@rechner
Created December 18, 2019 02:22

Flavoured for a Debian 10 IPA-joined web server, and based on these pages from the FreeIPA wiki:

Install pre-requisites

# Install pre-requisites
sudo apt install libapache2-mod-authnz-pam libapache2-mod-auth-kerb libapache2-mod-auth-gssapi

# libapache2-mod-nss isn't packaged for Buster for some reason, but oldstable package works fine:
wget http://ftp.us.debian.org/debian/pool/main/liba/libapache2-mod-nss/libapache2-mod-nss_1.0.14-1+b1_amd64.deb && \
sudo dpkg -i libapache2-mod-nss_1.0.14-1+b1_amd64.deb

By default, the package creates a new-format (cert9.db + key4.db, SQLite) NSS database, which mod_nss does not appear to support. Create an old Berkeley DB-based (cert8.db + key3.db) database instead:

# Create the legacy database in the directory the Debian nss.conf points at by default
# (/etc/apache2/nssdb); the dbm: prefix forces the old cert8/key3 format.
sudo certutil -N -d dbm:/etc/apache2/nssdb
# It will prompt for a password to protect the database, which can be blank.

# Set permissions so that only root and the web server group can read the key database:
sudo chmod 640 /etc/apache2/nssdb/key3.db /etc/apache2/nssdb/cert8.db /etc/apache2/nssdb/secmod.db
sudo chgrp www-data /etc/apache2/nssdb/cert8.db /etc/apache2/nssdb/key3.db /etc/apache2/nssdb/secmod.db

# Activate NSS apache module and restart apache
sudo a2enmod nss
sudo systemctl restart apache2

If Apache fails to start, revert the module change and check your logs: sudo a2dismod nss && sudo systemctl restart apache2
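
The two things that make mod_nss fall over after the steps above are a database in the wrong format and key files the www-data group cannot read (or that everyone can). The following check is an added example, not part of the gist; it takes the database directory and the web server group as arguments (assumed defaults /etc/apache2/nssdb and www-data) and exits non-zero with a reason if either condition is wrong.

```sh
#!/bin/sh
# Sanity check for a mod_nss certificate database directory (added example).
# Usage: check_mod_nss_db /etc/apache2/nssdb www-data

check_mod_nss_db() {
    db="$1"
    grp="${2:-www-data}"   # assumed: the Apache run group on Debian
    rc=0

    # mod_nss needs the legacy Berkeley DB layout: cert8.db, key3.db, secmod.db.
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$db/$f" ]; then
            echo "missing $db/$f (legacy dbm database not created?)" >&2
            rc=1
        fi
    done

    # Only cert9.db/key4.db present means certutil ran without the dbm: prefix,
    # so mod_nss will not find the certificates at all.
    if [ -f "$db/cert9.db" ] && [ ! -f "$db/cert8.db" ]; then
        echo "$db holds only a new-format (cert9/key4) database" >&2
        rc=1
    fi

    # Ownership and mode: files must belong to the web server group and must
    # not be readable or writable by others (the private key lives in key3.db).
    for f in cert8.db key3.db secmod.db; do
        p="$db/$f"
        [ -f "$p" ] || continue
        if [ -z "$(find "$p" -group "$grp" 2>/dev/null)" ]; then
            echo "$p is not owned by group $grp" >&2
            rc=1
        fi
        if [ -n "$(find "$p" -perm -o+r 2>/dev/null)" ] || \
           [ -n "$(find "$p" -perm -o+w 2>/dev/null)" ]; then
            echo "$p is readable or writable by others" >&2
            rc=1
        fi
    done
    return $rc
}

# Run the check when a directory is given on the command line.
if [ -n "${1:-}" ]; then
    check_mod_nss_db "$1" "${2:-www-data}"
fi
```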

(N.B.: mod_nss probably isn't actually required here - certmonger can always generate bare certificate files with the -k option, for instance, and mod_ssl should be able to do the rest - but it's what FreeIPA on a RHEL client would do so I'm sticking with that for now)

Create HBAC service and rules

FreeIPA ships with an allow_all HBAC rule enabled by default, so it is OK to skip this step for testing.

# TODO
# See also:
ipa help hbacsvc
ipa help hbacrule
ipa help hbactest