This shows you the differences between two versions of the page.

Link to this comparison view

documentation:latest:authkerberos [2019/01/15 15:54] (current)
Line 1: Line 1:
 +====== Kerberos======
 +^  Authentication ​ ^  Users  ^  Password ​ ^
 +|  ✔  | | |
 +===== Presentation =====
 +[[https://​en.wikipedia.org/​wiki/​Kerberos_(protocol)|Kerberos]] is a network authentication protocol used to authenticate users based on their desktop session.
 +LL::NG uses GSSAPI module to validate Kerberos ticket against a local keytab.
 +===== LLNG Configuration =====
 +In Manager, go in ''​General Parameters''​ > ''​Authentication modules''​ and choose Kerberos for authentication. Then go to "​Kerberos parameters"​ and configure the following parameters:
 +  * **keytab file** (required): the Kerberos keytab file
 +  * **Use Ajax request**: set to "​enabled"​ if you want to use an Ajax request instead of a direct Kerberos attempt. **This is required if you want to chain Kerberos in a [[authcombination|combination]]**
 +  * **Kerberos authentication level**: default to 3
 +  * **Use Web Server Kerberos module**: set to "​enabled"​ to use the Web Server module (for example Apache mod_auth_kerb) instead of Perl Kerberos code to validate Kerberos ticket
 +  * **Remove domain in username**: set to "​enabled"​ to strip username value and remove the '​@domain'​.
 +<note important>​
 +  * Due to a perl GSSAPI issue, you may need to copy the keytab in /​etc/​krb5.keytab which is the default location hardcoded in the library
 +  * As Kerberos ticket is passed inside Authorization header, you may need to set CGIPassAuth on in Apache //(with old Apache, use ''​RewriteCond %{HTTP:​Authorization}''​ followed by ''​RewriteRule .* - [E=HTTP_AUTHORIZATION:​%{HTTP:​Authorization}]''​)//​
 +==== Kerberos configuration ====
 +The Kerberos configuration is quite complex. You can find some configuration tips [[kerberos|on this page]].
 +==== Web Server Kerberos module ====
 +If you want to let Web Server Kerberos module validates the Kerberos ticket, set the according option to "​enabled"​ and configure the portal virtual host to launch the module if "​kerberos"​ GET parameter is in the request.
 +Example with Apache and mod_auth_kerb:​
 +<file apache>
 +  <If "​%{QUERY_STRING} =~ /​kerberos=/">​
 +    <​IfModule auth_kerb_module>​
 +      AuthType Kerberos
 +      KrbMethodNegotiate On
 +      KrbMethodK5Passwd Off
 +      KrbAuthRealms EXAMPLE.COM
 +      Krb5KeyTab /​etc/​lemonldap-ng/​auth.keytab
 +      KrbVerifyKDC On
 +      KrbServiceName Any
 +      require valid-user
 +    </​IfModule>​
 +  </If>