<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:kerberos</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="index,follow"/>
|
|
<meta name="keywords" content="documentation,2.0,kerberos"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="kerberos.html"/>
|
|
<link rel="contents" href="kerberos.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:kerberos","namespace":"documentation:2.0"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="https://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="https://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
<!-- TOC START -->
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#prerequisites">Prerequisites</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#example_values">Example values</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#server_time">Server time</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#dns">DNS</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#ad_accounts">AD accounts</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#web_browser_configuration">Web browser configuration</a></div>
|
|
<ul class="toc">
|
|
<li class="level3"><div class="li"><a href="#firefox">Firefox</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#internet_explorer">Internet Explorer</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level2"><div class="li"><a href="#apache_kerberos_module_installation">Apache Kerberos module installation</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#single_llng_serversingle_ad_domain">Single LL::NG Server / Single AD domain</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#client_kerberos_configuration">Client Kerberos configuration</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#obtain_keytab_file">Obtain keytab file</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#configuration_of_portal_virtual_host">Configuration of portal virtual host</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#redirection_script">Redirection script</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#llng_clustersingle_ad_domain">LL::NG Cluster / Single AD domain</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#client_kerberos_configuration1">Client Kerberos configuration</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#obtain_keytab_file1">Obtain keytab file</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng1">Configuration of LemonLDAP::NG</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#configuration_of_portal_virtual_host1">Configuration of portal virtual host</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#llng_clustertwo_ad_domains">LL::NG Cluster / Two AD domains</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#client_kerberos_configuration2">Client Kerberos configuration</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#obtain_keytab_file2">Obtain keytab file</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng2">Configuration of LemonLDAP::NG</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#configuration_of_portal_virtual_host2">Configuration of portal virtual host</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- TOC END -->
|
|
|
|
<h1 class="sectionedit1" id="kerberos">Kerberos</h1>
|
|
<div class="level1">
|
|
|
|
</div>
|
|
<!-- EDIT1 SECTION "Kerberos" [1-24] -->
|
|
<h2 class="sectionedit2" id="presentation">Presentation</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
This documentation explains how to use Active Directory as the Kerberos server and provide transparent (SPNEGO/Negotiate) authentication to <abbr title="LemonLDAP::NG">LL::NG</abbr> for AD domain users.
|
|
</p>
|
|
|
|
<p>
|
|
We will present several architectures:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Single <abbr title="LemonLDAP::NG">LL::NG</abbr> server linked to one AD domain</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to one AD domain</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to two AD domains</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT2 SECTION "Presentation" [25-376] -->
|
|
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT3 SECTION "Prerequisites" [377-403] -->
|
|
<h3 class="sectionedit4" id="example_values">Example values</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
We will use the following values in our examples
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>EXAMPLE.COM</strong>: First AD domain</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>ACME.COM</strong>: Second AD domain</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>auth.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>authpwd.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal used to fall back to form-based authentication when Kerberos negotiation fails</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>node1.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the first <abbr title="LemonLDAP::NG">LL::NG</abbr> portal server (in cluster mode)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>node2.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the second <abbr title="LemonLDAP::NG">LL::NG</abbr> portal server (in cluster mode)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>ad.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of First Active Directory</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>ad.acme.com</strong>: <abbr title="Domain Name System">DNS</abbr> of Second Active Directory</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>KERB_AUTH</strong>: AD account to generate the keytab for <abbr title="LemonLDAP::NG">LL::NG</abbr> server (in single mode)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>KERB_NODE1</strong>: AD account to generate the keytab for the first <abbr title="LemonLDAP::NG">LL::NG</abbr> server (in cluster mode)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>KERB_NODE2</strong>: AD account to generate the keytab for the second <abbr title="LemonLDAP::NG">LL::NG</abbr> server (in cluster mode)</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT4 SECTION "Example values" [404-1263] -->
|
|
<h3 class="sectionedit5" id="server_time">Server time</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
It is mandatory that <abbr title="LemonLDAP::NG">LL::NG</abbr> servers and AD servers have synchronized clocks: Kerberos rejects tickets and authenticators whose timestamps fall outside the allowed clock skew (5 minutes by default), so authentication fails as soon as the clocks drift. Use NTP on every <abbr title="LemonLDAP::NG">LL::NG</abbr> node and on the domain controllers.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT5 SECTION "Server time" [1264-1399] -->
|
|
<h3 class="sectionedit6" id="dns">DNS</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
All names (portal, cluster nodes, domain controllers) must be registered in the <abbr title="Domain Name System">DNS</abbr> server, which is Active Directory here. Reverse <abbr title="Domain Name System">DNS</abbr> should also resolve for all of them: clients derive the service principal name (HTTP/hostname) from the name they resolve, so a wrong or missing record makes the browser request a ticket for a principal that is not in the server's keytab.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT6 SECTION "DNS" [1400-1543] -->
|
|
<h3 class="sectionedit7" id="ad_accounts">AD accounts</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
It is recommended to create a dedicated AD account for each <abbr title="LemonLDAP::NG">LL::NG</abbr> server, with a strong random password and no privileges beyond holding the Service Principal Name (SPN) of that server. The account's long-term key is what ends up in the server's keytab, so a compromised node exposes only its own SPN.
