diff --git a/apache_diary.conf b/apache_diary.conf
index a438da7..c049fa3 100644
--- a/apache_diary.conf
+++ b/apache_diary.conf
@@ -3,6 +3,38 @@
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+
+ # Allows the request only if both requirements are met (auth AND access)
+ Satisfy All
+
+ # GSSAPI authentication module configuration
+ AuthType GSSAPI
+ AuthName "Private access"
+ GssapiCredStore keytab:/etc/apache2/web.keytab
+ # Connection MUST be established over TLS
+ GssapiSSLonly Off
+ # Kerberos5 is the only allowed mechanism
+ GssapiAllowedMech krb5
+ # Allow to use basic authentication with Kerberos5 mechanism
+ GssapiBasicAuth On
+ GssapiBasicAuthMech krb5
+ # Enable negotiate once since it is intended for password-only auth
+ GssapiNegotiateOnce On
+ # Suppress negotiation for 'reviewboard' and 'safari'
+ BrowserMatch reviewboard safari gssapi-no-negotiate
+ # ???
+ GssapiLocalName On
+
+ Options FollowSymLinks
+ AllowOverride None
+
+ AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid,mail,cn,o?sub?"
+
+ Require ldap-filter uid=*
+ Require valid-user
+
+
+
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
AllowOverride None
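Review bot: `GssapiSSLonly Off` contradicts the comment directly above it ("Connection MUST be established over TLS"), and with `GssapiBasicAuth On` in the same block it lets passwords travel in a Basic header over plain HTTP; it should read `GssapiSSLonly On`. `AuthLDAPURL` likewise uses `ldap://` with no STARTTLS mode, so the authorization lookups are unencrypted as written. No `<RequireAll>` is visible around `Require ldap-filter uid=*` and `Require valid-user` (the hunk as shown may have lost its container lines), and on Apache 2.4 sibling `Require` lines are ORed, which `Satisfy All` does not change, so `valid-user` alone would admit any authenticated principal. `BrowserMatch reviewboard safari gssapi-no-negotiate` treats only `reviewboard` as the pattern and sets `safari` as an environment variable; a pattern such as `"reviewboard|Safari"` would match what the comment describes. The `# ???` above `GssapiLocalName On` should become a comment saying it maps the Kerberos principal to a local user name, which is presumably what the `uid` lookup relies on.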
@@ -18,6 +50,11 @@ Alias /main/diary/favicon.css /var/www/cgi-bin/diary/favicon.css
Alias /main/diary/diary_next.png /var/www/cgi-bin/diary/diary_next.png
Alias /main/diary/diary_prev.png /var/www/cgi-bin/diary/diary_prev.png
Alias /public/logo-small.gif /var/www/cgi-bin/diary/logo-small.gif
-
- Require ldap-filter o=People
+
+
+ Require ldap-filter uid=*
+
+
+ Require ldap-filter o=*
+
\ No newline at end of file
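Review bot: The replacement filters `uid=*` and `o=*` are presence tests, so where the old `Require ldap-filter o=People` restricted access to one organisation value, the new lines admit any directory entry that merely carries the attribute. If the broadening is intended, a comment above each line saying who is meant to reach that location would make it reviewable; if not, keep a value match such as `Require ldap-filter o=People`. The enclosing containers are not visible in the hunk as shown, so which paths each line guards should be confirmed against the file.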