
Apache


LL::NG can delegate authentication to Apache, so any Apache authentication module can be used, for example the Kerberos module described below.

The Apache authentication module sets the REMOTE_USER environment variable, which LL::NG reads to identify the authenticated user.
This documentation focuses on the Kerberos authentication module, which allows, for example, transparent authentication of Active Directory users (Active Directory is a Kerberos server).

The following sample parameters will be used:

  • EXAMPLE.COM: Kerberos realm
  • HTTP: Service name
  • auth.example.com: DNS of the portal
  • ad.example.com: DNS of Active Directory
  • cn=ssokerberos,cn=users,dc=example,dc=com: DN of AD technical account
  • complicatedpassword: Password of AD technical account

The mod_auth_kerb module can be found here.

On CentOS/RHEL:

yum install mod_auth_kerb

On Debian/Ubuntu:

apt-get install libapache2-mod-auth-kerb

The module must be loaded by Apache (LoadModule directive).

Edit /etc/krb5.conf:

[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com
  admin_server = ad.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Run this command on the Active Directory server to create the service principal and export its keytab:

ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab

The file auth.keytab should then be copied (using a secure medium) to the Linux server (for example into /etc/lemonldap-ng). Note that the -crypto DES-CBC-MD5 and +DesOnly options in the sample command produce a single-DES key; DES is a weak cipher and recent Windows versions disable it by default, so check which encryption types your domain permits before relying on this sample.

Then, on the Linux server, check that the keytab works:

kinit HTTP/auth.example.com
kvno HTTP/auth.example.com@EXAMPLE.COM
klist -e
kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com
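As an added example (not part of the LL::NG documentation), the POSIX shell check below reads the listing printed by `klist -k -t -e /etc/lemonldap-ng/auth.keytab`, confirms that the HTTP/auth.example.com@EXAMPLE.COM principal is present, and counts how many of its keys use a single-DES encryption type. The keytab listing embedded in the script is constructed for the demonstration; in a real deployment pass the real klist output instead.

```shell
#!/bin/sh
# Added example: verify that a keytab listing (the text printed by
# `klist -k -t -e /etc/lemonldap-ng/auth.keytab`) contains the expected
# service principal, and report how many of its keys use single DES.
# Real usage: keytab_check "$(klist -k -t -e /etc/lemonldap-ng/auth.keytab)" PRINCIPAL

# Constructed sample listing (not real keytab data): one DES key and one AES
# key for the portal's service principal, plus an unrelated host principal.
SAMPLE_LISTING='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 01/01/70 00:00:00 HTTP/auth.example.com@EXAMPLE.COM (des-cbc-md5)
   3 01/01/70 00:00:00 HTTP/auth.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/70 00:00:00 host/other.example.com@EXAMPLE.COM (arcfour-hmac)'

# keytab_check LISTING PRINCIPAL
# Prints "<principal> keys=<n> des=<m>" and returns 0 when the principal has
# at least one key in the listing, 1 when it is absent.
keytab_check() {
    listing=$1
    principal=$2
    keys=0
    des=0
    while IFS= read -r line; do
        # Key lines end with "<principal> (<enctype>)"; header lines do not match.
        case $line in
            *" $principal ("*")"*)
                keys=$((keys + 1))
                enctype=${line##*\(}
                enctype=${enctype%%)*}
                # klist prints enctype names in lower case, e.g. des-cbc-md5
                case $enctype in
                    des-cbc-*) des=$((des + 1)) ;;
                esac
                ;;
        esac
    done <<EOF
$listing
EOF
    printf '%s keys=%d des=%d\n' "$principal" "$keys" "$des"
    [ "$keys" -gt 0 ]
}

# Demonstration on the constructed listing.
keytab_check "$SAMPLE_LISTING" 'HTTP/auth.example.com@EXAMPLE.COM'
```

A non-zero des count means the keytab still carries a DES key, which is what the sample ktpass command above produces.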

In the Manager, go to General Parameters > Authentication modules and choose Apache as the authentication module.

You can then choose any other module for users and password.

You can also configure the authentication level for this module.

Modify the portal virtual host:

<VirtualHost *>
  ServerName auth.example.com

  DocumentRoot /var/lib/lemonldap-ng/portal/

  <Directory /var/lib/lemonldap-ng/portal/>
    Order allow,deny
    Allow from all
    Options +ExecCGI

    <IfModule auth_kerb_module>
      AuthType Kerberos
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      Krb5KeyTab /etc/lemonldap-ng/auth.keytab
      KrbVerifyKDC Off
      KrbServiceName HTTP
      require valid-user
    </IfModule>

  </Directory>

</VirtualHost>

Note that KrbVerifyKDC Off disables mod_auth_kerb's verification of tickets against the local keytab, a protection against KDC spoofing; the mod_auth_kerb documentation recommends that setting only for testing.

Configure Internet Explorer or Firefox to trust http://auth.example.com (so that the browser sends Negotiate credentials to it), and it should then work!