lemonldap-ng/doc/pages/documentation/1.4/authapache.html
2013-11-02 21:09:55 +00:00


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="apache" id="apache">Apache</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1"> </td><td class="col2"> </td>
</tr>
</table>
</div>
<!-- SECTION "Apache" [1-73] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> can delegate authentication to Apache, so it is possible to use any <a href="http://httpd.apache.org/docs/current/howto/auth.html" class="urlextern" title="http://httpd.apache.org/docs/current/howto/auth.html" rel="nofollow">Apache authentication module</a>, for example:
</p>
<ul>
<li class="level1"><div class="li"> <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/" rel="nofollow">Kerberos</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" class="urlextern" title="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" rel="nofollow">NTLM</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://freeradius.org/mod_auth_radius/" class="urlextern" title="http://freeradius.org/mod_auth_radius/" rel="nofollow">Radius</a></div>
</li>
</ul>
<p>
<p><div class="notetip">The Apache authentication module sets the <code>REMOTE_USER</code> environment variable, which <acronym title="LemonLDAP::NG">LL::NG</acronym> reads to get the authenticated user.
</div></p>
</p>
<p>
<p><div class="noteclassic">This documentation focuses on the Kerberos authentication module, which allows, for example, transparent authentication for Active Directory users (since Active Directory is a Kerberos server).
</div></p>
</p>
<p>
The following sample parameters will be used:
</p>
<ul>
<li class="level1"><div class="li"> <strong>EXAMPLE.COM</strong>: Kerberos realm</div>
</li>
<li class="level1"><div class="li"> <strong><acronym title="Hyper Text Transfer Protocol">HTTP</acronym></strong>: Service name</div>
</li>
<li class="level1"><div class="li"> <strong>auth.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> of the portal</div>
</li>
<li class="level1"><div class="li"> <strong>ad.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> of Active Directory</div>
</li>
<li class="level1"><div class="li"> <strong>cn=ssokerberos,cn=users,dc=example,dc=com</strong>: <acronym title="Distinguished Name">DN</acronym> of AD technical account</div>
</li>
<li class="level1"><div class="li"> <strong>complicatedpassword</strong>: Password of AD technical account</div>
</li>
</ul>
</div>
<!-- SECTION "Presentation" [74-1180] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
</div>
<!-- SECTION "Configuration" [1181-1207] -->
<h3><a name="apache_kerberos_module" id="apache_kerberos_module">Apache Kerberos module</a></h3>
<div class="level3">
<p>
The module can be found <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/" rel="nofollow">here</a>.
</p>
<p>
On CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_auth_kerb</pre>
<p>
On Debian/Ubuntu:
</p>
<pre class="code shell">apt-get install libapache2-mod-auth-kerb</pre>
<p>
The module must be loaded by Apache (LoadModule directive).
</p>
</div>
<!-- SECTION "Apache Kerberos module" [1208-1518] -->
<h3><a name="kerberos_client_for_linux" id="kerberos_client_for_linux">Kerberos client for Linux</a></h3>
<div class="level3">
<p>
Edit <code>/etc/krb5.conf</code>:
</p>
<pre class="file">
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
</pre>
</div>
<!-- SECTION "Kerberos client for Linux" [1519-1796] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_1" id="connection_between_linux_and_active_directory_-_method_1">Connection between Linux and Active Directory - method 1</a></h3>
<div class="level3">
<p>
<p><div class="notetip">This method requires running a command on the Active Directory server and then transferring the keytab to the Linux server.
</div></p>
</p>
<p>
You have to run this command on Active Directory:
</p>
<pre class="code">
ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab
</pre>
<p>
The file <code>auth.keytab</code> should then be copied (with a secure media) to the Linux server (for example in <code>/etc/lemonldap-ng</code>).
</p>
<p>
Then, on the Linux server:
</p>
<pre class="code shell">kinit HTTP/auth.example.com
kvno HTTP/auth.example.com@EXAMPLE.COM
klist -e
kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com</pre>
</div>
<!-- SECTION "Connection between Linux and Active Directory - method 1" [1797-2577] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_2" id="connection_between_linux_and_active_directory_-_method_2">Connection between Linux and Active Directory - method 2</a></h3>
<div class="level3">
<p>
<p><div class="notetip">This method requires the <code>msktutil</code> program on the Linux server. You should be able to find a package for your distribution with a little search on the web.
</div></p>
</p>
<p>
Initiate the Kerberos connection:
</p>
<pre class="code">
kinit ssokerberos@EXAMPLE.COM
</pre>
<p>
Then create the keytab:
</p>
<ul>
<li class="level1"><div class="li"> Windows 2003 server:</div>
</li>
</ul>
<pre class="code">
rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b &quot;cn=COMPUTERS&quot; -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose
</pre>
<ul>
<li class="level1"><div class="li"> Windows 2008 server:</div>
</li>
</ul>
<pre class="code">
rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b &quot;cn=COMPUTERS&quot; -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose --enctypes 28
</pre>
<p>
<p><div class="noteimportant">The <code>--enctypes</code> option requires msktutil &gt; 0.4
</div></p>
</p>
<p>
Close the Kerberos connection:
</p>
<pre class="code">
kdestroy
</pre>
<p>
Change the rights on the keytab file so that the Apache user can read it:
</p>
<pre class="code">
chown apache /etc/lemonldap-ng/auth.keytab
</pre>
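<p>
Before giving the keytab to Apache it is worth checking what it actually contains. The following Python script is an added example, not part of the LemonLDAP::NG documentation: it parses the MIT keytab format that both <code>ktpass</code> (method 1) and <code>msktutil</code> (method 2) write, lists principal, kvno and enctype per entry, and flags single-DES keys, which is what the <code>ktpass</code> line above requests with <code>-crypto DES-CBC-MD5</code> and <code>+DesOnly</code> and which RFC 6649 deprecates. The two sample keytabs are constructed inline with dummy zero keys.
</p>

```python
import struct

DES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5: single-DES enctypes deprecated by RFC 6649

def _cstr(buf, pos):
    """Read a counted_octet_string (uint16 big-endian length, then the bytes); return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into dicts of principal, kvno and enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted slot, which is simply skipped
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _cstr(data, pos)
                comps.append(comp.decode())
            _, _, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)  # name_type, timestamp, vno8, enctype, key length
            pos += 13 + klen  # skip the fixed fields and the key material itself
            vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit kvno is optional
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno, "enctype": enctype})
        pos = end
    return entries

def check_keytab(data, principal):
    """List what to fix before giving the keytab to Apache: missing service principal, single-DES keys."""
    entries = parse_keytab(data)
    problems = [] if any(e["principal"] == principal for e in entries) else ["missing " + principal]
    return problems + ["%s kvno %d uses single-DES enctype %d" % (e["principal"], e["kvno"], e["enctype"])
                       for e in entries if e["enctype"] in DES]

def encode_entry(principal, kvno, enctype, key):
    """Encode one keytab entry; only used here to build the constructed samples below."""
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for comp in name.split("/"):
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

PRINCIPAL = "HTTP/auth.example.com@EXAMPLE.COM"
DES_KEYTAB = b"\x05\x02" + encode_entry(PRINCIPAL, 3, 3, bytes(8))  # constructed: DES-only, as the ktpass line yields
AES_KEYTAB = b"\x05\x02" + encode_entry(PRINCIPAL, 4, 18, bytes(32)) + encode_entry(PRINCIPAL, 4, 17, bytes(16))  # constructed: AES
```

<p>
On a real server, <code>klist -k -t -e /etc/lemonldap-ng/auth.keytab</code> prints the same information, and the kvno it shows must match the one <code>kvno HTTP/auth.example.com@EXAMPLE.COM</code> reports from the KDC.
</p>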
</div>
<!-- SECTION "Connection between Linux and Active Directory - method 2" [2578-3693] -->
<h3><a name="configuration_of_lemonldapng" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></h3>
<div class="level3">
<p>
In the Manager, go to <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose Apache for authentication.
</p>
<p>
<p><div class="notetip">You can then choose any other module for users and password.
</div></p>
</p>
<p>
You can also configure the authentication level for this module.
</p>
</div>
<!-- SECTION "Configuration of LemonLDAP::NG" [3694-3989] -->
<h3><a name="configuration_of_apache_virtual_host" id="configuration_of_apache_virtual_host">Configuration of Apache virtual host</a></h3>
<div class="level3">
<p>
Modify the portal virtual host:
</p>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *&gt;
<span class="kw1">ServerName</span> auth.example.com
&nbsp;
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/
&nbsp;
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/&gt;
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">Options</span> +ExecCGI
&nbsp;
&lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
<span class="kw1">AuthType</span> Kerberos
KrbMethodNegotiate <span class="kw2">On</span>
KrbMethodK5Passwd <span class="kw2">Off</span>
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/lemonldap-ng/auth.keytab
KrbVerifyKDC <span class="kw2">Off</span>
KrbServiceName HTTP/auth.example.com
<span class="kw1">require</span> valid-<span class="kw1">user</span>
&lt;/<span class="kw3">IfModule</span>&gt;
&nbsp;
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div>
<!-- SECTION "Configuration of Apache virtual host" [3990-4634] -->
<h3><a name="use_kerberos_with_multiple_authentication_backend" id="use_kerberos_with_multiple_authentication_backend">Use Kerberos with Multiple authentication backend</a></h3>
<div class="level3">
<p>
You may want to use the <a href="../../documentation/1.4/authmulti.html" class="wikilink1" title="documentation:1.4:authmulti">Multiple authentication backend</a> to fall back to another authentication method for users without a Kerberos ticket.
</p>
<p>
This needs some hacking because the Apache Kerberos authentication module does not work if <code>require valid-user</code> is not set.
</p>
<p>
To achieve this, follow these steps:
</p>
<ul>
<li class="level1"><div class="li"> Create a symlink to portal/index.pl to define the Kerberos authentication endpoint:</div>
</li>
</ul>
<pre class="code">
ln -s /var/lib/lemonldap-ng/portal/index.pl /var/lib/lemonldap-ng/portal/kerberos.pl
</pre>
<ul>
<li class="level1"><div class="li"> Create a redirection script, called login.pl:</div>
</li>
</ul>
<pre class="code">
vi /var/lib/lemonldap-ng/portal/login.pl
</pre>
<pre class="code file perl"><span class="co1">#!/usr/bin/perl</span>
<span class="kw2">use</span> CGI <span class="st_h">':cgi-lib'</span><span class="sy0">;</span>
<span class="kw2">use</span> strict<span class="sy0">;</span>
<span class="kw2">use</span> MIME<span class="sy0">::</span><span class="me2">Base64</span><span class="sy0">;</span>
<span class="kw2">use</span> CGI<span class="sy0">::</span><span class="me2">Carp</span> <span class="st_h">'fatalsToBrowser'</span><span class="sy0">;</span>
<span class="kw1">my</span> <span class="re0">$uri</span> <span class="sy0">=</span> <span class="re0">$ENV</span><span class="br0">&#123;</span><span class="st0">&quot;REDIRECT_QUERY_STRING&quot;</span><span class="br0">&#125;</span><span class="sy0">;</span>
<a href="http://perldoc.perl.org/functions/print.html"><span class="kw3">print</span></a> CGI<span class="sy0">::</span><span class="me2">header</span><span class="br0">&#40;</span><span class="sy0">-</span>Refresh <span class="sy0">=&gt;</span> <span class="st_h">'0; URL=http://auth.example.com/?'</span><span class="sy0">.</span><span class="re0">$uri</span><span class="br0">&#41;</span><span class="sy0">;</span>
<a href="http://perldoc.perl.org/functions/exit.html"><span class="kw3">exit</span></a><span class="br0">&#40;</span>0<span class="br0">&#41;</span><span class="sy0">;</span></pre>
<ul>
<li class="level1"><div class="li"> Modify the Apache virtual host to separate the Kerberos Authentication module:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *&gt;
<span class="kw1">ServerName</span> auth.example.com
&nbsp;
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/
&nbsp;
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/&gt;
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
<span class="kw1">ErrorDocument</span> 401 /login.pl
&lt;<span class="kw3">Location</span> /kerberos.pl&gt;
&lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
<span class="kw1">AuthType</span> Kerberos
KrbMethodNegotiate <span class="kw2">On</span>
KrbMethodK5Passwd <span class="kw2">Off</span>
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/lemonldap-ng/auth.keytab
KrbVerifyKDC <span class="kw2">Off</span>
KrbServiceName HTTP/auth.example.com
<span class="kw1">require</span> valid-<span class="kw1">user</span>
&lt;/<span class="kw3">IfModule</span>&gt;
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> Modify the LemonLDAP::NG Portal <acronym title="Uniform Resource Locator">URL</acronym> through the Manager to: <a href="http://auth.example.com/kerberos.pl" class="urlextern" title="http://auth.example.com/kerberos.pl" rel="nofollow">http://auth.example.com/kerberos.pl</a></div>
</li>
<li class="level1"><div class="li"> Configure Multiple authentication backend (for example: Apache;<acronym title="Lightweight Directory Access Protocol">LDAP</acronym>)</div>
</li>
<li class="level1"><div class="li"> Restart Apache</div>
</li>
</ul>
</div>
<!-- SECTION "Use Kerberos with Multiple authentication backend" [4635-6422] -->
<h3><a name="time_to_test" id="time_to_test">Time to test</a></h3>
<div class="level3">
<p>
Configure <acronym title="Internet Explorer">IE</acronym> or Firefox to trust <code><a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></code>, and then it should work!
</p>
</div>
<!-- SECTION "Time to test" [6423-] --></div><!-- closes <div class="dokuwiki export">-->