<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr"> <head> <meta name="generator" content= "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" /> <title>Lemonldap::NG documentation: 4.5-Apache-and-Kerberos-authentication-backend.html</title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <style type="text/css"> /*<![CDATA[*/ body{ background: #ddd; font-family: sans-serif; font-size: 11pt; padding: 0 50px; } div.main-content{ padding: 10px; background: #fff; border: 2px #ccc solid; } a{ text-decoration: none; } p.footer{ text-align: center; margin: 5px 0 0 0; } .heading-1{ text-align: center; color: orange; font-variant: small-caps; font-size: 20pt; } .heading-1-1{ color: orange; font-size: 14pt; border-bottom: 2px #ccc solid; } pre{ background: #eee; border: 2px #ccc solid; padding: 5px; border-left: 10px #ccc solid; } ul.star li{ list-style-type: square; } /*]]>*/ </style> </head> <body> <div class="main-content"> <h2 class="heading-1"><span id="HKerberosauthentication">Kerberos authentication</span></h2> <p class="paragraph"></p> <ul> <li><a href="#HIntroduction">Introduction</a></li> <li><a href="#HApacheKerberosmodule">Apache Kerberos module</a></li> <li><a href="#HKerberosclientforLinux">Kerberos client for Linux</a></li> <li><a href="#HConnectionbetweenLinuxandActiveDirectory">Connection between Linux and Active Directory</a></li> <li><a href="#HConfigurationofLemonLDAP3A3ANGPortal">Configuration of LemonLDAP::NG Portal</a></li> <li><a href="#HConfigurationofApachevirtualhost">Configuration of Apache virtual host</a></li> <li><a href="#HTimetotest">Time to test</a></li> </ul> <h3 class="heading-1-1"><span id="HIntroduction">Introduction</span></h3> <p class="paragraph"></p>LemonLDAP::NG can use Kerberos to authenticate users. 
It has been tested with Active Directory as the Kerberos server, but it should work with other Kerberos servers. <p class="paragraph"></p>In this mode, the authentication is done by Apache, which sets the environment variable REMOTE_USER. LemonLDAP::NG reads this variable when it is configured with the "Apache" authentication module. <p class="paragraph"></p>You can have a look at this tutorial to complement the following one: <span class="wikiexternallink"><a href="http://michele.pupazzo.org/diary/?p=460">http://michele.pupazzo.org/diary/?p=460</a></span> <p class="paragraph"></p>The following documentation explains how to set up Kerberos authentication with LemonLDAP::NG on Apache2/Linux, with Active Directory as the Kerberos server. <p class="paragraph"></p>We will use: <ul class="star"> <li><strong class="strong">EXAMPLE.COM</strong>: Kerberos realm</li> <li><strong class="strong">HTTP</strong>: Service name</li> <li><strong class="strong">auth.example.com</strong>: DNS name of the portal</li> <li><strong class="strong">ad.example.com</strong>: DNS name of Active Directory</li> <li><strong class="strong">cn=ssokerberos,cn=users,dc=example,dc=com</strong>: DN of the AD technical account</li> <li><strong class="strong">complicatedpassword</strong>: Password of the AD technical account</li> </ul> <h3 class="heading-1-1"><span id="HApacheKerberosmodule">Apache Kerberos module</span></h3><br /> <br /> The module can be found here: <span class="wikiexternallink"><a href="http://modauthkerb.sourceforge.net/">http://modauthkerb.sourceforge.net/</a></span><br /> <br /> On CentOS/RHEL:<br /> <br /> <div class="code"> <pre> # yum install mod_auth_kerb </pre> </div><br /> <br /> The module must be loaded by Apache (LoadModule directive).
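<p class="paragraph"></p>The keytab that the following sections create with ktpass and copy to /etc/lemonldap-ng/auth.keytab is the long-term secret Apache uses to accept service tickets, so it is worth checking what it actually contains before trusting it on the portal. The Python script below is an added example and is not part of LemonLDAP::NG or of this documentation: it parses the MIT keytab v2 layout, lists principals and key version numbers without ever returning key material, and flags DES key types (the enctype that the ktpass command in the next sections requests with -crypto DES-CBC-MD5, and which current Kerberos implementations disable by default). The sample keytab bytes are constructed inline with a dummy key; on a real server, read /etc/lemonldap-ng/auth.keytab instead.

```python
import struct

WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def _cstr(b: bytes) -> bytes:  # keytab counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b
def keytab_entry(principal: str, enctype: int, kvno: int, key: bytes) -> bytes:
    """Serialise one MIT keytab v2 entry (name type KRB5_NT_PRINCIPAL = 1)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                      # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body
def parse_keytab(data: bytes) -> list:
    """List {principal, kvno, enctype} per live entry; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end, p = pos + size, pos + 2
        strings = []                       # realm first, then the name components
        for _ in range(struct.unpack_from(">H", data, pos)[0] + 1):
            n = struct.unpack_from(">H", data, p)[0]
            strings.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _, _, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                     # skip the key material
        ext = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0  # kvno extension
        out.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                    "kvno": ext or vno8, "enctype": enctype})
        pos = end
    return out
def check_keytab(data: bytes, principal: str) -> list:
    """Findings before trusting the copied keytab: principal present, no DES keys."""
    matches = [e for e in parse_keytab(data) if e["principal"] == principal]
    findings = [] if matches else [f"no key for {principal}"]
    for e in matches:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"kvno {e['kvno']} uses weak enctype {WEAK_ENCTYPES[e['enctype']]}")
    return findings
# Constructed sample: the layout ktpass -crypto DES-CBC-MD5 (enctype 3) yields, with a dummy key.
SAMPLE_KEYTAB = b"\x05\x02" + keytab_entry("HTTP/auth.example.com@EXAMPLE.COM", 3, 2, b"\x00" * 8)
```

Run `check_keytab(open("/etc/lemonldap-ng/auth.keytab", "rb").read(), "HTTP/auth.example.com@EXAMPLE.COM")` on the server; an empty list means the service principal is present with a non-DES key, which is also what `klist -e` should show after the `kinit -k -t` step.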
<h3 class="heading-1-1"><span id="HKerberosclientforLinux">Kerberos client for Linux</span></h3><br /> <br /> Edit /etc/krb5.conf: <div class="code"> <pre>
[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com
  admin_server = ad.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
</pre> </div> <h3 class="heading-1-1"><span id="HConnectionbetweenLinuxandActiveDirectory">Connection between Linux and Active Directory</span></h3> <p class="paragraph"></p>You have to run this command on the Active Directory server: <div class="code"> <pre>
c:&gt; ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab
</pre> </div><br /> <br /> The file auth.keytab should then be copied (on a secure medium) to the Linux server, for example into /etc/lemonldap-ng.<br /> <br /> Then, on the Linux server: <div class="code"> <pre>
$ kinit HTTP/auth.example.com
$ kvno HTTP/auth.example.com@EXAMPLE.COM
$ klist -e
$ kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com
</pre> </div> <h3 class="heading-1-1"><span id="HConfigurationofLemonLDAP3A3ANGPortal">Configuration of LemonLDAP::NG Portal</span></h3> <p class="paragraph"></p>You just have to edit /var/lib/lemonldap-ng/portal/index.pl: <div class="code"> <pre>
# Call Apache authentication module
authentication =&gt; 'Apache',
</pre> </div> <h3 class="heading-1-1"><span id="HConfigurationofApachevirtualhost">Configuration of Apache virtual host</span></h3> <p class="paragraph"></p>Modify the portal virtual host: <div class="code"> <pre>
&lt;VirtualHost *&gt;
    ServerName auth.example.com

    DocumentRoot /var/lib/lemonldap-ng/portal/
    &lt;Directory /var/lib/lemonldap-ng/portal/&gt;
        Order allow,deny
        Allow from all
        Options +ExecCGI
        &lt;IfModule auth_kerb_module&gt;
            AuthType Kerberos
            KrbMethodNegotiate On
            KrbMethodK5Passwd Off
            KrbAuthRealms EXAMPLE.COM
            Krb5KeyTab /etc/lemonldap-ng/auth.keytab
            KrbVerifyKDC Off
            KrbServiceName HTTP
            require valid-user
        &lt;/IfModule&gt;
    &lt;/Directory&gt;
&lt;/VirtualHost&gt;
</pre> </div> <h3 class="heading-1-1"><span id="HTimetotest">Time to test</span></h3> <p class="paragraph"></p>Configure <span class="wikiexternallink"><a href="http://technet.microsoft.com/en-us/library/cc779070.aspx">IE</a></span> or <span class="wikiexternallink"><a href="http://grolmsnet.de/kerbtut/firefox.html">Firefox</a></span> to trust "http://auth.example.com", and then it should work! <p class="paragraph"></p> </div> <p class="footer"><a href="index.html">Index</a></p> </body> </html>