Kerberos and Apache2 Single-Sign-on
###################################

Record of steps taken when building testweb.foxhop.net.

.. contents::

Prepare Service AD account and keytab
=====================================

Windows Domain admin required.

1. configure the testservice AD user account
2. configure the testservice AD user password to sup3rs3cur3
3. generate a keytab file

.. code-block:: bat

    REM run on srv0103
    ktpass -out c:\testweb.foxhop.net.keytab ^
      -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^
      -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^
      -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

Things to keep in mind about this step:

- ``ktpass`` registers the SPN ``HTTP/testweb.foxhop.net`` on the
  ``testservice`` account and resets that account's password. Every run
  increments the account's key version number (kvno), so any keytab
  generated earlier stops working and has to be replaced.
- The keytab contains the service's long-term key. Anyone who can read it
  can impersonate the web server and decrypt every service ticket presented
  to it, so treat it like a TLS private key. The ``-pass`` value also ends
  up in the command history on srv0103.
- ``-crypto RC4-HMAC-NT`` was used for compatibility with the RHEL5-era
  stack. RC4-HMAC is deprecated and current domain controllers can be
  configured to refuse it; on a current domain use ``-crypto AES256-SHA1``
  and make sure the account has "This account supports Kerberos AES 256 bit
  encryption" enabled, so the keytab carries an AES key.

Copy the keytab to /tmp on the Linux web server (scp, not e-mail or a
shared drive). /tmp is world-searchable, so remove that copy as soon as it
has been installed under /etc/httpd below.

Configure Kerberos
==================

vim /etc/krb5.conf

.. code-block:: ini

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = AD.FOXHOP.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    AD.FOXHOP.NET = {
        kdc = DS1.AD.FOXHOP.NET
        kdc = DS2.AD.FOXHOP.NET
        admin_server = DS1.AD.FOXHOP.NET
        default_domain = AD.FOXHOP.NET
    }

    [domain_realm]
    .ad.foxhop.net = AD.FOXHOP.NET
    ad.foxhop.net = AD.FOXHOP.NET

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

Notes: ``dns_lookup_kdc = true`` lets the library find domain controllers
through the ``_kerberos._tcp`` SRV records in addition to the two listed
explicitly. ``forwardable = yes`` makes every ticket forwardable, which is
what allows credential delegation to the web server later (see
``KrbSaveCredentials``); leave it off if delegation is not needed. The
``[appdefaults] pam`` block is only read by pam_krb5, not by Apache, and
``krb4_convert`` is obsolete.

Test Kerberos
=============

Get a ticket and authenticate your user:

.. code-block:: console

    $ kinit foxhop-test@AD.FOXHOP.NET
    Password for foxhop-test@AD.FOXHOP.NET:

View the ticket:

.. code-block:: console

    $ klist
    Valid starting     Expires            Service principal
    08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET
            renew until 08/02/12 11:07:22

Delete or destroy all tickets, then confirm ``klist`` reports none:

.. code-block:: console

    $ kdestroy
    $ klist

Kerberos is configured.

Configure Apache
================

Copy the keytab and adjust perms so only root and the apache group can
read it:

.. code-block:: bash

    cd /etc/httpd
    cp /tmp/testweb.foxhop.net.keytab .
    chown root:apache testweb.foxhop.net.keytab
    chmod 640 testweb.foxhop.net.keytab

Test the keytab by obtaining a ticket with it; you should see a ticket for
the service principal afterwards:

.. code-block:: bash

    # you should see a ticket
    kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net
    klist

``klist -kte /etc/httpd/testweb.foxhop.net.keytab`` additionally lists the
principal, kvno and enctype of each key in the file. The kvno must match the
one the KDC currently has for the account (``kvno HTTP/testweb.foxhop.net``
after a user ``kinit``); a mismatch means ``ktpass`` was re-run since this
keytab was made.

Install the custom mod_auth_kerb RPM (the 5.1 release shipped with RHEL5
lacks ``KrbLocalUserMapping``):

.. code-block:: bash

    rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm

Configure the Apache2 VirtualHost:

vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf

.. code-block:: apache

    #…
    ##################
    #    Kerberos    #
    ##################
    KrbServiceName HTTP
    KrbAuthRealms AD.FOXHOP.NET
    Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbSaveCredentials on
    # KrbLocalUserMapping removes @REALM | NA in RHEL5
    # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm
    KrbLocalUserMapping on
    #…

These directives sit inside the ``<Location>`` or ``<Directory>`` block that
also carries ``AuthType Kerberos``, ``AuthName`` and ``Require valid-user``
(elided above). What each one implies:

- ``KrbMethodNegotiate on`` enables SPNEGO, the actual single sign-on path:
  the browser presents a service ticket for ``HTTP/testweb.foxhop.net`` and
  no password ever reaches Apache.
- ``KrbMethodK5Passwd on`` enables a Basic-auth fallback: the browser sends
  the user's AD password to Apache, which performs a ``kinit`` with it. Only
  serve this over HTTPS, and leave ``KrbVerifyKDC`` at its default of
  ``on`` so the obtained TGT is verified against the keytab; without that
  check a spoofed KDC could make any password "succeed". Set it ``off``
  if every client can do Negotiate.
- ``KrbSaveCredentials on`` stores the delegated credentials in a
  credential cache and exports ``KRB5CCNAME`` to the application. It is
  only needed when the application has to act as the user towards a
  backend; otherwise keep it ``off`` so user TGTs do not accumulate on the
  web server.
- ``KrbLocalUserMapping on`` strips ``@AD.FOXHOP.NET`` from the authenticated
  principal so ``REMOTE_USER`` matches a local account name. Verify that a
  principal from any other realm does not end up as the same
  ``REMOTE_USER`` as the local user of that name.
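The keytab checks described under "Prepare Service AD account and keytab"
and "Test the keytab" (right enctype, right principal, a single current
kvno) can be done without ``klist`` by reading the file directly. The
following is an added example, not code from the original page or from
mod_auth_kerb: it parses the MIT keytab v2 (``0x0502``) layout itself, so it
needs no krb5 libraries, and builds constructed sample keytabs in memory
with dummy key bytes. The principal, enctype numbers and the ``SERVICE``
name are taken from the page; the audit policy (reject DES/3DES/RC4, require
an AES key, flag mixed kvnos) is this example's own.

```python
"""Inspect an MIT-format keytab and flag weak or stale keys (added example)."""
import struct
import sys
import time

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2
KRB5_NT_PRINCIPAL = 1

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",   # what ktpass -crypto RC4-HMAC-NT writes
}
WEAK_ENCTYPES = {1, 3, 16, 23}   # DES, 3DES, RC4: deprecated by RFC 6649 / RFC 8429
AES_ENCTYPES = {17, 18, 19, 20}


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Write a v2 keytab from (principal, kvno, enctype, key) tuples.

    Only used to construct sample input here; real keytabs come from ktpass.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type, timestamp, 8-bit kvno, keyblock, then the 32-bit kvno extension
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per key entry: principal, kvno, enctype, enctype_name."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 (0x0502) keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative length marks a deleted slot
            pos += -size
            continue
        entry, off = data[pos:pos + size], 0
        pos += size

        def take(n):
            nonlocal off
            chunk = entry[off:off + n]
            off += n
            return chunk

        def counted():
            return take(struct.unpack(">H", take(2))[0])

        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        counted()                 # the key itself; not needed for the audit
        vno = vno8
        if size - off >= 4:       # 32-bit kvno present: it overrides vno8
            (vno,) = struct.unpack(">I", take(4))
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def audit_keytab(data: bytes, expected_principal: str):
    """Return a list of findings; an empty list means the keytab looks sane."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab has no entries"]
    findings = []
    for e in entries:
        if e["principal"] != expected_principal:
            findings.append("unexpected principal %s" % e["principal"])
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s (kvno %d)"
                            % (e["enctype_name"], e["principal"], e["kvno"]))
    if not any(e["enctype"] in AES_ENCTYPES for e in entries):
        findings.append("no AES key present")
    kvnos = sorted({e["kvno"] for e in entries})
    if len(kvnos) > 1:
        findings.append("mixed kvnos %s: stale keys from an earlier ktpass run" % kvnos)
    return findings


SERVICE = "HTTP/testweb.foxhop.net@AD.FOXHOP.NET"
# Constructed samples; the key bytes are zero-filled dummies, not real keys.
SAMPLE_RC4 = build_keytab([(SERVICE, 3, 23, bytes(16))])   # like the page's ktpass run
SAMPLE_AES = build_keytab([(SERVICE, 4, 18, bytes(32))])   # what -crypto AES256-SHA1 yields

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RC4
    for e in parse_keytab(data):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for f in audit_keytab(data, SERVICE):
        print("FINDING:", f)
```

Run it as ``python keytab_audit.py /etc/httpd/testweb.foxhop.net.keytab``
(as root or a member of the apache group, given the 640 mode) to see what
``ktpass`` actually produced; with no argument it audits the constructed
RC4 sample and reports the weak enctype and the missing AES key.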
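The last bullet under the VirtualHost configuration asks what
``KrbLocalUserMapping`` turns a principal into. The following is an added
example and not mod_auth_kerb's code: it is a small model of the mapping
policy a practitioner would want behind ``REMOTE_USER``, reading the realms
from the ``KrbAuthRealms`` line of the vhost fragment on this page and
refusing to collapse a principal from any other realm to a bare username.
The function name ``map_remote_user``, the single-line ``KrbAuthRealms``
assumption, the rejection of multi-component (service) principals and the
lowercasing of the result are this example's own choices.

```python
"""Model of the REMOTE_USER mapping behind KrbLocalUserMapping (added example)."""
import re

# Constructed fragment of the vhost file from this page (assumption: the
# KrbAuthRealms directive is on a single line, as in the page's config).
VHOST_CONF = """
KrbServiceName HTTP
KrbAuthRealms AD.FOXHOP.NET
Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab
KrbMethodNegotiate on
KrbLocalUserMapping on
"""


def auth_realms_from_config(text: str) -> set:
    """Collect every realm named on KrbAuthRealms lines (space-separated)."""
    realms = set()
    for line in text.splitlines():
        m = re.match(r"\s*KrbAuthRealms\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            realms.update(m.group(1).split())
    return realms


def map_remote_user(principal: str, auth_realms: set):
    """Return the local username for an authenticated principal, or None to deny.

    Policy of this model (stricter than plain realm stripping):
      - the realm must be one of the configured realms, compared
        case-sensitively because Kerberos realm names are case-sensitive;
      - multi-component names (HTTP/host, host/...) are service principals,
        not users, and are refused;
      - the name is lowercased because AD logon names are case-insensitive
        while Unix accounts are not, so "Bob" and "bob" must not become two
        different local identities.
    """
    if principal.count("@") != 1:
        return None
    name, realm = principal.split("@")
    if not name or realm not in auth_realms:
        return None            # foreign realm: do not collapse to a local name
    if "/" in name:
        return None
    return name.lower()


if __name__ == "__main__":
    realms = auth_realms_from_config(VHOST_CONF)
    for p in ("foxhop-test@AD.FOXHOP.NET", "Foxhop-Test@AD.FOXHOP.NET",
              "foxhop-test@OTHER.EXAMPLE", "foxhop-test@ad.foxhop.net",
              "HTTP/testweb.foxhop.net@AD.FOXHOP.NET"):
        print("%-40s -> %r" % (p, map_remote_user(p, realms)))
```

The point of the foreign-realm and lowercase-realm cases is that once the
realm is gone, ``REMOTE_USER`` alone is what the application authorises on;
whatever does the stripping has to be the place where realm trust is
decided.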