Kerberos authentication

Introduction

LemonLDAP::NG can use Kerberos to authenticate users. It has been tested with Active Directory as Kerberos server, but it should work with others.

In this mode, authentication is performed by Apache, which sets the REMOTE_USER environment variable. LemonLDAP::NG reads this variable when it is configured with the "Apache" authentication module.

For additional background, you can read this tutorial, which complements the one below: http://michele.pupazzo.org/diary/?p=460

The following documentation explains how to set up Kerberos authentication with LemonLDAP::NG on Apache2/Linux, with Active Directory as the Kerberos server.

We will use the components described in the following sections.

Apache Kerberos module

The module can be found here: http://modauthkerb.sourceforge.net/.

On CentOS/RHEL:

# yum install mod_auth_kerb


The module must be loaded by Apache (LoadModule directive).

Kerberos client for Linux

Edit /etc/krb5.conf:
[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com
  admin_server = ad.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Connection between Linux and Active Directory

You have to run this command on Active Directory:
c:> ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab


The file auth.keytab should then be copied to the Linux server over a secure channel (for example into /etc/lemonldap-ng).

Then, on the Linux server:
$ kinit HTTP/auth.example.com
$ kvno HTTP/auth.example.com@EXAMPLE.COM
$ klist -e
$ kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com
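The commands above only succeed when the keytab holds a key for the service principal with the kvno the KDC currently uses and an encryption type the KDC still issues. The following Python script is an added example, not part of the LemonLDAP::NG documentation or project: it parses a version-2 keytab file offline and reports, for a given principal, which kvnos and encryption types it contains and whether any of them are deprecated. The keytab embedded at the bottom is constructed here for demonstration with dummy key bytes; it holds one AES256 and one DES-CBC-MD5 entry for HTTP/auth.example.com@EXAMPLE.COM, and the encryption-type numbers are the standard IANA assignments.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List

# Kerberos encryption type numbers (RFC 3961 / IANA registry)
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# DES deprecated by RFC 6649; 3DES and RC4 deprecated by RFC 8429
WEAK_ENCTYPES = {1, 2, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/auth.example.com@EXAMPLE.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int


def _counted_octets(buf: bytes, off: int):
    """Read a uint16 length-prefixed string (keytab 'counted_octet_string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT/Heimdal version-2 keytab (magic 0x05 0x02) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version (expected 0x0502)")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted_octets(data, off)   # key bytes are not needed here
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno appended to the entry
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype))
    return entries


def check_service_keytab(data: bytes, principal: str) -> dict:
    """Report whether `principal` is present, with which kvnos, and which of
    its keys use deprecated encryption types."""
    mine = [e for e in parse_keytab(data) if e.principal == principal]
    names = [ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in mine]
    return {
        "found": bool(mine),
        "kvnos": sorted({e.kvno for e in mine}),
        "enctypes": names,
        "weak": [n for e, n in zip(mine, names) if e.enctype in WEAK_ENCTYPES],
    }


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into keytab v2 bytes.
    Only used to construct the sample below; real keytabs come from ktpass."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">HH", len(comps), len(realm)) + realm.encode())
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 1700000000, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the service principal with an AES256 key and a
# DES-CBC-MD5 key, both kvno 3. Key bytes are dummies, not real secrets.
SERVICE_PRINCIPAL = "HTTP/auth.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SERVICE_PRINCIPAL, 3, 18, b"\x11" * 32),
    (SERVICE_PRINCIPAL, 3, 3, b"\x22" * 8),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.kvno:>3}  {ENCTYPE_NAMES.get(e.enctype, e.enctype):<26} {e.principal}")
    report = check_service_keytab(data, SERVICE_PRINCIPAL)
    print("deprecated enctypes for service principal:", report["weak"] or "none")
```

Run it against the copied file with `python3 keytab_check.py /etc/lemonldap-ng/auth.keytab` (the script name is arbitrary). If the kvno it prints differs from the one reported by `kvno`, the keytab is stale and must be regenerated with ktpass. A DES-only keytab, as produced by the `-crypto DES-CBC-MD5 +DesOnly` options above, is reported as deprecated: current Active Directory versions do not issue DES tickets by default, so prefer an AES encryption type where the domain and module versions allow it. Since the keytab holds the service's long-term key, keep it readable only by the Apache user.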

Configuration of LemonLDAP::NG Portal

You just have to edit /var/lib/lemonldap-ng/portal/index.pl:
# Call Apache authentication module
authentication => 'Apache',
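With the 'Apache' module, the portal does no Kerberos work itself; it receives the principal that mod_auth_kerb exported, in the form user@REALM. The snippet below is an added Python illustration of the checks a consumer of REMOTE_USER should make before treating that value as a login name; it is not LemonLDAP::NG code and does not describe how its Perl module maps the value. The expected realm is assumed to be the same EXAMPLE.COM used in the Apache configuration.

```python
import os
from typing import Optional

# Realm that Apache is allowed to accept (the vhost's KrbAuthRealms value);
# assumed here to match the rest of this page.
EXPECTED_REALM = "EXAMPLE.COM"


def local_user_from_remote_user(remote_user: Optional[str],
                                expected_realm: str = EXPECTED_REALM) -> str:
    """Turn the principal Apache exported in REMOTE_USER (user@REALM) into the
    login name an application will use, refusing anything that is not a plain
    user principal of the expected realm."""
    if not remote_user:
        raise PermissionError("REMOTE_USER is empty: Apache did not authenticate")
    if remote_user.count("@") != 1:
        raise PermissionError("expected exactly one '@' in the principal")
    name, realm = remote_user.split("@")
    if realm != expected_realm:          # Kerberos realm names are case-sensitive
        raise PermissionError(f"unexpected realm {realm!r}")
    if "/" in name or not name:          # service principals (HTTP/host) are not users
        raise PermissionError("not a user principal")
    return name


if __name__ == "__main__":
    # In a CGI such as the portal's index.pl the value arrives as an
    # environment variable set by mod_auth_kerb after a successful Negotiate.
    print(local_user_from_remote_user(os.environ.get("REMOTE_USER")))
```

Rejecting an unexpected realm at this layer is a second line of defence: KrbAuthRealms in the virtual host already restricts which realm Apache accepts, and the two settings must agree.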

Configuration of Apache virtual host

Modify the portal virtual host:
<VirtualHost *>
    ServerName auth.example.com

    DocumentRoot /var/lib/lemonldap-ng/portal/
    <Directory /var/lib/lemonldap-ng/portal/>
        Order allow,deny
        Allow from all
        Options +ExecCGI
        <IfModule auth_kerb_module>
            AuthType Kerberos
            KrbMethodNegotiate On
            KrbMethodK5Passwd Off
            KrbAuthRealms EXAMPLE.COM
            Krb5KeyTab /etc/lemonldap-ng/auth.keytab
            KrbVerifyKDC Off
            KrbServiceName HTTP
            require valid-user
        </IfModule>
    </Directory>
</VirtualHost>

Time to test

Configure IE or Firefox to trust "http://auth.example.com", and then it should work!