Differences

documentation:latest:kerberos [2017/10/26 22:37]
127.0.0.1 external edit
documentation:latest:kerberos [2019/01/15 15:54] (current)
Line 1: Line 1:
 ====== Kerberos ====== ====== Kerberos ======
- 
-<note tip>A backport of 2.0 new Kerberos authentication module has been done for 1.9.14. See [[documentation:​2.0:​authkerberos|Kerberos]] to see how to use it.</​note>​ 
  
 ===== Presentation ===== ===== Presentation =====
  
-This documentation will explain how to use Active Directory as Kerberos server, and provide transparent authentication ​to AD domain users to LL::NG.+This documentation will explain how to use Active Directory as Kerberos server, and provide transparent authentication ​for one or multiple ​AD domains.
  
-We will present several architectures:​ +You can use Kerberos ​ in LL::​NG ​with the following authentication modules: 
-  * Single ​LL::​NG ​server linked to one AD domain +  * [[authkerberos|Kerberos]] (recommended)use Perl GSSAPI module, compatible with Apache and Nginx 
-  * LL::NG cluster linked to one AD domain +  * [[authapache|Apache]]use mod_auth_kerb or mod_auth_gssapi in Apache
-  * LL::NG cluster linked to two AD domains+
  
 ===== Prerequisites ===== ===== Prerequisites =====
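Review bot: The new module list marks Kerberos as recommended but the only reason given is "compatible with Apache and Nginx"; since the Apache entry still depends on mod_auth_kerb or mod_auth_gssapi, state explicitly that the Apache option is Apache-only and why the Perl GSSAPI module is preferred (no web-server module, works behind Nginx), otherwise readers already on the Apache path have no reason to migrate. The deleted note was also the only pointer sending 1.9.14 users to documentation:2.0:authkerberos; if 1.9.x is still documented, keep a one-line pointer.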
Line 20: Line 17:
   * **ACME.COM**:​ Second AD domain   * **ACME.COM**:​ Second AD domain
   * **auth.example.com**:​ DNS of the LL::NG portal   * **auth.example.com**:​ DNS of the LL::NG portal
-  ​* **authpwd.example.com**:​ DNS of the LL::NG portal (to failback to a form based authentication) +  * **KERB_AUTH**:​ AD account to generate the keytab for LL::NG server
-  * **node1.example.com**:​ DNS of the first LL::NG portal server (in cluster mode) +
-  * **node2.example.com**:​ DNS of the second LL::NG portal server (in cluster mode) +
-  * **ad.example.com**:​ DNS of First Active Directory +
-  * **ad.acme.com**:​ DNS of Second Active Directory +
-  ​* **KERB_AUTH**:​ AD account to generate the keytab for LL::NG server ​(in single mode) +
-  * **KERB_NODE1**:​ AD account to generate the keytab for the first LL::NG server (in cluster mode) +
-  * **KERB_NODE2**:​ AD account to generate the keytab for the second LL::NG server (in cluster mode)+
  
 ==== Server time ==== ==== Server time ====
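Review bot: The removals in the prerequisites list go beyond the cluster entries: ad.example.com and ad.acme.com (the KDC hostnames) and authpwd.example.com are dropped as well, yet the "Client Kerberos configuration" sections for both the single and the multiple domain case are kept and are where the KDC names are normally used. Keep the two AD DNS entries, or confirm that the later sections no longer reference them.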
Line 35: Line 25:
 ==== DNS ==== ==== DNS ====
  
-All names must be registered in the DNS server (which is Active Directory). The reverse DNS should also work for all the names.+The auth.example.com ​must be registered in the DNS server (which is Active Directory). The reverse DNS of auth.example.com **must** return ​the portal IP.
  
-==== AD accounts ​ ====+<note tip>If you have a SSO cluster, you must setup a Virtual IP in cluster and register this IP in DNS.</​note>​
  
-It is recommended to create an AD account for each LL::NG server. Each account will hold the Service Principal Name (SPN) of  the LL::NG server.+==== SSL ====
  
-<note tip>It should be possible to have the same account for all SPN, but this may require some manipulations on AD (command setspn) that are not documented here.</note>+SSL is not mandatory, but it is strongly recommendedYour portal URL should be https://​auth.example.com.
  
 ==== Web browser configuration ​ ==== ==== Web browser configuration ​ ====
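Review bot: "SSL is not mandatory, but it is strongly recommended" understates the risk: without HTTPS the Negotiate token and, more importantly, the session cookie LL::NG sets after authentication cross the network in clear, so an https portal URL should be stated as required for this setup. Spelling out the reverse DNS requirement and the VIP note for clusters is a good addition. The replaced "AD accounts" section was the only place explaining that the AD account carries the SPN; keep one sentence about the SPN/account mapping next to the KERB_AUTH prerequisite, or link to the page that now covers keytab generation.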
Line 55: Line 45:
 Check into security parameters that Kerberos authentication is allowed. Check into security parameters that Kerberos authentication is allowed.
  
-==== Apache Kerberos module installation ​==== +===== Single AD domain =====
- +
-On CentOS/​RHEL:​ +
-<code shell> +
-yum install mod_auth_kerb +
-</​code>​ +
- +
-On Debian/​Ubuntu:​ +
-<code shell> +
-apt-get install libapache2-mod-auth-kerb +
-</​code>​ +
- +
-The module must be loaded by Apache (LoadModule directive). +
- +
-===== Single LL::NG Server / Single AD domain =====+
  
 ==== Client Kerberos configuration ==== ==== Client Kerberos configuration ====
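Review bot: The Apache module installation steps (yum/apt packages and the LoadModule requirement) are deleted while the Presentation still offers the Apache mod_auth_kerb/mod_auth_gssapi path, and no installation prerequisite for the Perl GSSAPI module takes their place. Either move the install steps to the authapache page and link them from here, or add the equivalent prerequisite for the recommended module, so that "Single AD domain" does not start with an unexplained dependency.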
Line 190: Line 166:
   * Encryption types must be the same   * Encryption types must be the same
  
-==== Configuration of LemonLDAP::​NG ==== 
-  
-See [[authapache#​llng|Apache authentication module configuration]]. 
  
-==== Configuration of portal virtual host ==== +===== Multiple ​AD domains =====
- +
-First, copy the current portal virtual host definition into a new one. Use ''​authpwd''​ server name for this virtual host: +
- +
-<file apache>​ +
-<​VirtualHost *> +
-    ServerName authpwd.example.com +
- +
-    ... +
-     +
-</​VirtualHost>​ +
-</​file>​ +
- +
-This virtual host will be used by clients that fail to use the Kerberos protocol. +
- +
-Then, modify the main portal virtual host to load the Apache Kerberos authentication module : +
- +
-<file apache>​ +
-<​VirtualHost *> +
-  ServerName auth.example.com +
- +
-  DocumentRoot /​var/​lib/​lemonldap-ng/​portal/​ +
-    +
-  <​Directory /​var/​lib/​lemonldap-ng/​portal/>​ +
-    Order allow,​deny +
-    Allow from all +
-    Options +ExecCGI +FollowSymLinks +
-  </​Directory>​ +
- +
-  ErrorDocument 401 /login.pl +
-  <​LocationMatch ^/​(?​!login.pl)>​ +
-    <​IfModule auth_kerb_module>​ +
-      AuthType Kerberos +
-      KrbMethodNegotiate On +
-      KrbMethodK5Passwd Off +
-      KrbAuthRealms EXAMPLE.COM +
-      Krb5KeyTab /​etc/​lemonldap-ng/​auth.keytab +
-      KrbVerifyKDC Off +
-      KrbServiceName HTTP/​auth.example.com +
-      require valid-user +
-    </​IfModule>​ +
-  </​LocationMatch>​ +
-     +
-</​VirtualHost>​ +
-</​file>​ +
- +
-==== Redirection script ==== +
- +
-Create a redirection script, called login.pl: +
-<​code>​ +
-vi /​var/​lib/​lemonldap-ng/​portal/​login.pl +
-</​code>​ +
-<file perl> +
-#​!/​usr/​bin/​perl +
-use CGI ':​cgi-lib';​ +
-use strict; +
-use CGI::Carp '​fatalsToBrowser';​ +
-my $uri = $ENV{"​REQUEST_URI"​};​ +
-print CGI::​header(-Refresh => '0; URL=https://​authpwd.example.com'​.$uri);​ +
-exit(0); +
-</​file>​ +
- +
-<note tip>The redirection script is needed if you use a failaback authentication. If not, you can just  keep a single virtual host (the authentication will fail if Kerberos negociation do not succeed).</​note>​ +
- +
-===== LL::NG Cluster / Single AD domain ===== +
- +
-==== Client Kerberos configuration ==== +
- +
-The client Kerberos configuration is the same as a single LL::NG server. +
- +
-==== Obtain keytab file ==== +
- +
-<note important>​You need to get a keytab for each LL::NG node.</​note>​ +
- +
-Commands on Active Directory will be: +
-<​code>​ +
-ktpass -princ HTTP/​node1.example.com@EXAMPLE.COM -mapuser KERB_NODE1@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <​PASSWORD>​ -out c:​\authnode1.keytab +
-ktpass -princ HTTP/​node2.example.com@EXAMPLE.COM -mapuser KERB_NODE2@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <​PASSWORD>​ -out c:​\authnode2.keytab +
-</​code>​ +
- +
-Copy the generated keytab on each node (rename it as auth.keytab to have the same Apache configuration on each node).  +
- +
-Change rights on keytab file: +
-<​code>​ +
-chown apache /​etc/​lemonldap-ng/​auth.keytab +
-chmod 600 /​etc/​lemonldap-ng/​auth.keytab +
-</​code>​ +
- +
-<note tip>You can do the same check for the keytab as with the single LL::NG server. Just use node1.example.com and node2.example.com instead of auth.example.com.</​note>​ +
- +
- +
-==== Configuration of LemonLDAP::​NG ==== +
-  +
-The configuration is the same as a single LL::NG server. +
- +
-==== Configuration of portal virtual host ==== +
- +
-The only change in Apache configuration is in the ''​KrbServiceName'',​ it should be set to Any: +
-<file apache>​ +
-    KrbServiceName Any +
-</​file>​ +
- +
-===== LL::NG Cluster / Two AD domains =====+
  
 ==== Client Kerberos configuration ==== ==== Client Kerberos configuration ====
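Review bot: The remaining "Single AD domain" and "Multiple AD domains" sections now carry no keytab, virtual host or cluster instructions at all, so add a link to the page that holds them (authkerberos, per the Presentation). When that material is migrated, two settings from the deleted examples should not be carried over: `-crypto DES-CBC-MD5` in the ktpass commands, since DES is disabled by default in Active Directory and in current Kerberos libraries, and `KrbVerifyKDC Off`, which turns off the KDC-spoofing protection of the password method (moot here because `KrbMethodK5Passwd Off` is set, but a bad default to copy). The keytab permission step (`chown apache` / `chmod 600 /etc/lemonldap-ng/auth.keytab`) is worth keeping wherever keytab generation is documented next.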
Line 364: Line 235:
 </​code>​ </​code>​
  
-==== Configuration of LemonLDAP::​NG ==== +===== Other resources ​=====
-  +
-The configuration is the same as a single LL::NG server. +
- +
-==== Configuration of portal virtual host ==== +
- +
-The configuration is the same as with a single AD domain. +
- +
-===== Other ressources ​=====+
  
 You can check these documentations to get more information:​ You can check these documentations to get more information:​
   * [[http://​modauthkerb.sourceforge.net/​configure.html]]   * [[http://​modauthkerb.sourceforge.net/​configure.html]]
   * [[http://​www.grolmsnet.de/​kerbtut/​]]   * [[http://​www.grolmsnet.de/​kerbtut/​]]
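Review bot: The "Other resources" list still cites only the mod_auth_kerb configuration page and a mod_auth_kerb tutorial, i.e. the Apache path this revision demotes; add references for mod_auth_gssapi and for the Perl GSSAPI module the Presentation now recommends, and consider dropping the modauthkerb link if that path is being retired. The ressources -> resources typo fix in the heading is fine.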