Kerberos

Authentication Users Password

Presentation

Kerberos is a network authentication protocol used to authenticate users based on their desktop session.

LL::NG uses the GSSAPI module to validate the Kerberos ticket against a local keytab.

LLNG Configuration

In the Manager, go to General Parameters > Authentication modules and choose Kerberos for authentication. Then go to “Kerberos parameters” and configure the following parameters:

  • Due to a Perl GSSAPI issue, you may need to copy the keytab to /etc/krb5.keytab, which is the default location hardcoded in the library
  • As the Kerberos ticket is passed inside the Authorization header, you may need to set CGIPassAuth on in Apache (with old Apache versions, use RewriteCond %{HTTP:Authorization} followed by RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}])
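
A diagnostic for the Authorization header described above, added here as an example (it is not LL::NG code): it classifies the header value the portal receives, which separates a header stripped by the web server from a client that sent an NTLM token instead of a Kerberos/SPNEGO one. The function and sample names are hypothetical, and the NTLM case goes beyond what this page describes.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"

# Constructed sample header values (token prefixes only, not captured traffic)
SAMPLES = {
    "spnego": "Negotiate " + base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode(),
    "ntlm": "Negotiate " + base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00").decode(),
}


def skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    if first < 0x80:                 # short form: a single length byte
        return pos + 1
    return pos + 1 + (first & 0x7F)  # long form: 0x8N followed by N length bytes


def classify_authorization(header_value):
    """Classify the Authorization header value as seen by the portal.

    Returns "missing", "not-negotiate", "malformed", "ntlm", "spnego",
    "kerberos" or "unknown".
    """
    if not header_value:
        return "missing"             # header never reached the application
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if not token:
        return "malformed"           # "Negotiate" with no token attached
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"                # NTLM fallback: no Kerberos ticket inside
    if len(token) < 4 or token[0] != 0x60:  # GSS-API initial token tag
        return "unknown"
    oid_at = skip_der_length(token, 1)
    if token.startswith(SPNEGO_OID, oid_at):
        return "spnego"
    if token.startswith(KRB5_OID, oid_at):
        return "kerberos"
    return "unknown"
```

A result of "missing" while the browser does send the header points at the web server not forwarding it, which is the case CGIPassAuth addresses.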

Kerberos configuration

Kerberos configuration is quite complex. Some configuration elements can be found on this page.

Web Server Kerberos module

If you want to let the web server's Kerberos module validate the Kerberos ticket, set the corresponding option to “enabled” and configure the portal virtual host to launch the module if the “kerberos” GET parameter is in the request.

Example with Apache and mod_auth_kerb:

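  # Only run mod_auth_kerb when the request carries the "kerberos" GET parameter
  <If "%{QUERY_STRING} =~ /kerberos=/">
    <IfModule auth_kerb_module>
      AuthType Kerberos
      # Accept Negotiate (ticket) authentication only, no password fallback
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      Krb5KeyTab /etc/lemonldap-ng/auth.keytab
      KrbVerifyKDC On
      # Accept any service principal found in the keytab
      KrbServiceName Any
      require valid-user
    </IfModule>
  </If>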