lemonldap-ng/doc/pages/documentation/1.4/authapache.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="apache" id="apache">Apache</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1"> </td><td class="col2"> </td>
</tr>
</table>
</div>
<!-- SECTION "Apache" [1-73] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> can delegate authentication to Apache, so it is possible to use any <a href="http://httpd.apache.org/docs/current/howto/auth.html" class="urlextern" title="http://httpd.apache.org/docs/current/howto/auth.html" rel="nofollow">Apache authentication module</a>, for example:
</p>
<ul>
<li class="level1"><div class="li"> <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/" rel="nofollow">Kerberos</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" class="urlextern" title="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" rel="nofollow">NTLM</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://freeradius.org/mod_auth_radius/" class="urlextern" title="http://freeradius.org/mod_auth_radius/" rel="nofollow">Radius</a></div>
</li>
</ul>
<div class="notetip">The Apache authentication module sets the <code>REMOTE_USER</code> environment variable, which <acronym title="LemonLDAP::NG">LL::NG</acronym> reads to identify the authenticated user.
</div>
<div class="noteclassic">This documentation focuses on the Kerberos authentication module, which can for example provide transparent authentication for Active Directory users (Active Directory is a Kerberos server).
</div>
<p>
The following sample parameters will be used:
</p>
<ul>
<li class="level1"><div class="li"> <strong>EXAMPLE.COM</strong>: Kerberos realm</div>
</li>
<li class="level1"><div class="li"> <strong><acronym title="Hyper Text Transfer Protocol">HTTP</acronym></strong>: Service name</div>
</li>
<li class="level1"><div class="li"> <strong>auth.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> of the portal</div>
</li>
<li class="level1"><div class="li"> <strong>ad.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> of Active Directory</div>
</li>
<li class="level1"><div class="li"> <strong>cn=ssokerberos,cn=users,dc=example,dc=com</strong>: <acronym title="Distinguished Name">DN</acronym> of the AD technical account</div>
</li>
<li class="level1"><div class="li"> <strong>complicatedpassword</strong>: Password of the AD technical account</div>
</li>
</ul>
</div>
<!-- SECTION "Presentation" [74-1180] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
</div>
<!-- SECTION "Configuration" [1181-1207] -->
<h3><a name="apache_kerberos_module" id="apache_kerberos_module">Apache Kerberos module</a></h3>
<div class="level3">
<p>
The module can be found <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/" rel="nofollow">here</a>.
</p>
<p>
On CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_auth_kerb</pre>
<p>
On Debian/Ubuntu:
</p>
<pre class="code shell">apt-get install libapache2-mod-auth-kerb</pre>
<p>
The module must be loaded by Apache (<code>LoadModule</code> directive).
</p>
</div>
<!-- SECTION "Apache Kerberos module" [1208-1518] -->
<h3><a name="kerberos_client_for_linux" id="kerberos_client_for_linux">Kerberos client for Linux</a></h3>
<div class="level3">
<p>
Edit <code>/etc/krb5.conf</code>:
</p>
<pre class="file">
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
</pre>
</div>
<!-- SECTION "Kerberos client for Linux" [1519-1796] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_1" id="connection_between_linux_and_active_directory_-_method_1">Connection between Linux and Active Directory - method 1</a></h3>
<div class="level3">
<div class="notetip">This method requires running a command on the Active Directory server and then transferring the resulting keytab to the Linux server.
</div>
<p>
You have to run this command on Active Directory:
</p>
<pre class="code">
ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab
</pre>
<p>
The file <code>auth.keytab</code> should then be copied (using a secure medium) to the Linux server (for example into <code>/etc/lemonldap-ng</code>).
</p>
<p>
Then, on the Linux server, verify the service principal and the keytab:
</p>
<pre class="code shell"># obtain a ticket for the service principal (prompts for the password given to ktpass)
kinit HTTP/auth.example.com
# check the key version number (kvno) the KDC currently holds for the principal
kvno HTTP/auth.example.com@EXAMPLE.COM
# list the tickets obtained, with their encryption types
klist -e
# authenticate with the keytab instead of a password: this must succeed without prompting
kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com</pre>
</div>
<!-- SECTION "Connection between Linux and Active Directory - method 1" [1797-2577] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_2" id="connection_between_linux_and_active_directory_-_method_2">Connection between Linux and Active Directory - method 2</a></h3>
<div class="level3">
<div class="notetip">This method requires the <code>msktutil</code> program on the Linux server. A package should be available for your distribution.
</div>
<p>
Initiate the Kerberos connection:
</p>
<pre class="code">
kinit ssokerberos@EXAMPLE.COM
</pre>
<p>
Then create the keytab:
</p>
<ul>
<li class="level1"><div class="li"> Windows 2003 server:</div>
</li>
</ul>
<pre class="code">
rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b &quot;cn=COMPUTERS&quot; -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose
</pre>
<ul>
<li class="level1"><div class="li"> Windows 2008 server:</div>
</li>
</ul>
<pre class="code">
rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b &quot;cn=COMPUTERS&quot; -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose --enctypes 28
</pre>
<div class="noteimportant">The <code>--enctypes</code> option requires msktutil &gt; 0.4.
</div>
<p>
Destroy the Kerberos ticket cache:
</p>
<pre class="code">
kdestroy
</pre>
<p>
Change the ownership of the keytab file so that Apache can read it:
</p>
<pre class="code">
chown apache /etc/lemonldap-ng/auth.keytab
</pre>
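<p>
Before handing the keytab to Apache, it is worth checking which service key and encryption types it actually contains: method 1 produces a DES-only key (<code>-crypto DES-CBC-MD5 +DesOnly</code>), while method 2 with <code>--enctypes 28</code> requests RC4, AES-128 and AES-256 keys. The Python below is an added example, not part of the LemonLDAP::NG documentation or code; it parses the MIT keytab file format (version 0x0502) and reports the enctypes stored for <code>HTTP/auth.example.com@EXAMPLE.COM</code>. The sample keytabs it inspects are constructed in the script itself; the key bytes and timestamp are made up.
</p>

```python
import struct
ENCTYPE_NAMES = {3: "des-cbc-md5", 23: "rc4-hmac",   # RFC 3961 / IANA enctype numbers
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
DES_ENCTYPES = {1, 3}  # des-cbc-crc, des-cbc-md5

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data  # counted_octet_string: uint16 BE length, then bytes
def build_keytab(entries):
    """Version-2 (0x0502) keytab from (principal, kvno, enctype, key) tuples; sample-input builder only."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 1362744284, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)  # keyblock, 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed samples: the DES-only key method 1's ktpass yields, and an AES-256 key (made-up key bytes).
SAMPLE_DES_ONLY = build_keytab([("HTTP/auth.example.com@EXAMPLE.COM", 3, 3, b"\x01" * 8)])
SAMPLE_AES256 = build_keytab([("HTTP/auth.example.com@EXAMPLE.COM", 3, 18, b"\x02" * 32)])

def parse_keytab(blob: bytes):
    """Return [(principal, kvno, enctype)] for every live entry of a version-2 keytab."""
    assert blob[:2] == b"\x05\x02", "only keytab format version 2 is handled"
    pos, entries = 2, []
    while pos < len(blob):
        size = struct.unpack_from(">i", blob, pos)[0]; pos += 4
        if size < 0: pos -= size; continue   # a negative size marks a deleted slot
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack_from(">HH", blob, p); p += 4
        realm = blob[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            clen = struct.unpack_from(">H", blob, p)[0]; p += 2
            comps.append(blob[p:p + clen].decode()); p += clen
        _ntype, _ts, kvno = struct.unpack_from(">IIB", blob, p); p += 9
        enctype, klen = struct.unpack_from(">HH", blob, p); p += 4 + klen
        if end - p >= 4:   # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", blob, p)[0]
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def check_service_key(blob, principal="HTTP/auth.example.com@EXAMPLE.COM"):
    """Enctype names stored for the portal's service key, and whether Negotiate would be stuck with DES."""
    enctypes = sorted({e for p, _, e in parse_keytab(blob) if p == principal})
    return [ENCTYPE_NAMES.get(e, str(e)) for e in enctypes], bool(enctypes) and set(enctypes) <= DES_ENCTYPES
```

To inspect a real file, read <code>/etc/lemonldap-ng/auth.keytab</code> in binary mode and pass the bytes to <code>check_service_key</code>; an empty list means the service principal named in <code>KrbServiceName</code> is missing from the keytab.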
</div>
<!-- SECTION "Connection between Linux and Active Directory - method 2" [2578-3693] -->
<h3><a name="configuration_of_lemonldapng" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></h3>
<div class="level3">
<p>
In Manager, go to <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose Apache for authentication.
</p>
<div class="notetip">You can then choose any other module for users and password.
</div>
<p>
You can also configure the authentication level for this module.
</p>
</div>
<!-- SECTION "Configuration of LemonLDAP::NG" [3694-3989] -->
<h3><a name="configuration_of_apache_virtual_host" id="configuration_of_apache_virtual_host">Configuration of Apache virtual host</a></h3>
<div class="level3">
<p>
Modify the portal virtual host:
</p>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *&gt;
<span class="kw1">ServerName</span> auth.example.com
&nbsp;
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/
&nbsp;
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/&gt;
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">Options</span> +ExecCGI
&nbsp;
&lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
<span class="kw1">AuthType</span> Kerberos
KrbMethodNegotiate <span class="kw2">On</span>
KrbMethodK5Passwd <span class="kw2">Off</span>
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/lemonldap-ng/auth.keytab
KrbVerifyKDC <span class="kw2">Off</span>
KrbServiceName HTTP/auth.example.com
<span class="kw1">require</span> valid-<span class="kw1">user</span>
&lt;/<span class="kw3">IfModule</span>&gt;
&nbsp;
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div>
<!-- SECTION "Configuration of Apache virtual host" [3990-4634] -->
<h3><a name="use_kerberos_with_multiple_authentication_backend" id="use_kerberos_with_multiple_authentication_backend">Use Kerberos with Multiple authentication backend</a></h3>
<div class="level3">
<p>
You may want to use the <a href="../../documentation/1.4/authmulti.html" class="wikilink1" title="documentation:1.4:authmulti">Multiple authentication backend</a> to fall back to another authentication method for users without a Kerberos ticket.
</p>
<p>
This needs some hacking, because the Apache Kerberos authentication module does not work if <code>require valid-user</code> is not set.
</p>
<p>
To achieve this, follow these steps:
</p>
<ul>
<li class="level1"><div class="li"> Create a symlink to portal/index.pl to define the Kerberos authentication endpoint:</div>
</li>
</ul>
<pre class="code">
ln -s /var/lib/lemonldap-ng/portal/index.pl /var/lib/lemonldap-ng/portal/kerberos.pl
</pre>
<ul>
<li class="level1"><div class="li"> Create a redirection script, called login.pl:</div>
</li>
</ul>
<pre class="code">
vi /var/lib/lemonldap-ng/portal/login.pl
</pre>
<pre class="code file perl"><span class="co1">#!/usr/bin/perl</span>
<span class="kw2">use</span> CGI <span class="st_h">':cgi-lib'</span><span class="sy0">;</span>
<span class="kw2">use</span> strict<span class="sy0">;</span>
<span class="kw2">use</span> MIME<span class="sy0">::</span><span class="me2">Base64</span><span class="sy0">;</span>
<span class="kw2">use</span> CGI<span class="sy0">::</span><span class="me2">Carp</span> <span class="st_h">'fatalsToBrowser'</span><span class="sy0">;</span>
<span class="kw1">my</span> <span class="re0">$uri</span> <span class="sy0">=</span> <span class="re0">$ENV</span><span class="br0">&#123;</span><span class="st0">&quot;REDIRECT_QUERY_STRING&quot;</span><span class="br0">&#125;</span><span class="sy0">;</span>
<a href="http://perldoc.perl.org/functions/print.html"><span class="kw3">print</span></a> CGI<span class="sy0">::</span><span class="me2">header</span><span class="br0">&#40;</span><span class="sy0">-</span>Refresh <span class="sy0">=&gt;</span> <span class="st_h">'0; URL=http://auth.example.com/?'</span><span class="sy0">.</span><span class="re0">$uri</span><span class="br0">&#41;</span><span class="sy0">;</span>
<a href="http://perldoc.perl.org/functions/exit.html"><span class="kw3">exit</span></a><span class="br0">&#40;</span>0<span class="br0">&#41;</span><span class="sy0">;</span></pre>
<ul>
<li class="level1"><div class="li"> Modify the Apache virtual host so that the Kerberos authentication module applies only to the Kerberos endpoint:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *&gt;
<span class="kw1">ServerName</span> auth.example.com
&nbsp;
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/
&nbsp;
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/&gt;
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
<span class="kw1">ErrorDocument</span> 401 /login.pl
&lt;<span class="kw3">Location</span> /kerberos.pl&gt;
&lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
<span class="kw1">AuthType</span> Kerberos
KrbMethodNegotiate <span class="kw2">On</span>
KrbMethodK5Passwd <span class="kw2">Off</span>
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/lemonldap-ng/auth.keytab
KrbVerifyKDC <span class="kw2">Off</span>
KrbServiceName HTTP/auth.example.com
&lt;/<span class="kw3">IfModule</span>&gt;
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> Modify the LemonLDAP::NG Portal <acronym title="Uniform Resource Locator">URL</acronym> through Manager to: <a href="http://auth.example.com/kerberos.pl" class="urlextern" title="http://auth.example.com/kerberos.pl" rel="nofollow">http://auth.example.com/kerberos.pl</a></div>
</li>
<li class="level1"><div class="li"> Configure Multiple authentication backend (for example: Apache;<acronym title="Lightweight Directory Access Protocol">LDAP</acronym>)</div>
</li>
<li class="level1"><div class="li"> Restart Apache</div>
</li>
</ul>
</div>
<!-- SECTION "Use Kerberos with Multiple authentication backend" [4635-6422] -->
<h3><a name="time_to_test" id="time_to_test">Time to test</a></h3>
<div class="level3">
<p>
Configure <acronym title="Internet Explorer">IE</acronym> or Firefox to trust <code><a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></code>; authentication should then work transparently.
</p>
</div>
<!-- SECTION "Time to test" [6423-] --></div><!-- closes <div class="dokuwiki export">-->