<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
 lang="en" dir="ltr">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />

</head>
<body>
<div class="dokuwiki export">

<h1><a name="apache" id="apache">Apache</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign"> ✔ </td><td class="col1"> </td><td class="col2"> </td>
</tr>
</table>

</div>
<!-- SECTION "Apache" [1-73] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">

<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> can delegate authentication to Apache, so it is possible to use any <a href="http://httpd.apache.org/docs/current/howto/auth.html" class="urlextern" title="http://httpd.apache.org/docs/current/howto/auth.html" rel="nofollow">Apache authentication module</a>, for example:
</p>
<ul>
<li class="level1"><div class="li"> <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/" rel="nofollow">Kerberos</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" class="urlextern" title="http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm" rel="nofollow">NTLM</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://freeradius.org/mod_auth_radius/" class="urlextern" title="http://freeradius.org/mod_auth_radius/" rel="nofollow">Radius</a></div>
</li>
<li class="level1"><div class="li"> …</div>
</li>
</ul>

<p>
<p><div class="notetip">The Apache authentication module sets the <code>REMOTE_USER</code> environment variable, which <acronym title="LemonLDAP::NG">LL::NG</acronym> reads to identify the authenticated user.
</div></p>
</p>

<p>
<p><div class="noteclassic">This documentation focuses on the Kerberos authentication module, which allows, for example, transparent authentication of Active Directory users (as Active Directory is a Kerberos server).
</div></p>
</p>

<p>
The following sample parameters will be used:
</p>
<ul>
<li class="level1"><div class="li"> <strong>EXAMPLE.COM</strong>: Kerberos realm</div>
</li>
<li class="level1"><div class="li"> <strong><acronym title="Hyper Text Transfer Protocol">HTTP</acronym></strong>: Service name</div>
</li>
<li class="level1"><div class="li"> <strong>auth.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> name of the portal</div>
</li>
<li class="level1"><div class="li"> <strong>ad.example.com</strong>: <acronym title="Domain Name System">DNS</acronym> name of the Active Directory server</div>
</li>
<li class="level1"><div class="li"> <strong>cn=ssokerberos,cn=users,dc=example,dc=com</strong>: <acronym title="Distinguished Name">DN</acronym> of the AD technical account</div>
</li>
<li class="level1"><div class="li"> <strong>complicatedpassword</strong>: Password of the AD technical account</div>
</li>
</ul>

</div>
<!-- SECTION "Presentation" [74-1180] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">

</div>
<!-- SECTION "Configuration" [1181-1207] -->
<h3><a name="apache_kerberos_module" id="apache_kerberos_module">Apache Kerberos module</a></h3>
<div class="level3">

<p>
The module can be found <a href="http://modauthkerb.sourceforge.net/" class="urlextern" title="http://modauthkerb.sourceforge.net/" rel="nofollow">here</a>.
</p>

<p>
On CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_auth_kerb</pre>

<p>
On Debian/Ubuntu:
</p>
<pre class="code shell">apt-get install libapache2-mod-auth-kerb</pre>

<p>
The module must be loaded by Apache (<code>LoadModule</code> directive).
</p>

</div>
<!-- SECTION "Apache Kerberos module" [1208-1518] -->
<h3><a name="kerberos_client_for_linux" id="kerberos_client_for_linux">Kerberos client for Linux</a></h3>
<div class="level3">

<p>
Edit <code>/etc/krb5.conf</code>:
</p>
<pre class="file">
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
</pre>

</div>
<!-- SECTION "Kerberos client for Linux" [1519-1796] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_1" id="connection_between_linux_and_active_directory_-_method_1">Connection between Linux and Active Directory - method 1</a></h3>
<div class="level3">

<p>
<p><div class="notetip">This method requires running a command on the Active Directory server and then transferring the resulting keytab to the Linux server.
</div></p>
</p>

<p>
Run this command on the Active Directory server:
</p>
<pre class="code">
ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab
</pre>

<p>
The file <code>auth.keytab</code> should then be copied (using a secure medium) to the Linux server (for example into <code>/etc/lemonldap-ng</code>).
</p>

<p>
Then, on the Linux server:
</p>
<pre class="code shell">kinit HTTP/auth.example.com
kvno HTTP/auth.example.com@EXAMPLE.COM
klist -e
kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com</pre>

</div>
<!-- SECTION "Connection between Linux and Active Directory - method 1" [1797-2577] -->
<h3><a name="connection_between_linux_and_active_directory_-_method_2" id="connection_between_linux_and_active_directory_-_method_2">Connection between Linux and Active Directory - method 2</a></h3>
<div class="level3">

<p>
<p><div class="notetip">This method requires the <code>msktutil</code> program on the Linux server. You should be able to find a package for your distribution with a little search on the web.
</div></p>
</p>

<p>
Initiate the Kerberos connection:
</p>
<pre class="code">
kinit ssokerberos@EXAMPLE.COM
</pre>

<p>
Then create the keytab:
</p>
<ul>
<li class="level1"><div class="li"> Windows 2003 server:</div>
</li>
</ul>
<pre class="code">
rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b "cn=COMPUTERS" -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose
</pre>
<ul>
<li class="level1"><div class="li"> Windows 2008 server:</div>
</li>
</ul>
<pre class="code">
rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b "cn=COMPUTERS" -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose --enctypes 28
</pre>

<p>
<p><div class="noteimportant">Option <code>--enctypes</code> requires msktutil &gt; 0.4
</div></p>
</p>

<p>
Close the Kerberos connection:
</p>
<pre class="code">
kdestroy
</pre>

<p>
Change the rights on the keytab file:
</p>
<pre class="code">
chown apache /etc/lemonldap-ng/auth.keytab
</pre>
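<p>
Added example, not part of the LemonLDAP::NG documentation: a POSIX shell script that checks the keytab produced by either method above (expected principal present, no single-DES or RC4 keys, readable only by the web server user, since <code>chown</code> sets the owner but leaves the mode unchanged). It assumes the names used on this page (<code>/etc/lemonldap-ng/auth.keytab</code>, <code>HTTP/auth.example.com@EXAMPLE.COM</code>, user <code>apache</code>) and, for the live run, <code>klist</code> and GNU <code>stat</code>; the parsing functions also work offline on pasted <code>klist -kte</code> output.
</p>

```sh
#!/bin/sh
# Added example (not from the LemonLDAP::NG docs): sanity-check the
# service keytab before mod_auth_kerb uses it. Assumed: the paths and
# names used on this page, klist and GNU stat for the live run.
KEYTAB=/etc/lemonldap-ng/auth.keytab
PRINCIPAL='HTTP/auth.example.com@EXAMPLE.COM'
WEBUSER=apache

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text of `klist -kte KEYTAB`; succeeds if PRINCIPAL is listed.
keytab_has_principal() {
  printf '%s\n' "$1" | grep -q -F "$2"
}

# keytab_weak_enctypes LISTING
# Prints the entries keyed with single DES or RC4 (the enctypes that
# method 1's ktpass -crypto DES-CBC-MD5 / +DesOnly produces) and fails
# when any is present; succeeds when only stronger entries remain.
keytab_weak_enctypes() {
  weak=$(printf '%s\n' "$1" | grep -E -i 'des-cbc|arcfour|rc4' || true)
  [ -z "$weak" ] && return 0
  printf '%s\n' "$weak"
  return 1
}

# keytab_perms_ok MODE OWNER
# MODE as printed by `stat -c %a`, OWNER by `stat -c %U`. The keytab
# is the service's long-term key, so only the web server user may read
# it: the chown step sets the owner but leaves the mode unchanged.
keytab_perms_ok() {
  [ "$2" = "$WEBUSER" ] || return 1
  case "$1" in
    400|600|440|640) return 0 ;;
    *) return 1 ;;
  esac
}

# Live run on the portal host (skipped when the keytab or klist is missing).
if [ -r "$KEYTAB" ] && command -v klist >/dev/null 2>&1; then
  listing=$(klist -kte "$KEYTAB")
  keytab_has_principal "$listing" "$PRINCIPAL" || echo "missing: $PRINCIPAL"
  keytab_weak_enctypes "$listing" || echo "weak enctypes present"
  keytab_perms_ok "$(stat -c %a "$KEYTAB")" "$(stat -c %U "$KEYTAB")" \
    || echo "fix permissions: chown $WEBUSER $KEYTAB; chmod 600 $KEYTAB"
fi
```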

</div>
<!-- SECTION "Connection between Linux and Active Directory - method 2" [2578-3693] -->
<h3><a name="configuration_of_lemonldapng" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></h3>
<div class="level3">

<p>
In Manager, go to <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose Apache for authentication.
</p>

<p>
<p><div class="notetip">You can then choose any other module for users and password.
</div></p>
</p>

<p>
You can also configure the authentication level for this module.
</p>

</div>
<!-- SECTION "Configuration of LemonLDAP::NG" [3694-3989] -->
<h3><a name="configuration_of_apache_virtual_host" id="configuration_of_apache_virtual_host">Configuration of Apache virtual host</a></h3>
<div class="level3">

<p>
Modify the portal virtual host:
</p>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *&gt;
    <span class="kw1">ServerName</span> auth.example.com

    <span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/

    &lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/&gt;
        <span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
        <span class="kw1">Allow</span> from <span class="kw2">all</span>
        <span class="kw1">Options</span> +ExecCGI

        &lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
            <span class="kw1">AuthType</span> Kerberos
            KrbMethodNegotiate <span class="kw2">On</span>
            KrbMethodK5Passwd <span class="kw2">Off</span>
            KrbAuthRealms EXAMPLE.COM
            Krb5KeyTab /etc/lemonldap-ng/auth.keytab
            KrbVerifyKDC <span class="kw2">Off</span>
            KrbServiceName HTTP/auth.example.com
            <span class="kw1">require</span> valid-<span class="kw1">user</span>
        &lt;/<span class="kw3">IfModule</span>&gt;

    &lt;/<span class="kw3">Directory</span>&gt;

&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>

</div>
<!-- SECTION "Configuration of Apache virtual host" [3990-4634] -->
<h3><a name="use_kerberos_with_multiple_authentication_backend" id="use_kerberos_with_multiple_authentication_backend">Use Kerberos with Multiple authentication backend</a></h3>
<div class="level3">

<p>
You may want to use the <a href="../../documentation/1.4/authmulti.html" class="wikilink1" title="documentation:1.4:authmulti">Multiple authentication backend</a> to fall back to another authentication method for users without a Kerberos ticket.
</p>

<p>
This needs some hacking because the Apache Kerberos authentication module does not work if <code>require valid-user</code> is not set.
</p>

<p>
To achieve this, follow these steps:
</p>
<ul>
<li class="level1"><div class="li"> Create a symlink to portal/index.pl to define the Kerberos authentication endpoint:</div>
</li>
</ul>
<pre class="code">
ln -s /var/lib/lemonldap-ng/portal/index.pl /var/lib/lemonldap-ng/portal/kerberos.pl
</pre>
<ul>
<li class="level1"><div class="li"> Create a redirection script, called login.pl:</div>
</li>
</ul>
<pre class="code">
vi /var/lib/lemonldap-ng/portal/login.pl
</pre>
<pre class="code file perl"><span class="co1">#!/usr/bin/perl</span>
<span class="co1"># Run by Apache as the 401 ErrorDocument when the Kerberos endpoint rejects the request:</span>
<span class="co1"># send the browser back to the portal with the original query string, so that the next</span>
<span class="co1"># module of the Multiple authentication backend can take over.</span>
<span class="kw2">use</span> CGI <span class="st_h">':cgi-lib'</span><span class="sy0">;</span>
<span class="kw2">use</span> strict<span class="sy0">;</span>
<span class="kw2">use</span> MIME<span class="sy0">::</span><span class="me2">Base64</span><span class="sy0">;</span>
<span class="kw2">use</span> CGI<span class="sy0">::</span><span class="me2">Carp</span> <span class="st_h">'fatalsToBrowser'</span><span class="sy0">;</span>
<span class="co1"># Apache exposes the query string of the failed request as REDIRECT_QUERY_STRING.</span>
<span class="kw1">my</span> <span class="re0">$uri</span> <span class="sy0">=</span> <span class="re0">$ENV</span><span class="br0">{</span><span class="st0">"REDIRECT_QUERY_STRING"</span><span class="br0">}</span> <span class="sy0">||</span> <span class="st_h">''</span><span class="sy0">;</span>
<a href="http://perldoc.perl.org/functions/print.html"><span class="kw3">print</span></a> CGI<span class="sy0">::</span><span class="me2">header</span><span class="br0">(</span><span class="sy0">-</span>Refresh <span class="sy0">=&gt;</span> <span class="st_h">'0; URL=http://auth.example.com/?'</span><span class="sy0">.</span><span class="re0">$uri</span><span class="br0">)</span><span class="sy0">;</span>
<a href="http://perldoc.perl.org/functions/exit.html"><span class="kw3">exit</span></a><span class="br0">(</span>0<span class="br0">)</span><span class="sy0">;</span></pre>
<ul>
<li class="level1"><div class="li"> Modify the Apache virtual host to separate the Kerberos authentication module:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *&gt;
    <span class="kw1">ServerName</span> auth.example.com

    <span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/

    &lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/&gt;
        <span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
        <span class="kw1">Allow</span> from <span class="kw2">all</span>
        <span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
    &lt;/<span class="kw3">Directory</span>&gt;

    <span class="co1"># A 401 from the Kerberos endpoint runs login.pl, which sends the user back to the portal</span>
    <span class="kw1">ErrorDocument</span> 401 /login.pl
    <span class="co1"># Kerberos is negotiated only on /kerberos.pl, so the other backends can serve the rest of the portal</span>
    &lt;<span class="kw3">Location</span> /kerberos.pl&gt;
        &lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
            <span class="kw1">AuthType</span> Kerberos
            KrbMethodNegotiate <span class="kw2">On</span>
            KrbMethodK5Passwd <span class="kw2">Off</span>
            KrbAuthRealms EXAMPLE.COM
            Krb5KeyTab /etc/lemonldap-ng/auth.keytab
            KrbVerifyKDC <span class="kw2">Off</span>
            KrbServiceName HTTP/auth.example.com
            <span class="kw1">require</span> valid-<span class="kw1">user</span>
        &lt;/<span class="kw3">IfModule</span>&gt;
    &lt;/<span class="kw3">Location</span>&gt;

&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> Modify the LemonLDAP::NG Portal <acronym title="Uniform Resource Locator">URL</acronym> through Manager to: <a href="http://auth.example.com/kerberos.pl" class="urlextern" title="http://auth.example.com/kerberos.pl" rel="nofollow">http://auth.example.com/kerberos.pl</a></div>
</li>
<li class="level1"><div class="li"> Configure Multiple authentication backend (for example: Apache;<acronym title="Lightweight Directory Access Protocol">LDAP</acronym>)</div>
</li>
<li class="level1"><div class="li"> Restart Apache</div>
</li>
</ul>

</div>
<!-- SECTION "Use Kerberos with Multiple authentication backend" [4635-6422] -->
<h3><a name="time_to_test" id="time_to_test">Time to test</a></h3>
<div class="level3">

<p>
Configure <acronym title="Internet Explorer">IE</acronym> or Firefox to trust <code><a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></code>, and then it should work!
</p>
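<p>
Added example, not part of the LemonLDAP::NG documentation, covering the virtual host configuration, the multi-backend fallback and this test step: a POSIX shell script that requests the Kerberos endpoint with <code>curl</code> and checks the answer a browser will get (a 401 with a Negotiate challenge, no Basic challenge since <code>KrbMethodK5Passwd</code> is <code>Off</code>, and the <code>Refresh</code> target that <code>login.pl</code> sends ticket-less users to). It assumes the names used on this page, <code>curl</code> built with GSS-API support and a TGT obtained with <code>kinit</code> for the authenticated request; the parsing functions also work offline on pasted response headers.
</p>

```sh
#!/bin/sh
# Added example (not from the LemonLDAP::NG docs): check from the shell
# what the browser will see. Assumed: names from this page, curl built
# with GSS-API, and a TGT from kinit for the authenticated request.
KRB_ENDPOINT='http://auth.example.com/kerberos.pl'

# status_of HEAD: prints the status code of a raw response head (curl -D -).
status_of() {
  printf '%s\n' "$1" | sed -n 's#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p' | tail -n 1
}

# offers_negotiate HEAD: succeeds if the response is a 401 carrying a
# Negotiate challenge, which is what KrbMethodNegotiate On must produce.
offers_negotiate() {
  [ "$(status_of "$1")" = 401 ] || return 1
  printf '%s\n' "$1" | grep -q -i '^WWW-Authenticate: *Negotiate'
}

# offers_basic HEAD: succeeds if a Basic challenge is present. With
# KrbMethodK5Passwd Off there must be none: a Basic challenge on this
# http:// virtual host would make browsers send the AD password in clear.
offers_basic() {
  printf '%s\n' "$1" | grep -q -i '^WWW-Authenticate: *Basic'
}

# fallback_target HEAD: in the multi-backend setup login.pl, run as the
# 401 ErrorDocument, answers with a Refresh header; prints the URL a
# ticket-less user is sent to, or nothing when there is no fallback.
fallback_target() {
  printf '%s\n' "$1" | grep -i '^Refresh:' | sed 's/^[^=]*URL=//' | tr -d '\r'
}

# Live checks, run only on request (RUN_LIVE=1) so the functions can
# also be used offline on pasted headers.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v curl >/dev/null 2>&1; then
  anon=$(curl -s --max-time 10 -D - -o /dev/null "$KRB_ENDPOINT")
  offers_negotiate "$anon" || echo "no Negotiate challenge on $KRB_ENDPOINT"
  ! offers_basic "$anon" || echo "Basic challenge offered: check KrbMethodK5Passwd"
  echo "ticket-less users are sent to: $(fallback_target "$anon")"
  # With a TGT in the credential cache, curl answers the challenge itself.
  auth=$(curl -s --max-time 10 -D - -o /dev/null --negotiate -u : "$KRB_ENDPOINT")
  echo "authenticated request status: $(status_of "$auth")"
fi
```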

</div>
<!-- SECTION "Time to test" [6423-] --></div><!-- closes <div class="dokuwiki export">-->
</body>
</html>