Kerberos authentication
- Introduction
- Apache Kerberos module
- Kerberos client for Linux
- Connection between Linux and Active Directory
- Configuration of LemonLDAP::NG Portal
- Configuration of Apache virtual host
- Time to test
Introduction
LemonLDAP::NG can use Kerberos to authenticate users. It has been tested with Active Directory as Kerberos server, but it should work with other KDCs. In this mode the authentication itself is done by Apache (mod_auth_kerb), which sets the REMOTE_USER environment variable; LemonLDAP::NG reads that variable when it is configured with the "Apache" authentication module. You can also have a look at this tutorial, which complements the one below: http://michele.pupazzo.org/diary/?p=460
The following documentation explains how to set up Kerberos authentication with LemonLDAP::NG on Apache2/Linux, with Active Directory as Kerberos server. We will use:
- EXAMPLE.COM: Kerberos realm
- HTTP: Service name
- auth.example.com: DNS of the portal
- ad.example.com: DNS of Active Directory
- cn=ssokerberos,cn=users,dc=example,dc=com: DN of AD technical account
- complicatedpassword: Password of AD technical account
Apache Kerberos module
The module can be found here http://modauthkerb.sourceforge.net/.
On CentOS/RHEL:
# yum install mod_auth_kerb
The module must be loaded by Apache (LoadModule directive). Check that it really is: the virtual host configuration below wraps the Kerberos directives in <IfModule auth_kerb_module>, so if the module is not loaded they are silently ignored and the portal gets no REMOTE_USER.
Kerberos client for Linux
Edit /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
Connection between Linux and Active Directory
You have to run this command on the Active Directory server, as a domain administrator:

c:> ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab

This maps the service principal HTTP/auth.example.com to the ssokerberos account (-mapOp set replaces any principal already mapped to it), sets the password of that account to complicatedpassword (-pass changes the account password, so every time the command is re-run the key version number, kvno, increments and the keytab has to be regenerated and copied again) and writes the service key to c:\auth.keytab. Note that -crypto DES-CBC-MD5 together with +DesOnly produces a DES-only key: DES is weak and is disabled by default on current Windows releases and in current MIT Kerberos clients (allow_weak_crypto), so on a modern domain use -crypto AES256-SHA1 (or AES128-SHA1) and drop +DesOnly; keep the DES settings above only for legacy environments.
The file auth.keytab should then be copied to the Linux server over a secure channel (for example into /etc/lemonldap-ng). It contains the long-term key of the service, so it must be readable only by root and the user Apache runs as: anyone who can read it can impersonate the portal and decrypt the service tickets users present to it.
Then on the Linux server:

$ kinit HTTP/auth.example.com
$ kvno HTTP/auth.example.com@EXAMPLE.COM
$ klist -e
$ kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com

The first kinit asks for the password of the technical account (complicatedpassword) and checks that krb5.conf and the realm are right. kvno requests a service ticket for the portal and prints the key version number the KDC currently uses; klist -e lists the cached tickets with their encryption types and must show a ticket for HTTP/auth.example.com@EXAMPLE.COM whose enctype is also present in the keytab. The last kinit authenticates with the keytab only: if it succeeds, the key in auth.keytab matches what the KDC issues. The most common failure is a kvno mismatch after ktpass has been re-run or the account password changed; regenerate and re-copy the keytab.
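As a check to run after these steps, here is an added example script (not part of the LemonLDAP::NG documentation or project) that compares the service keytab with what the KDC issues and flags a DES-only keytab, which is what the ktpass command above produces. It assumes the principal and keytab path used on this page and the MIT Kerberos output formats of klist -k -e and kvno; the klist and kvno output embedded in it is constructed so the functions can be exercised without a KDC. Run it with --live on the server, after kinit, to check the real keytab.

```shell
#!/bin/sh
# check_keytab.sh: added example, not from the LemonLDAP::NG documentation.
# Compares the service keytab with what the KDC issues and warns about
# DES-only keys. Principal and keytab path are the ones assumed on this page;
# parsing assumes MIT Kerberos `klist -k -e` and `kvno` output formats.

EXPECTED_PRINC="${EXPECTED_PRINC:-HTTP/auth.example.com@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/lemonldap-ng/auth.keytab}"

# Constructed sample of `klist -k -e` output for the keytab the page's ktpass
# command produces (one DES-only key, kvno 3).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/auth.example.com@EXAMPLE.COM (des-cbc-md5)'

# Constructed sample of `kvno` output for the same principal.
SAMPLE_KVNO_OUTPUT='HTTP/auth.example.com@EXAMPLE.COM: kvno = 3'

# Print "<kvno> <enctype>" for each keytab entry of principal $2 in listing $1.
keytab_entries() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $1, $3 }'
}

# Highest key version stored in the keytab for principal $2 (empty if absent).
keytab_kvno() {
    keytab_entries "$1" "$2" | awk 'BEGIN { m = -1 } $1 > m { m = $1 } END { if (m >= 0) print m }'
}

# Key version the KDC currently issues, parsed from `kvno` output $1.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $NF }'
}

# Succeeds when every key of principal $2 in listing $1 is a DES key
# (the result of ktpass -crypto DES-CBC-MD5 +DesOnly).
keytab_des_only() {
    keytab_entries "$1" "$2" | awk 'BEGIN { n = 0; d = 0 } { n++; if ($2 ~ /^des-/) d++ } END { exit !(n > 0 && d == n) }'
}

# Full check: principal present, kvno equal to the KDC's, no DES-only key.
# $1 = klist -k -e output, $2 = kvno output, $3 = principal. Returns 0 on success.
check_keytab() {
    rc=0
    kt=$(keytab_kvno "$1" "$3")
    if [ -z "$kt" ]; then
        echo "FAIL: $3 is not in the keytab"
        return 1
    fi
    kdc=$(kdc_kvno "$2" "$3")
    if [ "$kt" != "$kdc" ]; then
        echo "FAIL: keytab has kvno $kt but the KDC issues kvno ${kdc:-?} (re-run ktpass and copy the new keytab)"
        rc=1
    fi
    if keytab_des_only "$1" "$3"; then
        echo "WARN: only DES keys for $3; modern KDCs and clients refuse DES, regenerate with AES256-SHA1"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $3, kvno $kt, keytab matches the KDC"
    return "$rc"
}

case "${1:-}" in
    --live)   # on the server, after kinit: needs klist, kvno and a readable keytab
        check_keytab "$(klist -k -e "$KEYTAB")" "$(kvno "$EXPECTED_PRINC")" "$EXPECTED_PRINC" ;;
    --sample) # offline demonstration on the constructed output above
        check_keytab "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_KVNO_OUTPUT" "$EXPECTED_PRINC" ;;
esac
```

With --sample the script reports the DES-only warning and exits non-zero; with --live it exits 0 only when the principal is in the keytab, the keytab's highest kvno equals the one the KDC returns, and at least one non-DES key is present. Heimdal's ktutil/klist print a different layout, so adapt the awk patterns there.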
Configuration of LemonLDAP::NG Portal
You just have to edit /var/lib/lemonldap-ng/portal/index.pl and select the Apache authentication module:

    # Call Apache authentication module
    authentication => 'Apache',
Configuration of Apache virtual host
Modify the portal virtual host:

<VirtualHost *>
    ServerName auth.example.com
    DocumentRoot /var/lib/lemonldap-ng/portal/
    <Directory /var/lib/lemonldap-ng/portal/>
        Order allow,deny
        Allow from all
        Options +ExecCGI
        <IfModule auth_kerb_module>
            AuthType Kerberos
            KrbMethodNegotiate On
            KrbMethodK5Passwd Off
            KrbAuthRealms EXAMPLE.COM
            Krb5KeyTab /etc/lemonldap-ng/auth.keytab
            KrbVerifyKDC Off
            KrbServiceName HTTP
            require valid-user
        </IfModule>
    </Directory>
</VirtualHost>

KrbMethodNegotiate On enables SPNEGO, so the browser presents a Kerberos ticket; KrbMethodK5Passwd Off refuses the Basic-auth fallback, so user passwords are never sent to the portal. KrbVerifyKDC only applies to that password path (it checks the KDC against the local keytab to defeat KDC spoofing), so with K5Passwd off it has no effect here; tickets received through Negotiate are always decrypted with the key in Krb5KeyTab, which must be the keytab copied above and readable by the Apache user. With require valid-user, Apache accepts any account of EXAMPLE.COM and sets REMOTE_USER to the full principal name (user@EXAMPLE.COM); LemonLDAP::NG then looks the user up and applies its own authorization rules. If the LemonLDAP::NG user search expects the bare login, mod_auth_kerb's KrbLocalUserMapping On directive strips the realm from REMOTE_USER. Order allow,deny / Allow from all is Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all granted.