I’m not very experienced with webservers (apache2), so please forgive if this is a stupid question
I have a Icinga setup were I have enabled Kerberos for the Icinga Web 2 login, thus users are automatically logged in when accessing the monitoring web interface.
Now I (or the customer) would like to enable a non-domain user (no ActiveDirectory account) to login to Icinga Web 2.
Is this possible?
A quick search suggested adding Satisfy any to the config.
This works, but disables the “auto-login”, so everyone has to enter the login credentials by hand.
But this “only” has the same effect as the stuff in my first post. I always get the Icinga Web 2 login page.
Do I need to create the location URLs? If yes, how ?
Alias /icingaweb2 "/usr/share/icingaweb2/public"
<Directory "/usr/share/icingaweb2/public">
Options SymLinksIfOwnerMatch
AllowOverride None
Order allow,deny
Allow from All
Deny from something.de internal-subnet1 internal-subnet2
SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
EnableSendfile Off
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /icingaweb2/
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
</IfModule>
<IfModule !mod_rewrite.c>
DirectoryIndex error_norewrite.html
ErrorDocument 404 /error_norewrite.html
</IfModule>
#Kerberos Auth
AuthType Kerberos
AuthName "something Monitoring"
KrbAuthRealms something.DE
KrbServiceName HTTP/monitoring-something.de
Krb5Keytab /etc/apache2/keytabs/monitoring.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbVerifyKDC on
Require valid-user
Satisfy any
</Directory>
The significant lines were:
Order allow,deny
Allow from All
Deny from something.de internal-subnet1 internal-subnet2
KrbMethodK5Passwd Off
Require valid-user
Satisfy any
This way I get the Icinga Web 2 login page when accessing from our external support system (S2S-VPN) to the customers monitoring. When accessing from inside the customers network/domain I am logged on via SSO