|
|
</p>
|
|
<div class="notetip">It should be possible to use a single account for all SPNs, but this requires extra manipulations on AD (the <code>setspn</code> command) that are not documented here.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT7 SECTION "AD accounts" [1544-1884] -->
|
|
<h3 class="sectionedit8" id="web_browser_configuration">Web browser configuration</h3>
|
|
<div class="level3">
|
|
|
|
</div>
|
|
|
|
<h4 id="firefox">Firefox</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
Type <code>about:config</code> in a tab and search for <code>trusted</code>. Then edit the property <code>network.negotiate-auth.trusted-uris</code>. Prefer the most specific value possible, for example <code>https://auth.example.com</code>: a bare domain such as <code>example.com</code> lets the browser negotiate Kerberos with every host under that domain, which needlessly widens the set of servers that can obtain the user's service tickets.
|
|
</p>
|
|
|
|
</div>
|
|
|
|
<h4 id="internet_explorer">Internet Explorer</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
Add <code><a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></code> as trusted site.
|
|
</p>
|
|
|
|
<p>
|
|
In the security settings of that zone, check that Integrated Windows Authentication (automatic logon with the current user name and password) is allowed; otherwise Internet Explorer will not send the Negotiate token.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT8 SECTION "Web browser configuration" [1885-2244] -->
|
|
<h3 class="sectionedit9" id="apache_kerberos_module_installation">Apache Kerberos module installation</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
On CentOS/RHEL:
|
|
</p>
|
|
<pre class="code shell">yum install mod_auth_kerb</pre>
|
|
|
|
<p>
|
|
On Debian/Ubuntu:
|
|
</p>
|
|
<pre class="code shell">apt-get install libapache2-mod-auth-kerb</pre>
|
|
|
|
<p>
|
|
The module must be loaded by Apache (<code>LoadModule</code> directive). Note that mod_auth_kerb is no longer actively maintained; on recent distributions <code>mod_auth_gssapi</code> is the usual replacement, but the directives used in this page are mod_auth_kerb's.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT9 SECTION "Apache Kerberos module installation" [2245-2497] -->
|
|
<h2 class="sectionedit10" id="single_llng_serversingle_ad_domain">Single LL::NG Server / Single AD domain</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT10 SECTION "Single LL::NG Server / Single AD domain" [2498-2550] -->
|
|
<h3 class="sectionedit11" id="client_kerberos_configuration">Client Kerberos configuration</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
On <abbr title="LemonLDAP::NG">LL::NG</abbr> server, edit <code>/etc/krb5.conf</code>:
|
|
</p>
|
|
<pre class="code file ini"><span class="re0"><span class="br0">[</span>libdefaults<span class="br0">]</span></span>
|
|
<span class="re1">default_realm</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span><span class="re2"> false</span>
|
|
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span><span class="re2"> no</span>
|
|
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span><span class="re2"> 24h</span>
|
|
<span class="re1">forwardable</span> <span class="sy0">=</span><span class="re2"> yes</span>
|
|
<span class="re1">renewable</span> <span class="sy0">=</span><span class="re2"> true</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>realms<span class="br0">]</span></span>
|
|
EXAMPLE.COM <span class="sy0">=</span><span class="re2"> <span class="br0">{</span></span>
|
|
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="br0">}</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>domain_realm<span class="br0">]</span></span>
|
|
.example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span></pre>
|
|
|
|
<p>
|
|
You can check that Kerberos is working by trying to get a ticket for a user of the domain (for example coudot):
|
|
</p>
|
|
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
|
|
|
|
<p>
|
|
You should be prompted for the user's password. Then list the tickets:
|
|
</p>
|
|
<pre class="code">klist -e</pre>
|
|
|
|
<p>
|
|
You should see a krbtgt ticket:
|
|
</p>
|
|
<pre class="code">Valid starting Expires Service principal
|
|
06/04/15 15:43:24 06/05/15 01:43:29 krbtgt/EXAMPLE.COM@EXAMPLE.COM
|
|
renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96</pre>
|
|
|
|
<p>
|
|
You can then close the Kerberos session:
|
|
</p>
|
|
<pre class="code">kdestroy</pre>
|
|
|
|
</div>
|
|
<!-- EDIT11 SECTION "Client Kerberos configuration" [2551-3552] -->
|
|
<h3 class="sectionedit12" id="obtain_keytab_file">Obtain keytab file</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
You have to run this command on an Active Directory domain controller, with an account allowed to modify <code>KERB_AUTH</code>. Be aware that <code>-pass</code> resets the password of the mapped account, and that the resulting keytab contains that account's long-term key: treat the file as a secret equivalent to the account's password.
