LL::NG can delegate authentication to Apache, so it is possible to use any Apache authentication module, for example:

The Apache authentication module sets the REMOTE_USER environment variable, which LL::NG uses to identify the authenticated user.
This documentation focuses on the Kerberos authentication module, which can, for example, provide transparent authentication for Active Directory users (as Active Directory is a Kerberos server).

The following sample parameters will be used:

  • EXAMPLE.COM: Kerberos realm
  • HTTP: Service name
  • DNS of the portal
  • DNS of Active Directory
  • cn=ssokerberos,cn=users,dc=example,dc=com: DN of AD technical account
  • complicatedpassword: Password of AD technical account

The module can be found here.


On Red Hat/CentOS:

yum install mod_auth_kerb

On Debian/Ubuntu:

apt-get install libapache2-mod-auth-kerb

The module must be loaded by Apache (LoadModule directive).

Edit /etc/krb5.conf:

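[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = <DNS of Active Directory>
  admin_server = <DNS of Active Directory>
 }

[domain_realm]
 .<DNS domain> = EXAMPLE.COM
 <DNS domain> = EXAMPLE.COM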

You have to run this command on Active Directory:

ktpass -princ HTTP/ -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab

The auth.keytab file should then be copied over a secure medium to the Linux server (for example to /etc/lemonldap-ng).

Then, on the Linux server:

kinit HTTP/
kvno HTTP/
klist -e
kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/
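
The ktpass command above requests a DES-CBC-MD5 key, an encryption type deprecated by RFC 6649, and the resulting keytab holds the service's long-term key. As an added example (not part of the LL::NG documentation), this Python script reads a keytab in file format 0x0502 and reports deprecated encryption types and world-accessible permission bits. The principal HTTP/portal.example.test, the all-zero key and the file mode are constructed sample values.

```python
import struct

# Enctypes deprecated for Kerberos: DES and rc4-hmac-exp (RFC 6649), 3DES and RC4 (RFC 8429).
DEPRECATED = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
              16: "des3-cbc-sha1", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
# Constructed sample: one all-zero DES-CBC-MD5 key, kvno 3, placeholder host name.
SAMPLE = (b"\x05\x02\x00\x00\x00\x43\x00\x02" b"\x00\x0bEXAMPLE.COM" b"\x00\x04HTTP"
          b"\x00\x13portal.example.test" b"\x00\x00\x00\x01\x00\x00\x00\x00\x03\x00\x03"
          b"\x00\x08" + bytes(8) + b"\x00\x00\x00\x03")

def counted(buf, off):                   # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_entry(rec):
    """Decode one keytab record into (principal, kvno, enctype)."""
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    realm, off = counted(rec, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = counted(rec, off)
        comps.append(comp.decode())
    kvno = rec[off + 8]                  # follows name_type and timestamp (4 bytes each)
    (etype,) = struct.unpack_from(">H", rec, off + 9)
    _, off = counted(rec, off + 11)      # step over the key bytes; they are never returned
    if len(rec) - off >= 4:              # optional 32-bit kvno replaces the 8-bit one
        (kvno,) = struct.unpack_from(">I", rec, off)
    return "/".join(comps) + "@" + realm.decode(), kvno, etype

def parse_keytab(data):
    """Return every live entry of a keytab in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:                     # a negative size marks a deleted entry (hole)
            entries.append(parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)
    return entries

def audit_keytab(data, mode):
    """Report world-accessible permission bits and deprecated enctypes."""
    findings = [f"mode {mode:04o}: accessible to other users"] if mode & 0o007 else []
    return findings + [f"{princ} kvno {kvno}: deprecated enctype {DEPRECATED[etype]}"
                       for princ, kvno, etype in parse_keytab(data) if etype in DEPRECATED]

if __name__ == "__main__":               # 0o644 is a constructed file mode
    print("\n".join(audit_keytab(SAMPLE, 0o644)))
```

For a real file, pass its bytes and `stat.S_IMODE(os.stat(path).st_mode)` as the mode.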

In Manager, go to General Parameters > Authentication modules and choose Apache for authentication.

You can then choose any other module for users and password.

You can also configure the authentication level for this module.

Modify the portal virtual host:

<VirtualHost *>
  DocumentRoot /var/lib/lemonldap-ng/portal/
  <Directory /var/lib/lemonldap-ng/portal/>
    Order allow,deny
    Allow from all
    Options +ExecCGI
    <IfModule auth_kerb_module>
      AuthType Kerberos
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      Krb5KeyTab /etc/lemonldap-ng/auth.keytab
      KrbVerifyKDC Off
      KrbServiceName HTTP
      require valid-user
    </IfModule>
  </Directory>
</VirtualHost>

Configure IE or Firefox to trust, and then it should work!