<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:kerberos</title><!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else --><!-- //endif -->
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,kerberos" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="kerberos.html" />
<link rel="contents" href="kerberos.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:kerberos","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script><!-- //endif --><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script><!-- //endif -->
</head>
<body>
<div class="dokuwiki export container"><!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#prerequisites">Prerequisites</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#example_values">Example values</a></div></li>
<li class="level2"><div class="li"><a href="#server_time">Server time</a></div></li>
<li class="level2"><div class="li"><a href="#dns">DNS</a></div></li>
<li class="level2"><div class="li"><a href="#ad_accounts">AD accounts</a></div></li>
<li class="level2"><div class="li"><a href="#web_browser_configuration">Web browser configuration</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#firefox">Firefox</a></div></li>
<li class="level3"><div class="li"><a href="#internet_explorer">Internet Explorer</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#apache_kerberos_module_installation">Apache Kerberos module installation</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#single_llng_serversingle_ad_domain">Single LL::NG Server / Single AD domain</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file">Obtain keytab file</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#llng_clustersingle_ad_domain">LL::NG Cluster / Single AD domain</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration1">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file1">Obtain keytab file</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng1">Configuration of LemonLDAP::NG</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_portal_virtual_host">Configuration of portal virtual host</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#llng_clustertwo_ad_domains">LL::NG Cluster / Two AD domains</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration2">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file2">Obtain keytab file</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng2">Configuration of LemonLDAP::NG</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_portal_virtual_host1">Configuration of portal virtual host</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
</ul>
</div>
</div><!-- TOC END -->
<h1 class="sectionedit1" id="kerberos">Kerberos</h1>
<div class="level1">
</div><!-- EDIT1 SECTION "Kerberos" [1 - 24] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
This documentation explains how to use Active Directory as a Kerberos server and provide transparent authentication to <abbr title="LemonLDAP::NG">LL::NG</abbr> for the users of the AD domain.
</p>
<p>
Several architectures are presented here:
</p>
<ul>
<li class="level1"><div class="li">A single <abbr title="LemonLDAP::NG">LL::NG</abbr> server linked to a single AD domain</div>
</li>
<li class="level1"><div class="li">An <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to a single AD domain</div>
</li>
<li class="level1"><div class="li">An <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to two AD domains</div>
</li>
</ul>
</div><!-- EDIT2 SECTION "Presentation" [25 - 376] -->
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
<div class="level2">
</div><!-- EDIT3 SECTION "Prerequisites" [377 - 403] -->
<h3 class="sectionedit4" id="example_values">Example values</h3>
<div class="level3">
<p>
The following values are used in the examples:
</p>
<ul>
<li class="level1"><div class="li"><strong>EXAMPLE.COM</strong>: first AD domain</div>
</li>
<li class="level1"><div class="li"><strong>ACME.COM</strong>: second AD domain</div>
</li>
<li class="level1"><div class="li"><strong>auth.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> name of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
</li>
<li class="level1"><div class="li"><strong>authpwd.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> name of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (used to fall back to an authentication form)</div>
</li>
<li class="level1"><div class="li"><strong>node1.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> name of the first <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (cluster mode)</div>
</li>
<li class="level1"><div class="li"><strong>node2.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> name of the second <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (cluster mode)</div>
</li>
<li class="level1"><div class="li"><strong>ad.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> name of the first Active Directory</div>
</li>
<li class="level1"><div class="li"><strong>ad.acme.com</strong>: <abbr title="Domain Name System">DNS</abbr> name of the second Active Directory</div>
</li>
<li class="level1"><div class="li"><strong>KERB_AUTH</strong>: AD account used to generate the keytab of the <abbr title="LemonLDAP::NG">LL::NG</abbr> server (single-server mode)</div>
</li>
<li class="level1"><div class="li"><strong>KERB_NODE1</strong>: AD account used to generate the keytab of the first <abbr title="LemonLDAP::NG">LL::NG</abbr> server (cluster mode)</div>
</li>
<li class="level1"><div class="li"><strong>KERB_NODE2</strong>: AD account used to generate the keytab of the second <abbr title="LemonLDAP::NG">LL::NG</abbr> server (cluster mode)</div>
</li>
</ul>
</div><!-- EDIT4 SECTION "Example values" [404 - 1263] -->
<h3 class="sectionedit5" id="server_time">Server time</h3>
<div class="level3">
<p>
The <abbr title="LemonLDAP::NG">LL::NG</abbr> and AD servers must have the same time (Kerberos rejects requests whose timestamps fall outside its clock-skew tolerance). Using NTP for this is recommended.
</p>
</div><!-- EDIT5 SECTION "Server time" [1264 - 1399] -->
<h3 class="sectionedit6" id="dns">DNS</h3>
<div class="level3">
<p>
All names must be registered in the <abbr title="Domain Name System">DNS</abbr> server (which is Active Directory). Preferably, reverse <abbr title="Domain Name System">DNS</abbr> should also be able to resolve all names.
</p>
</div><!-- EDIT6 SECTION "DNS" [1400 - 1543] -->
<h3 class="sectionedit7" id="ad_accounts">AD accounts</h3>
<div class="level3">
<p>
It is recommended to create one AD account per <abbr title="LemonLDAP::NG">LL::NG</abbr> server. Each account will hold the service principal name (SPN) of its <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
</p>
<div class="notetip">It should be possible to use the same account for all SPNs, but this requires some AD manipulation (setspn command) that is not documented here.
</div>
</div><!-- EDIT7 SECTION "AD accounts" [1544 - 1884] -->
<h3 class="sectionedit8" id="web_browser_configuration">Web browser configuration</h3>
<div class="level3">
</div>
<h4 id="firefox">Firefox</h4>
<div class="level4">
<p>
Go to <code>about:config</code> in a tab and search for <code>trusted</code>. Edit the <code>network.negotiate-auth.trusted-uris</code> property and set it to <code>example.com</code>.
</p>
</div>
<h4 id="internet_explorer">Internet Explorer</h4>
<div class="level4">
<p>
Add <code><a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></code> as a trusted site.
</p>
<p>
Check in the security settings that Kerberos authentication is allowed.
</p>
</div><!-- EDIT8 SECTION "Web browser configuration" [1885 - 2244] -->
<h3 class="sectionedit9" id="apache_kerberos_module_installation">Apache Kerberos module installation</h3>
<div class="level3">
<p>
On CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_auth_kerb</pre>
<p>
On Debian/Ubuntu:
</p>
<pre class="code shell">apt-get install libapache2-mod-auth-kerb</pre>
<p>
This module must be loaded by Apache (LoadModule directive).
</p>
</div><!-- EDIT9 SECTION "Apache Kerberos module installation" [2245 - 2497] -->
<h2 class="sectionedit10" id="single_llng_serversingle_ad_domain">Single LL::NG Server / Single AD domain</h2>
<div class="level2">
</div><!-- EDIT10 SECTION "Single LL::NG Server / Single AD domain" [2498 - 2550] -->
<h3 class="sectionedit11" id="client_kerberos_configuration">Client Kerberos configuration</h3>
<div class="level3">
<p>
On the <abbr title="LemonLDAP::NG">LL::NG</abbr> server, edit <code>/etc/krb5.conf</code>:
</p>
<pre class="code file ini">[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
dns_lookup_realm = no
ticket_lifetime = 24h
forwardable = yes
renewable = true
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM</pre>
<p>
You can check that Kerberos works by trying to obtain a ticket for a domain user (for example coudot):
</p>
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
<p>
A password may be asked for. Then list the tickets:
</p>
<pre class="code">klist -e</pre>
<p>
You should find a krbtgt ticket:
</p>
<pre class="code">Valid starting       Expires              Service principal
06/04/15 15:43:24  06/05/15 01:43:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96</pre>
<p>
The Kerberos session can then be closed:
</p>
<pre class="code">kdestroy</pre>
</div><!-- EDIT11 SECTION "Client Kerberos configuration" [2551 - 3552] -->
<h3 class="sectionedit12" id="obtain_keytab_file">Obtain keytab file</h3>
<div class="level3">
<p>
Run this command on the Active Directory server:
</p>
<pre class="code">ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser KERB_AUTH@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\auth.keytab</pre>
<div class="noteimportant">The values passed to -crypto and -ptype depend on the Active Directory version and on the workstations' version. For example, RC4-HMAC-NT can be used as the encryption type if DES is not supported by the workstations (which is the default on Windows 8, for example). DES is a weak cipher that recent Kerberos libraries disable by default (MIT Kerberos needs <code>allow_weak_crypto = true</code> to accept it), so prefer the strongest encryption type that both AD and the workstations support.
</div>
<p>
The <code>auth.keytab</code> file must then be copied (through a secure medium) to the Linux server (for example into <code>/etc/lemonldap-ng</code>).
</p>
<p>
Change the permissions on the keytab file:
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
<p>
The validity of the keytab file can be checked by requesting a service ticket and comparing it with the content of the keytab.
</p>
<p>
Open a Kerberos session (as done in the previous step):
</p>
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
<p>
Request a service ticket:
</p>
<pre class="code">kvno HTTP/auth.example.com@EXAMPLE.COM</pre>
<p>
The command output should be:
</p>
<pre class="code">HTTP/auth.example.com@EXAMPLE.COM: kvno = 3</pre>
<p>
Read the service ticket:
</p>
<pre class="code">klist -e</pre>
<p>
You should find a ticket like this one:
</p>
<pre class="code">06/04/15 16:28:49  06/05/15 02:28:11  HTTP/auth.example.com@EXAMPLE.COM
	renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac</pre>
<p>
The Kerberos session can be closed:
</p>
<pre class="code">kdestroy</pre>
<p>
Now compare the result above with the same query made against the keytab:
</p>
<pre class="code">klist -e -k -t /etc/lemonldap-ng/auth.keytab</pre>
<p>
The command output should be:
</p>
<pre class="code">Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)</pre>
<p>
The important points to check are:
</p>
<ul>
<li class="level1"><div class="li">KVNO must be identical</div>
</li>
<li class="level1"><div class="li">Principal names must be identical</div>
</li>
<li class="level1"><div class="li">Encryption types must be identical</div>
</li>
</ul>
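<p>
An added example (not part of the LemonLDAP::NG documentation or tooling) that automates the three checks above: it parses the output of <code>kvno</code>, <code>klist -e</code> and <code>klist -e -k -t</code> and reports any mismatch. The sample outputs are constructed from this page's example values, and a stale-keytab case is included to show what a KVNO mismatch looks like.
</p>

```python
import re

# Constructed sample outputs (added example, not LemonLDAP::NG tooling),
# shaped like the kvno / klist output shown above, with the page's values.
SERVICE = "HTTP/auth.example.com@EXAMPLE.COM"

KVNO_OUTPUT = "HTTP/auth.example.com@EXAMPLE.COM: kvno = 3\n"

TICKET_CACHE_OUTPUT = """\
Default principal: coudot@EXAMPLE.COM

Valid starting       Expires              Service principal
06/04/15 15:43:24  06/05/15 01:43:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/04/15 16:28:49  06/05/15 02:28:11  HTTP/auth.example.com@EXAMPLE.COM
\trenew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

KEYTAB_OUTPUT = """\
Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# Constructed failure case: a keytab written before ktpass was run again.
# Every ktpass run resets the account password and increments the KVNO, so an
# older keytab still lists the principal but can no longer decrypt new tickets.
STALE_KEYTAB_OUTPUT = KEYTAB_OUTPUT.replace("   3 01/01/70", "   2 01/01/70")

def parse_kvno(text):
    """Map the 'principal: kvno = N' lines of `kvno` output to {principal: N}."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\S+): kvno = (\d+)\s*$", text, re.M)}

def parse_ticket_cache(text):
    """Map each service principal in `klist -e` output to its ticket enctype.
    The principal ends a 'Valid starting / Expires' line; the 'Etype (skey, tkt)'
    line below it names the session-key type, then the ticket type. The ticket
    type is the one encrypted with the service key, so it must match the keytab."""
    result, current = {}, None
    date = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
    for line in text.splitlines():
        m = re.match(r"^%s\s+%s\s+(\S+)\s*$" % (date, date), line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"Etype \(skey, tkt\): ([\w-]+), ([\w-]+)", line)
        if m and current:
            result[current] = m.group(2)
            current = None
    return result

def parse_keytab_listing(text):
    """Map each principal in `klist -e -k -t` output to [(kvno, enctype), ...]."""
    result = {}
    for m in re.finditer(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+) \(([\w-]+)\)\s*$", text, re.M):
        result.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return result

def check_keytab(service, kvno_out, cache_out, keytab_out):
    """Apply the three checks listed above. Returns the problems found; an
    empty list means the keytab matches the tickets the KDC actually issues."""
    problems = []
    ticket_kvno = parse_kvno(kvno_out).get(service)
    ticket_etype = parse_ticket_cache(cache_out).get(service)
    entries = parse_keytab_listing(keytab_out).get(service, [])
    if ticket_kvno is None:
        problems.append("no kvno line for %s" % service)
    if ticket_etype is None:
        problems.append("no service ticket for %s in the credential cache" % service)
    if not entries:
        problems.append("principal %s is absent from the keytab" % service)
    if problems:
        return problems
    kvnos = sorted({k for k, _ in entries})
    etypes = sorted({e for _, e in entries})
    if ticket_kvno not in kvnos:
        problems.append("KVNO mismatch: ticket has %d, keytab has %s" % (ticket_kvno, kvnos))
    if ticket_etype not in etypes:
        problems.append("enctype mismatch: ticket uses %s, keytab has %s" % (ticket_etype, etypes))
    return problems

if __name__ == "__main__":
    print("current keytab:", check_keytab(SERVICE, KVNO_OUTPUT, TICKET_CACHE_OUTPUT, KEYTAB_OUTPUT) or "OK")
    print("stale keytab:", check_keytab(SERVICE, KVNO_OUTPUT, TICKET_CACHE_OUTPUT, STALE_KEYTAB_OUTPUT))
```

On a real server, feed the three command outputs in place of the constructed strings; a non-empty result is the reason mod_auth_kerb will answer 401 even though the browser sent a ticket.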
</div><!-- EDIT12 SECTION "Obtain keytab file" [3553 - 5681] -->
<h3 class="sectionedit13" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</h3>
<div class="level3">
<p>
See <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos authentication module</a> <em>or <a href="authapache.html#llng" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module configuration</a> (deprecated)</em>.
</p>
</div><!-- EDIT13 SECTION "Configuration of LemonLDAP::NG" [5682 - 5861] -->
<h2 class="sectionedit14" id="llng_clustersingle_ad_domain">LL::NG Cluster / Single AD domain</h2>
<div class="level2">
</div><!-- EDIT14 SECTION "LL::NG Cluster / Single AD domain" [5862 - 5908] -->
<h3 class="sectionedit15" id="client_kerberos_configuration1">Client Kerberos configuration</h3>
<div class="level3">
<p>
The Kerberos client configuration is the same as for a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
</p>
</div><!-- EDIT15 SECTION "Client Kerberos configuration" [5909 - 6023] -->
<h3 class="sectionedit16" id="obtain_keytab_file1">Obtain keytab file</h3>
<div class="level3">
<div class="noteimportant">A keytab must be obtained for each <abbr title="LemonLDAP::NG">LL::NG</abbr> node.
</div>
<p>
The commands on Active Directory:
</p>
<pre class="code">ktpass -princ HTTP/node1.example.com@EXAMPLE.COM -mapuser KERB_NODE1@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\authnode1.keytab
ktpass -princ HTTP/node2.example.com@EXAMPLE.COM -mapuser KERB_NODE2@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\authnode2.keytab</pre>
<p>
Copy the generated keytabs to their respective nodes (renaming each one to auth.keytab so that the Apache configuration is the same on every node).
</p>
<p>
Change the permissions on the keytab file:
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
<div class="notetip">The same check as for a standalone <abbr title="LemonLDAP::NG">LL::NG</abbr> server can be done. Simply use node1.example.com and node2.example.com instead of auth.example.com.
</div>
</div><!-- EDIT16 SECTION "Obtain keytab file" [6024 - 6957] -->
<h3 class="sectionedit17" id="configuration_of_lemonldapng1">Configuration of LemonLDAP::NG</h3>
<div class="level3">
<p>
The configuration is the same as for a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
</p>
</div><!-- EDIT17 SECTION "Configuration of LemonLDAP::NG" [6958 - 7058] -->
<h3 class="sectionedit18" id="configuration_of_portal_virtual_host">Configuration of portal virtual host</h3>
<div class="level3">
<p>
The only change in the Apache configuration is the <code>KrbServiceName</code> directive, which must be set to Any (mod_auth_kerb then accepts a ticket for any service principal present in the keytab, which is what lets every node share the same configuration):
</p>
<pre class="code file apache">KrbServiceName Any</pre>
</div><!-- EDIT18 SECTION "Configuration of portal virtual host" [7059 - 7247] -->
<h2 class="sectionedit19" id="llng_clustertwo_ad_domains">LL::NG Cluster / Two AD domains</h2>
<div class="level2">
</div><!-- EDIT19 SECTION "LL::NG Cluster / Two AD domains" [7248 - 7292] -->
<h3 class="sectionedit20" id="client_kerberos_configuration2">Client Kerberos configuration</h3>
<div class="level3">
<p>
Both domains must be defined in <code>/etc/krb5.conf</code>:
</p>
<pre class="code file ini">[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
dns_lookup_realm = no
ticket_lifetime = 24h
forwardable = yes
renewable = true
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
default_domain = EXAMPLE.COM
}
ACME.COM = {
kdc = ad.acme.com
admin_server = ad.acme.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.acme.com = ACME.COM
acme.com = ACME.COM</pre>
<p>
You should be able to open a Kerberos session in each domain:
</p>
<pre class="code">kinit coudot@EXAMPLE.COM
klist -e
kdestroy</pre>
<pre class="code">kinit coudot@ACME.COM
klist -e
kdestroy</pre>
</div><!-- EDIT20 SECTION "Client Kerberos configuration" [7293 - 8037] -->
<h3 class="sectionedit21" id="obtain_keytab_file2">Obtain keytab file</h3>
<div class="level3">
<p>
A keytab must be obtained for each node in each domain, which means the ktpass command must be run in both ADs.
</p>
<p>
There are therefore two keytabs per node, for example:
</p>
<ul>
<li class="level1"><div class="li">node1-example.keytab</div>
</li>
<li class="level1"><div class="li">node1-acme.keytab</div>
</li>
</ul>
<p>
The two files must be merged into one, which the <code>ktutil</code> command does:
</p>
<pre class="code">ktutil
ktutil: read_kt node1-example.keytab
ktutil: read_kt node1-acme.keytab
ktutil: write_kt /etc/lemonldap-ng/auth.keytab
ktutil: quit</pre>
<p>
The original keytabs can then be deleted and the final keytab protected:
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
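<p>
An added example (not LemonLDAP::NG code) tying the two-realm <code>/etc/krb5.conf</code> of the previous section to the keytab requirement of this one: it parses the configuration, resolves host names to realms through <code>[domain_realm]</code> following the rules libkrb5 applies when DNS lookups are disabled, and lists the service principals a node's merged keytab must contain. The configuration string is a constructed copy of the one shown on this page; <code>pc.corp.lan</code> is a made-up host used only to show the default_realm fallback.
</p>

```python
import re

# Constructed copy of the two-realm /etc/krb5.conf shown above (added example,
# not LemonLDAP::NG code; the values are the page's example values).
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
dns_lookup_realm = no
ticket_lifetime = 24h
forwardable = yes
renewable = true
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
default_domain = EXAMPLE.COM
}
ACME.COM = {
kdc = ad.acme.com
admin_server = ad.acme.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.acme.com = ACME.COM
acme.com = ACME.COM
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above: [section] headers, 'key = value'
    lines and one level of 'NAME = { ... }' blocks. Returns
    {section: {key: value-or-subdict}}; a repeated key keeps its last value."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("value outside any section: %r" % raw)
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section)[key] = value
    return conf

def realm_for_host(conf, hostname):
    """Map a host name to its realm from [domain_realm], as libkrb5 does when
    dns_lookup_realm = no: a dotted entry matches every host under that domain,
    an undotted one only that exact name, the longest match wins, and
    default_realm is the fallback."""
    host, best = hostname.lower().rstrip("."), None
    for pattern, realm in conf.get("domain_realm", {}).items():
        pat = pattern.lower()
        hit = host.endswith(pat) if pat.startswith(".") else host == pat
        if hit and (best is None or len(pat) > len(best[0])):
            best = (pat, realm)
    return best[1] if best else conf.get("libdefaults", {}).get("default_realm")

def kdc_for_realm(conf, realm):
    """Static KDC of a realm. With dns_lookup_kdc = false (as above) it is the
    only KDC libkrb5 will contact, so it must be resolvable in DNS."""
    return conf.get("realms", {}).get(realm, {}).get("kdc")

def expected_keytab_principals(conf, node):
    """Principals a cluster node's merged keytab must hold: one HTTP/<node>@<REALM>
    per configured realm, since each AD issues tickets for the SPN registered
    in its own domain (one ktpass run per AD, then ktutil to merge)."""
    return sorted("HTTP/%s@%s" % (node, realm) for realm in conf.get("realms", {}))

if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for host in ("auth.example.com", "ad.acme.com", "example.com", "pc.corp.lan"):
        realm = realm_for_host(conf, host)
        print("%-18s -> %-12s kdc=%s" % (host, realm, kdc_for_realm(conf, realm)))
    print(expected_keytab_principals(conf, "node1.example.com"))
```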
</div><!-- EDIT21 SECTION "Obtain keytab file" [8038 - 8699] -->
<h3 class="sectionedit22" id="configuration_of_lemonldapng2">Configuration of LemonLDAP::NG</h3>
<div class="level3">
<p>
The configuration is the same as for a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
</p>
</div><!-- EDIT22 SECTION "Configuration of LemonLDAP::NG" [8700 - 8800] -->
<h3 class="sectionedit23" id="configuration_of_portal_virtual_host1">Configuration of portal virtual host</h3>
<div class="level3">
<p>
The configuration is the same as for a single AD domain.
</p>
</div><!-- EDIT23 SECTION "Configuration of portal virtual host" [8801 - 8907] -->
<h2 class="sectionedit24" id="other_resources">Other resources</h2>
<div class="level2">
<p>
To learn more:
</p>
<ul>
<li class="level1"><div class="li"><a href="http://modauthkerb.sourceforge.net/configure.html" class="urlextern" title="http://modauthkerb.sourceforge.net/configure.html" rel="nofollow">http://modauthkerb.sourceforge.net/configure.html</a></div>
</li>
<li class="level1"><div class="li"><a href="http://www.grolmsnet.de/kerbtut/" class="urlextern" title="http://www.grolmsnet.de/kerbtut/" rel="nofollow">http://www.grolmsnet.de/kerbtut/</a></div>
</li>
</ul>
</div><!-- EDIT24 SECTION "Other resources" [8908 - ] -->
</div>
</body>
</html>