|
|
</p>
|
|
<pre class="code">ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser KERB_AUTH@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <PASSWORD> -out c:\auth.keytab</pre>
|
|
<div class="noteimportant">The values passed in -crypto and -ptype depend on the Active Directory version and on the Windows version of the workstations. DES is cryptographically broken and is disabled by default on current Windows versions (this is the case for Windows 8 workstations, for example), so do not rely on <code>DES-CBC-MD5</code>. Prefer <code>AES256-SHA1</code> (or <code>AES128-SHA1</code>) when the domain and workstations support it; <code>RC4-HMAC-NT</code> works with older systems but is deprecated. The encryption type chosen here must match what the workstations can use, and it is what you will see in the keytab check below.
|
|
|
|
</div>
|
|
<p>
|
|
The file <code>auth.keytab</code> should then be copied to the Linux server over a secure channel (for example scp, or a physically protected medium), for example into <code>/etc/lemonldap-ng</code>. Delete the copy left on the domain controller (<code>c:\auth.keytab</code>) once the transfer is done.
|
|
</p>
|
|
|
|
<p>
|
|
Restrict the keytab to the Apache user (<code>apache</code> on CentOS/RHEL, <code>www-data</code> on Debian/Ubuntu) so that no other local user can read it:
|
|
</p>
|
|
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
|
|
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
|
|
|
|
<p>
|
|
You can check the validity of the keytab file by trying to request a service ticket, and compare the result with the keytab content.
|
|
</p>
|
|
|
|
<p>
|
|
Open a Kerberos session (like done in the previous step):
|
|
</p>
|
|
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
|
|
|
|
<p>
|
|
Request a service ticket:
|
|
</p>
|
|
<pre class="code">kvno HTTP/auth.example.com@EXAMPLE.COM</pre>
|
|
|
|
<p>
|
|
The result of the command should be:
|
|
</p>
|
|
<pre class="code">HTTP/auth.example.com@EXAMPLE.COM: kvno = 3</pre>
|
|
|
|
<p>
|
|
Read the service ticket:
|
|
</p>
|
|
<pre class="code">klist -e</pre>
|
|
|
|
<p>
|
|
You should see this kind of ticket:
|
|
</p>
|
|
<pre class="code">06/04/15 16:28:49 06/05/15 02:28:11 HTTP/auth.example.com@EXAMPLE.COM
|
|
renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac</pre>
|
|
|
|
<p>
|
|
You can close the Kerberos session:
|
|
</p>
|
|
<pre class="code">kdestroy</pre>
|
|
|
|
<p>
|
|
Now you can compare the above result with the content of the keytab file:
|
|
</p>
|
|
<pre class="code">klist -e -k -t /etc/lemonldap-ng/auth.keytab</pre>
|
|
|
|
<p>
|
|
The result of the command should be:
|
|
</p>
|
|
<pre class="code">Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
|
|
KVNO Timestamp Principal
|
|
---- ----------------- --------------------------------------------------------
|
|
3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)</pre>
|
|
|
|
<p>
|
|
The important things to check are:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> KVNO must be the same (a mismatch means the account's key changed after the keytab was generated, for example because <code>ktpass</code> was run again, and the keytab must be regenerated)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Principal names must be the same</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Encryption types must be the same</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT12 SECTION "Obtain keytab file" [3553-5681] -->
|
|
<h3 class="sectionedit13" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
See <a href="authapache.html#llng" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module configuration</a>.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT13 SECTION "Configuration of LemonLDAP::NG" [5682-5793] -->
|
|
<h3 class="sectionedit14" id="configuration_of_portal_virtual_host">Configuration of portal virtual host</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
First, copy the current portal virtual host definition into a new one. Use <code>authpwd</code> server name for this virtual host:
|
|
</p>
|
|
<pre class="code file apache"><<span class="kw3">VirtualHost</span> *>
|
|
<span class="kw1">ServerName</span> authpwd.example.com
|
|
|
|
...
