FYI deb11 users with apache2 + sso

Hey there,

for anyone running bullseye who needed to backport the libapache2-mod-auth-kerb package from sid:
I moved to libapache2-mod-auth-gssapi with (currently) no problems.

Since it doesn’t seem like they’re still putting a lot of work into that package (libapache-mod-auth-kerb - Debian Package Tracker) this could be a “more secure” sso approach for now.

The process is pretty simple and can be done in even under 1 minute. You can try it on your own if you’d like to but keep in mind that this is probably in no way supported by zammad itself (and most of all not by me :slight_smile: ). If stuff goes downtown - you’re on your own.

Danger Zone
The following will only work if you're already running SSO via mod-auth-kerb
As already said: I'm sharing this As-Is. I simply can't provide any troubleshooting if needed
  1. Install the GSSAPI package: apt install libapache2-mod-auth-gssapi

  2. Edit the <LocationMatch "/auth/sso"> part in your apache2 conf to look like this:

<LocationMatch "/auth/sso">
  AuthType GSSAPI
  AuthName "Your Zammad"
  GssapiBasicAuth On
  GssapiCredStore keytab:/etc/zammad.keytab # wherever it is located on your end
  GssapiLocalName On
  require valid-user
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1,NS]
  RequestHeader set X-Forwarded-User "%{RU}e" env=RU
  1. Restart the apache2 service: systemctl restart apache2.service

Now you should be done. You’re free to remove the old libapache2-mod-auth-kerb package now.


1 Like

Yes, that’s the best route. I threw quite some time onto this topic and can confirm. Either you have to backport the deprecated package or use gssapi instead.

1 Like

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.