNegotiateOnce On
        GssapiCredStore keytab:/etc/apache2/site.keytab
        Require valid-user
    </Directory>

    <Location /kerb/>
        AuthType GSSAPI
        AuthName "GSSAPI Single Sign On Login"
        GssapiSSLonly On
        #GssapiAllowedMech krb5
        BrowserMatch Windows gssapi-no-negotiate
        GssapiLocalName On
        GssapiBasicAuth On
        GssapiImpersonate On
        GssapiNegotiateOnce On
        GssapiCredStore keytab:/etc/apache2/intranetv2.keytab
        GssapiCredStore client_keytab:/etc/apache2/intranetv2.keytab

        RequestHeader set REMOTE_USER %{REMOTE_USER}s
        RequestHeader set AUTH_TYPE %{AUTH_TYPE}s
        RequestHeader set KRB5CCNAME %{KRB5CCNAME}s
        GssapiConnectionBound On
        Header set Persistent-Auth "true"

        Require valid-user
    </Location>

We test at https://site/kerb

krb5.conf is like this:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = VILLE.LOCAL
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

[realms]
    VILLE.LOCAL = {
        kdc = cdssrv5.ville.local
        kdc = cdssrv6.ville.local
        admin_server = cdssrv5.ville.local
    }

[domain_realm]
    .ville.local = VILLE.LOCAL
    ville.local = VILLE.LOCAL

System information

  • debian 12
  • Apache 2.4.57
  • php8.2 fpm

Thanks for your help
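A small diagnostic page, added here and not part of the issue report or of mod_auth_gssapi: placed as /kerb/whoami.php under the <Location /kerb/> block above, it reports which identity variables actually reach PHP-FPM and which one it would trust (the file name, function names and the regular expression are my own assumptions).

```php
<?php
// Added diagnostic, not part of the issue or of mod_auth_gssapi.
// Drop it as /kerb/whoami.php behind the <Location /kerb/> block and open it
// in the browser; it shows which identity variables reached PHP-FPM.

/**
 * Return the authenticated user as seen by PHP-FPM, plus where it came from.
 * $server is normally $_SERVER; it is a parameter so the logic can be checked
 * against a constructed array as well.
 */
function gssapi_remote_user(array $server, bool $trust_forwarded_header = false): ?array
{
    // Variables Apache itself populates for the FastCGI request (CGI spec);
    // REDIRECT_REMOTE_USER appears after an internal redirect.
    $candidates = ['REMOTE_USER', 'REDIRECT_REMOTE_USER'];
    // HTTP_REMOTE_USER only exists because of the "RequestHeader set REMOTE_USER"
    // line in the vhost. A client can send that header as well, so it is only
    // accepted when the caller explicitly opts in.
    if ($trust_forwarded_header) {
        $candidates[] = 'HTTP_REMOTE_USER';
    }
    foreach ($candidates as $name) {
        $value = $server[$name] ?? '';
        // With GssapiLocalName On the value is a local login; an empty string
        // counts as "not set" and anything odd-looking is ignored.
        if ($value !== '' && preg_match('/^[A-Za-z0-9._@\-]{1,256}$/', $value)) {
            return ['user' => $value, 'source' => $name];
        }
    }
    return null;
}

/** Snapshot of every auth-related variable, for the diagnostic output. */
function gssapi_auth_snapshot(array $server): array
{
    $keys = ['AUTH_TYPE', 'REMOTE_USER', 'REDIRECT_REMOTE_USER',
             'HTTP_REMOTE_USER', 'KRB5CCNAME', 'HTTP_KRB5CCNAME'];
    $out = [];
    foreach ($keys as $k) {
        $out[$k] = $server[$k] ?? '(not set)';
    }
    return $out;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
    $who = gssapi_remote_user($_SERVER);
    echo $who ? "Authenticated as {$who['user']} via {$who['source']}\n"
              : "No authenticated user reached PHP-FPM\n";
    foreach (gssapi_auth_snapshot($_SERVER) as $k => $v) {
        echo str_pad($k, 22) . $v . "\n";
    }
}
```

If only HTTP_REMOTE_USER shows a value, Apache authenticated the request but the FastCGI parameter was not passed, which points at how the PHP handler is wired rather than at the GSSAPI module.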