|
|
|
|
</<span class="kw3">VirtualHost</span>></pre>
|
|
|
|
<p>
|
|
This virtual host will be used by clients that cannot complete Kerberos negotiation (machines outside the domain, browsers not configured for it, or an unreachable KDC).
|
|
</p>
|
|
|
|
<p>
|
|
Then, modify the main portal virtual host to load the Apache Kerberos authentication module. Two directives below matter for security: <code>KrbMethodK5Passwd Off</code> disables the Basic-authentication fallback, so the user's password never transits to the portal; and <code>KrbVerifyKDC Off</code> disables the check that protects that password method against KDC spoofing, which is acceptable only because the password method is disabled. If you ever turn <code>KrbMethodK5Passwd</code> on, set <code>KrbVerifyKDC On</code> as well. Only the Negotiate (SPNEGO) method, validated against the keytab, is used here:
|
|
</p>
|
|
<pre class="code file apache"><<span class="kw3">VirtualHost</span> *>
|
|
<span class="kw1">ServerName</span> auth.example.com
|
|
|
|
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/
|
|
|
|
<<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/>
|
|
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
|
|
<span class="kw1">Allow</span> from <span class="kw2">all</span>
|
|
<span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
|
|
</<span class="kw3">Directory</span>>
|
|
|
|
<span class="kw1">ErrorDocument</span> <span class="nu0">401</span> /login.pl
|
|
<<span class="kw3">LocationMatch</span> ^/(?!login.pl)>
|
|
<<span class="kw3">IfModule</span> auth_kerb_module>
|
|
<span class="kw1">AuthType</span> Kerberos
|
|
KrbMethodNegotiate <span class="kw2">On</span>
|
|
KrbMethodK5Passwd <span class="kw2">Off</span>
|
|
KrbAuthRealms EXAMPLE.COM
|
|
Krb5KeyTab /etc/lemonldap-ng/auth.keytab
|
|
KrbVerifyKDC <span class="kw2">Off</span>
|
|
KrbServiceName HTTP/auth.example.com
|
|
<span class="kw1">require</span> valid-<span class="kw1">user</span>
|
|
</<span class="kw3">IfModule</span>>
|
|
</<span class="kw3">LocationMatch</span>>
|
|
|
|
</<span class="kw3">VirtualHost</span>></pre>
|
|
|
|
</div>
|
|
<!-- EDIT14 SECTION "Configuration of portal virtual host" [5794-6901] -->
|
|
<h3 class="sectionedit15" id="redirection_script">Redirection script</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Create a redirection script, called <code>login.pl</code>. It is served on 401 responses (see the <code>ErrorDocument</code> directive above) and sends the browser to the same path on the form-based host; the target host is hard-coded, so the <code>REQUEST_URI</code> it appends cannot redirect users off-site. Remove the <code>CGI::Carp 'fatalsToBrowser'</code> import in production: it prints Perl error details to the client.
