Differences

This shows you the differences between two versions of the page.

documentation:latest:authapache [2014/08/18 15:07]
coudot
documentation:latest:authapache [2019/01/15 15:54] (current)
Line 1: Line 1:
 ====== Apache====== ====== Apache======
  
-^Authentication ^ Users ^ Password ^+ Authentication ​  Users   Password ​ ^
 |  ✔  | | | |  ✔  | | |
  
 ===== Presentation ===== ===== Presentation =====
  
-LL::NG can delegate authentication to Apache, so it is possible to use any [[http://​httpd.apache.org/​docs/​current/​howto/​auth.html|Apache authentication module]], for example: +LL::NG can delegate authentication to Apache, so it is possible to use any [[http://​httpd.apache.org/​docs/​current/​howto/​auth.html|Apache authentication module]], for example ​Kerberos, Radius, OTP, etc. 
-  ​* ​[[http://​modauthkerb.sourceforge.net/​|Kerberos]] + 
-  * [[http://​search.cpan.org/​~speeves/​Apache2-AuthenNTLM-0.02/​AuthenNTLM.pm|NTLM]] +<note important>​To authenticate users using Kerberos, you can now use the new [[authkerberos|Kerberos ​authentication module]] which allow one to chain Kerberos in a [[authcombination|combination]]</note>
-  * [[http://​freeradius.org/​mod_auth_radius/​|Radius]] +
-  * ...+
  
 <note tip>​Apache authentication module will set the ''​REMOTE_USER''​ environment variable, which will be used by LL::NG to get authenticated user.</​note>​ <note tip>​Apache authentication module will set the ''​REMOTE_USER''​ environment variable, which will be used by LL::NG to get authenticated user.</​note>​
- 
-<​note>​This documentation will focus on Kerberos authentication module, that can allow for example to set transparent authentication for Active Directory users (as Active Directory is a Kerberos server).</​note>​ 
- 
-The following sample parameters will be used: 
-  * **EXAMPLE.COM**:​ Kerberos realm 
-  * **HTTP**: Service name 
-  * **auth.example.com**:​ DNS of the portal 
-  * **ad.example.com**:​ DNS of Active Directory 
-  * **cn=ssokerberos,​cn=users,​dc=example,​dc=com**:​ DN of AD technical account 
-  * **complicatedpassword**:​ Password of AD technical account 
  
 ===== Configuration ===== ===== Configuration =====
  
-==== Apache Kerberos module ​====+==== LL::​NG  ​====
  
-The module can be found [[http://​modauthkerb.sourceforge.net/​|here]].+In General Parameters > Authentication modules, choose ''​Apache''​ as authentication backend.
  
-On CentOS/RHEL+You may want to failback to another authentication backend in case of the Apache authentication fails. Use then the [[authmulti|Multiple authentication module]], for example
-<​code ​shell> +<​code>​Apache;LDAP</​code>​
-yum install mod_auth_kerb +
-</​code>​+
  
-On Debian/​Ubuntu:​ +<note tip>In this case, the Apache authentication module should not require a valid user and not be authoritative,​ else Apache server will return an error and not let LL::NG Portal manage the failback authentication.</note>
-<code shell> +
-apt-get install libapache2-mod-auth-kerb +
-</code>+
  
-The module must be loaded by Apache ​(LoadModule directive).+==== Apache ​====
  
-==== Kerberos client ​for Linux ====+The Apache configuration depends on the module you choose, you need to look at the module documentation, ​for example: 
 +  * [[http://​modauthkerb.sourceforge.net/​|Kerberos]] 
 +  * [[http://​search.cpan.org/​~speeves/​Apache2-AuthenNTLM-0.02/​AuthenNTLM.pm|NTLM]] 
 +  * [[http://​freeradius.org/​mod_auth_radius/​|Radius]] 
 +  * ...
  
-Edit ''/​etc/​krb5.conf'':​+===== Tips =====
  
-<​file>​ +==== Kerberos ====
-[libdefaults] +
- ​default_realm ​EXAMPLE.COM+
  
-[realms] +The Kerberos configuration is quite complex. You can find some configuration tips [[kerberos|on this page]].
- ​EXAMPLE.COM = { +
-  kdc = ad.example.com +
-  admin_server = ad.example.com +
- }+
  
-[domain_realm] +<note tip>​Prefer new [[authkerberos|Kerberos]] module.</note>
- ​.example.com = EXAMPLE.COM +
- ​example.com = EXAMPLE.COM +
-</file>+
  
-==== Connection between Linux and Active Directory ​ - method 1 ====+==== Compatibility with Identity Provider modules ​====
  
-<note tip>This method requires ​to execute a command on the Active Directory server, and then transfer ​the keytab on Linux server.</​note>​+When using IDP modules (like CAS or SAML), the activation of Apache authentication can alter the operation. ​This is because the client often need to request directly ​the IDP, and the Apache authentication will block the request.
  
-You have to run this command on Active Directory:​ +In this case, you can add in the Apache authentication module:
- +
-<​code>​ +
-ktpass -princ HTTP/​auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:​\auth.keytab +
-</​code>​ +
- +
-The file ''​auth.keytab''​ should then be copied (with a secure media) to the Linux server (for example ​in ''/​etc/​lemonldap-ng''​). +
- +
-Then on Linux server: +
- +
-<code shell> +
-kinit HTTP/​auth.example.com +
-kvno HTTP/​auth.example.com@EXAMPLE.COM +
-klist -e +
-kinit -k -t /​etc/​lemonldap-ng/​auth.keytab HTTP/​auth.example.com +
-</​code>​ +
- +
-==== Connection between Linux and Active Directory ​ - method 2 ==== +
- +
-<note tip>This method requires ​the ''​msktutil''​ program on Linux server. You should be able to find a package for your distribution with a little search on the web.</​note>​ +
- +
-Initiate the Kerberos connection:​ +
-<​code>​ +
-kinit ssokerberos@EXAMPLE.COM +
-</​code>​ +
- +
-Then create the keytab. +
-  * Windows 2003 server: +
-<​code>​ +
-rm -f /​etc/​lemonldap-ng/​auth.keytab +
-msktutil -c -b "​cn=COMPUTERS"​ -s HTTP/​auth.example.com -h auth.example.com -k /​etc/​lemonldap-ng/​auth.keytab --computer-name portalsso --upn HTTP/​auth.example.com --server ad.example.com --verbose +
-</​code>​ +
-  * Windows 2008 server: +
-<​code>​ +
-rm -f /​etc/​lemonldap-ng/​auth.keytab +
-msktutil -c -b "​cn=COMPUTERS"​ -s HTTP/​auth.example.com -h auth.example.com -k /​etc/​lemonldap-ng/​auth.keytab --computer-name portalsso --upn HTTP/​auth.example.com --server ad.example.com --verbose --enctypes 28 +
-</​code>​ +
- +
-<note important>​Option ''​--enctypes''​ requires msktutil > 0.4</​note>​ +
- +
-Close kerberos connection:​ +
-<​code>​ +
-kdestroy +
-</​code>​ +
- +
-Change rights on keytab file: +
-<​code>​ +
-chown apache /​etc/​lemonldap-ng/​auth.keytab +
-</​code>​ +
- +
-==== Configuration of LemonLDAP::​NG ==== +
- +
-In Manager, go in ''​General Parameters''​ > ''​Authentication modules''​ and choose ​Apache ​for authentication+
- +
-<note tip>You can then choose any other module ​for users and password.</​note>​ +
- +
-You can also configure the authentication level for this module. +
- +
-==== Configuration of Apache virtual host ==== +
- +
-Modify the portal virtual host:+
  
 <file apache> <file apache>
-<​VirtualHost *> 
-    ServerName auth.example.com 
- 
-   ​DocumentRoot /​var/​lib/​lemonldap-ng/​portal/​ 
-    
-  <​Directory /​var/​lib/​lemonldap-ng/​portal/>​ 
-    Order allow,deny 
-    Allow from all 
-    Options +ExecCGI 
-    ​ 
-    <​IfModule auth_kerb_module>​ 
-      AuthType Kerberos 
-      KrbMethodNegotiate On 
-      KrbMethodK5Passwd Off 
-      KrbAuthRealms EXAMPLE.COM 
-      Krb5KeyTab /​etc/​lemonldap-ng/​auth.keytab 
-      KrbVerifyKDC Off 
-      KrbServiceName HTTP/​auth.example.com 
-      require valid-user 
-    </​IfModule>​ 
- 
-  </​Directory>​ 
-  ​ 
-</​VirtualHost>​ 
-</​file>​ 
- 
-==== Use Kerberos with Multiple authentication backend ==== 
- 
-You may want to use the [[authmulti|Mutliple authentication backend]] to fail back to another authentication for user without Kerberos ticket. 
- 
-This needs some hacking because the Apache Kerberos authentication module do not work if ''​require valid-user''​ is not set. This requires to create a second virtual host (kerberos.example.com),​ which should be registered into the DNS system. 
- 
-<note tip> 
-We use here kerberos.example.com as primary portal URL and auth.example.com as failback portal URL. You can of course change these names if you need. 
-</​note>​ 
- 
-To achieve this, follow these steps: 
-  * In Apache portal configuration,​ copy the default virtualhost (auth.example.com) a paste it as a new one. This new one is standard and don't need to load the mod_auth_kerb module. 
-  * Rename the first into kerberos.example.com:​ 
-<file apache> 
-    ServerName kerberos.example.com 
-</​file>​ 
-  * Create a redirection script, called login.pl: 
-<​code>​ 
-vi /​var/​lib/​lemonldap-ng/​portal/​login.pl 
-</​code>​ 
-<file perl> 
-#​!/​usr/​bin/​perl 
-use CGI ':​cgi-lib';​ 
-use strict; 
-use CGI::Carp '​fatalsToBrowser';​ 
-my $uri = $ENV{"​REQUEST_URI"​};​ 
-print CGI::​header(-Refresh => '0; URL=https://​auth.example.com'​.$uri);​ 
-exit(0); 
-</​file>​ 
-  * Modify the virtual host to load Kerberos Authentication module on specific page: 
-<file apache> 
-<​VirtualHost *> 
-  ServerName kerberos.example.com 
- 
-  DocumentRoot /​var/​lib/​lemonldap-ng/​portal/​ 
-    
-  <​Directory /​var/​lib/​lemonldap-ng/​portal/>​ 
-    Order allow,deny 
-    Allow from all 
-    Options +ExecCGI +FollowSymLinks 
-  </​Directory>​ 
- 
-  ErrorDocument 401 /login.pl 
-  <​LocationMatch /​(index.pl|cas/​*|saml/​*|openidserver/​*)>​ 
-    <​IfModule auth_kerb_module>​ 
-      AuthType Kerberos 
-      KrbMethodNegotiate On 
-      KrbMethodK5Passwd Off 
-      KrbAuthRealms EXAMPLE.COM 
-      Krb5KeyTab /​etc/​lemonldap-ng/​auth.keytab 
-      KrbVerifyKDC Off 
-      KrbServiceName HTTP/​kerberos.example.com 
       Satisfy any        Satisfy any 
       Order allow,​deny ​       Order allow,​deny ​
       allow from APPLICATIONS_IP       allow from APPLICATIONS_IP
-      require valid-user 
-    </​IfModule>​ 
-  </​LocationMatch>​ 
-    ​ 
-</​VirtualHost>​ 
 </​file>​ </​file>​
-  * Modify LemonLDAP::​NG Portal URL trough Manager to: http://​kerberos.example.com/​ 
-  * Configure Multiple authentication backend (for example: Apache;​LDAP) 
-  * Restart Apache 
  
-<note important>​For CAS, SAML or OpenID to work, you need to authorize applications IP to pass trough Kerberos ​authenticationfor ticket validation for example.</​note>​+This will bypass the authentication ​module ​for request from APPLICATIONS_IP.
  
-==== Time to test ==== 
  
-Configure IE or Firefox to trust ''​http://​auth.example.com''​ or ''​http://​kerberos.example.com''​ , and then it should work!
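Review bot: the ''Satisfy any'' / ''Order allow,deny'' / ''allow from APPLICATIONS_IP'' fragment kept in the new "Compatibility with Identity Provider modules" section now stands alone, whereas the previous revision showed the same three lines inside a ''<LocationMatch /(index.pl|cas/*|saml/*|openidserver/*)>'' block next to the ''AuthType'' and ''require valid-user'' directives; without that enclosing scope a reader cannot tell which paths the source-IP bypass is meant for, and placing it at the level of the whole portal lets every request from APPLICATIONS_IP through with no authentication at all. Suggest restoring the surrounding ''<Location>''/''<LocationMatch>'' context in the example and keeping the point the removed "authorize applications IP to pass trough Kerberos authentication for ticket validation" note made, namely that APPLICATIONS_IP must be limited to the addresses of the application servers that need to reach the CAS/SAML/OpenID endpoints. Second point: the Multiple authentication tip says the Apache module "should not require a valid user and not be authoritative" but shows no directive for either, while the removed text stated that the Kerberos module does not work without ''require valid-user''; one concrete configuration line per module (or a pointer to the module page that has it) would resolve that apparent contradiction. Wording: "failback" should read "fall back" (verb) or "fallback" (noun), "which allow one to chain" should read "which allows one to chain", "Use then the" should read "Then use the", and "for request from APPLICATIONS_IP" should read "for requests from APPLICATIONS_IP".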