<acronym title="LemonLDAP::NG">LL::NG</acronym> can delegate authentication to Apache, so it is possible to use any <a href="http://httpd.apache.org/docs/current/howto/auth.html" class="urlextern" title="http://httpd.apache.org/docs/current/howto/auth.html" rel="nofollow">Apache authentication module</a>, for example:
<p><div class="notetip">The Apache authentication module sets the <code>REMOTE_USER</code> environment variable, which <acronym title="LemonLDAP::NG">LL::NG</acronym> uses to identify the authenticated user.
</div></p>
</p>
<p>
<p><div class="noteclassic">This documentation focuses on the Kerberos authentication module, which can, for example, provide transparent authentication for Active Directory users (as Active Directory is a Kerberos server).
<li class="level1"><div class="li"><strong><acronym title="Hyper Text Transfer Protocol">HTTP</acronym></strong>: Service name</div>
</li>
<li class="level1"><div class="li"><strong>auth.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> of the portal</div>
</li>
<li class="level1"><div class="li"><strong>ad.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> of Active Directory</div>
</li>
<li class="level1"><div class="li"><strong>cn=ssokerberos,cn=users,dc=example,dc=com</strong>: <acronym title="Distinguished Name">DN</acronym> of AD technical account</div>
</li>
<li class="level1"><div class="li"><strong>complicatedpassword</strong>: Password of AD technical account</div>
The module can be found <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/" rel="nofollow">here</a>.
<h3><a name="kerberos_client_for_linux" id="kerberos_client_for_linux">Kerberos client for Linux</a></h3>
<div class="level3">
<p>
Edit <code>/etc/krb5.conf</code>:
</p>
<pre class="file">
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
</pre>
</div>
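<p>
To check that this <code>krb5.conf</code> resolves the portal host to the expected realm and KDC, the lookup can be reproduced offline. This is an added example, not part of the original documentation or of LL::NG: <code>parse_krb5</code> and <code>service_principal</code> are hypothetical helper names, the embedded file is the sample from this page, and the <code>[domain_realm]</code> lookup order is a simplified model.
</p>

```python
import re

# Constructed sample: the krb5.conf from this page, embedded so the example runs offline.
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

def parse_krb5(text):
    """Parse [sections], 'key = value' relations and one level of { } nesting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def service_principal(conf, host, service="HTTP"):
    """Hypothetical helper: principal and KDCs the portal host resolves to, or ValueError."""
    mapping, name, realm = conf.get("domain_realm", {}), host.lower(), None
    while name and realm is None:
        # Simplified lookup order: exact host, then each parent domain with and without a leading dot.
        realm = mapping.get(name, [None])[0]
        name = name[1:] if name.startswith(".") else name[name.find("."):] if "." in name else ""
    if realm is None:
        raise ValueError(f"no [domain_realm] entry covers {host}")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if not kdcs:
        raise ValueError(f"realm {realm} has no kdc in [realms]")
    return f"{service}/{host}@{realm}", kdcs
```

<p>
With the sample file, <code>service_principal(parse_krb5(KRB5_CONF), "auth.example.com")</code> returns the principal <code>HTTP/auth.example.com@EXAMPLE.COM</code> and the KDC <code>ad.example.com</code>; a host outside <code>example.com</code> raises <code>ValueError</code>.
</p>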
<!-- SECTION "Kerberos client for Linux" [1519-1796] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_1" id="connection_between_linux_and_active_directory_-_method_1">Connection between Linux and Active Directory - method 1</a></h3>
<div class="level3">
<p>
<p><div class="notetip">This method requires executing a command on the Active Directory server and then transferring the keytab to the Linux server.
<!-- SECTION "Connection between Linux and Active Directory - method 1" [1797-2577] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_2" id="connection_between_linux_and_active_directory_-_method_2">Connection between Linux and Active Directory - method 2</a></h3>
<div class="level3">
<p>
<p><div class="notetip">This method requires the <code>msktutil</code> program on the Linux server. You should be able to find a package for your distribution with a little searching on the web.
</div></p>
</p>
<p>
Initiate the Kerberos connection:
</p>
<pre class="code">
kinit ssokerberos@EXAMPLE.COM
</pre>
<p>
Then create the keytab.
</p>
<ul>
<li class="level1"><div class="li"> Windows 2003 server:</div>
You may want to use the <a href="../../documentation/1.4/authmulti.html" class="wikilink1" title="documentation:1.4:authmulti">Multiple authentication backend</a> to fall back to another authentication method for users without a Kerberos ticket.
<h3><a name="time_to_test" id="time_to_test">Time to test</a></h3>
<div class="level3">
<p>
Configure <acronym title="Internet Explorer">IE</acronym> or Firefox to trust <code><a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></code>, and then it should work!