|
|
</p>
|
|
<pre class="code">vi /var/lib/lemonldap-ng/portal/login.pl</pre>
|
|
<pre class="code file perl"><span class="co1">#!/usr/bin/perl</span>
|
|
<span class="kw2">use</span> CGI <span class="st_h">':cgi-lib'</span><span class="sy0">;</span>
|
|
<span class="kw2">use</span> strict<span class="sy0">;</span>
|
|
<span class="kw2">use</span> CGI<span class="sy0">::</span><span class="me2">Carp</span> <span class="st_h">'fatalsToBrowser'</span><span class="sy0">;</span>
|
|
<span class="kw1">my</span> <span class="re0">$uri</span> <span class="sy0">=</span> <span class="re0">$ENV</span><span class="br0">{</span><span class="st0">"REQUEST_URI"</span><span class="br0">}</span><span class="sy0">;</span>
|
|
<a href="http://perldoc.perl.org/functions/print.html"><span class="kw3">print</span></a> CGI<span class="sy0">::</span><span class="me2">header</span><span class="br0">(</span><span class="sy0">-</span>Refresh <span class="sy0">=></span> <span class="st_h">'0; URL=https://authpwd.example.com'</span><span class="sy0">.</span><span class="re0">$uri</span><span class="br0">)</span><span class="sy0">;</span>
|
|
<a href="http://perldoc.perl.org/functions/exit.html"><span class="kw3">exit</span></a><span class="br0">(</span><span class="nu0">0</span><span class="br0">)</span><span class="sy0">;</span></pre>
|
|
<div class="notetip">The redirection script is only needed if you use a fallback authentication. If not, you can keep a single virtual host (the authentication fails if Kerberos negotiation does not succeed).
|
|
</div>
|
|
</div>
|
|
<!-- EDIT15 SECTION "Redirection script" [6902-7459] -->
|
|
<h2 class="sectionedit16" id="llng_clustersingle_ad_domain">LL::NG Cluster / Single AD domain</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT16 SECTION "LL::NG Cluster / Single AD domain" [7460-7506] -->
|
|
<h3 class="sectionedit17" id="client_kerberos_configuration1">Client Kerberos configuration</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The client Kerberos configuration is the same as a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT17 SECTION "Client Kerberos configuration" [7507-7621] -->
|
|
<h3 class="sectionedit18" id="obtain_keytab_file1">Obtain keytab file</h3>
|
|
<div class="level3">
|
|
<div class="noteimportant">You need to get a keytab for each <abbr title="LemonLDAP::NG">LL::NG</abbr> node.
|
|
</div>
|
|
<p>
|
|
Commands on Active Directory will be (same remarks as for a single server: <code>-pass</code> resets each account's password, and <code>DES-CBC-MD5</code> should be replaced by an encryption type your domain supports):
|
|
</p>
|
|
<pre class="code">ktpass -princ HTTP/node1.example.com@EXAMPLE.COM -mapuser KERB_NODE1@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <PASSWORD> -out c:\authnode1.keytab
|
|
ktpass -princ HTTP/node2.example.com@EXAMPLE.COM -mapuser KERB_NODE2@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <PASSWORD> -out c:\authnode2.keytab</pre>
|
|
|
|
<p>
|
|
Copy each generated keytab to its own node over a secure channel (rename it <code>auth.keytab</code> so that the Apache configuration is identical on every node). Each node must only receive the keytab holding its own principal.
|
|
</p>
|
|
|
|
<p>
|
|
Change rights on keytab file:
|
|
</p>
|
|
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
|
|
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
|
|
<div class="notetip">You can do the same check for the keytab as with the single <abbr title="LemonLDAP::NG">LL::NG</abbr> server. Just use node1.example.com and node2.example.com instead of auth.example.com.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT18 SECTION "Obtain keytab file" [7622-8555] -->
|
|
<h3 class="sectionedit19" id="configuration_of_lemonldapng1">Configuration of LemonLDAP::NG</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The configuration is the same as a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT19 SECTION "Configuration of LemonLDAP::NG" [8556-8656] -->
|
|
<h3 class="sectionedit20" id="configuration_of_portal_virtual_host1">Configuration of portal virtual host</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The only change in Apache configuration is <code>KrbServiceName</code>, which must be set to <code>Any</code> so that mod_auth_kerb accepts a ticket for whichever principal of the keytab the client targeted (<code>HTTP/node1.example.com</code> or <code>HTTP/node2.example.com</code>, depending on the node). With <code>Any</code>, every key in the keytab is a valid service identity, so keep the keytab limited to the node's own HTTP principal(s):
|
|
</p>
|
|
<pre class="code file apache"> KrbServiceName Any</pre>
|
|
|
|
</div>
|
|
<!-- EDIT20 SECTION "Configuration of portal virtual host" [8657-8845] -->
|
|
<h2 class="sectionedit21" id="llng_clustertwo_ad_domains">LL::NG Cluster / Two AD domains</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT21 SECTION "LL::NG Cluster / Two AD domains" [8846-8890] -->
|
|
<h3 class="sectionedit22" id="client_kerberos_configuration2">Client Kerberos configuration</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The two domains must be defined in <code>/etc/krb5.conf</code>:
|
|
</p>
|
|
<pre class="code file ini"><span class="re0"><span class="br0">[</span>libdefaults<span class="br0">]</span></span>
|
|
<span class="re1">default_realm</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span><span class="re2"> false</span>
|
|
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span><span class="re2"> no</span>
|
|
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span><span class="re2"> 24h</span>
|
|
<span class="re1">forwardable</span> <span class="sy0">=</span><span class="re2"> yes</span>
|
|
<span class="re1">renewable</span> <span class="sy0">=</span><span class="re2"> true</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>realms<span class="br0">]</span></span>
|
|
EXAMPLE.COM <span class="sy0">=</span><span class="re2"> <span class="br0">{</span></span>
|
|
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="re1">default_domain</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
<span class="br0">}</span>
|
|
ACME.COM <span class="sy0">=</span><span class="re2"> <span class="br0">{</span></span>
|
|
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.acme.com</span>
|
|
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.acme.com</span>
|
|
<span class="br0">}</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>domain_realm<span class="br0">]</span></span>
|
|
.example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
.acme.com <span class="sy0">=</span><span class="re2"> ACME.COM</span>
|
|
acme.com <span class="sy0">=</span><span class="re2"> ACME.COM</span></pre>
|
|
|
|
<p>
|
|
You should then be able to open a Kerberos session on each domain:
|
|
</p>
|
|
<pre class="code">kinit coudot@EXAMPLE.COM
|
|
klist -e
|
|
kdestroy</pre>
|
|
<pre class="code">kinit coudot@ACME.COM
|
|
klist -e
|
|
kdestroy</pre>
|
|
|
|
</div>
|
|
<!-- EDIT22 SECTION "Client Kerberos configuration" [8891-9635] -->
|
|
<h3 class="sectionedit23" id="obtain_keytab_file2">Obtain keytab file</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
You need to obtain a keytab for each node in each domain, so the <code>ktpass</code> commands must be run on both Active Directories (with the same precautions as for a single domain).
|
|
</p>
|
|
|
|
<p>
|
|
Then you will have 2 keytab files for each node, for example:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> node1-example.keytab</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> node1-acme.keytab</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
You need to concatenate the keytab files, thanks to <code>ktutil</code> command:
|
|
</p>
|
|
<pre class="code">ktutil
|
|
ktutil: read_kt node1-example.keytab
|
|
ktutil: read_kt node1-acme.keytab
|
|
ktutil: write_kt /etc/lemonldap-ng/auth.keytab
|
|
ktutil: quit</pre>
|
|
|
|
<p>
|
|
You can then delete the two original keytab files (their keys are now in the merged file) and protect the final keytab file:
|
|
</p>
|
|
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
|
|
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
|
|
|
|
</div>
|
|
<!-- EDIT23 SECTION "Obtain keytab file" [9636-10297] -->
|
|
<h3 class="sectionedit24" id="configuration_of_lemonldapng2">Configuration of LemonLDAP::NG</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The configuration is the same as a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT24 SECTION "Configuration of LemonLDAP::NG" [10298-10398] -->
|
|
<h3 class="sectionedit25" id="configuration_of_portal_virtual_host2">Configuration of portal virtual host</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The configuration is the same as with a single AD domain in cluster mode (<code>KrbServiceName Any</code>). Depending on your mod_auth_kerb version, <code>KrbAuthRealms</code> may need to list both realms (<code>EXAMPLE.COM ACME.COM</code>); check the module's documentation and test with a user from each domain.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT25 SECTION "Configuration of portal virtual host" [10399-10505] -->
|
|
<h2 class="sectionedit26" id="other_resources">Other resources</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
You can check these documentations to get more information:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <a href="http://modauthkerb.sourceforge.net/configure.html" class="urlextern" title="http://modauthkerb.sourceforge.net/configure.html" rel="nofollow">http://modauthkerb.sourceforge.net/configure.html</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <a href="http://www.grolmsnet.de/kerbtut/" class="urlextern" title="http://www.grolmsnet.de/kerbtut/" rel="nofollow">http://www.grolmsnet.de/kerbtut/</a></div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT26 SECTION "Other resources" [10506-] --></div>
|
|
</body>
|
|
</html>
|