Difference between revisions of "Next Active Directory Integration"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
| Line 23: | Line 23: | ||
Most issues were caused by selinux. After setting the correct context for the keytab file I was able to get this thing working properly. | Most issues were caused by selinux. After setting the correct context for the keytab file I was able to get this thing working properly. | ||
<ref>http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/</ref><ref>http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml</ref><ref>https://stackoverflow.com/questions/8978080/htaccess-exclude-one-url-from-basic-auth</ref> | <ref>http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/</ref><ref>http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml</ref><ref>https://stackoverflow.com/questions/8978080/htaccess-exclude-one-url-from-basic-auth</ref> | ||
| + | *Check keytab for issues<ref>http://home.apache.org/~michaelo/svn-enterprise-auth/</ref> | ||
*<ref>https://unix.stackexchange.com/questions/120216/apache-mod-auth-kerb-key-table-entry-not-found</ref>Sample apache conf | *<ref>https://unix.stackexchange.com/questions/120216/apache-mod-auth-kerb-key-table-entry-not-found</ref>Sample apache conf | ||
<pre> | <pre> | ||
Revision as of 17:52, 14 December 2017
Installing for WP **VERSION-HERE** with SSO enabled.
Looking to use kerberose for this one, eventually replacing with SAML.
DUMP OF NOTES HERE
[1]
- mv kerberos.keytab /var/www/html/
- chown apache:apache /var/www/html/kerberos.keytab
- kinit -p admin@domain.tld
- yum install mod_auth_gssapi
- nano /etc/httpd/conf.d/vhosts.conf
<Location /private>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/httpd.keytab
Require valid-user
</Location>
- nano /etc/httpd/conf.d/vhosts.conf
Kerberose issues
Most issues were caused by selinux. After setting the correct context for the keytab file I was able to get this thing working properly. [3][4][5]
<VirtualHost 10.5.3.200:443> #Proxy <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass /elasticsearch/ http://127.0.0.1:9200/ ProxyPassReverse /elasticsearch/ http://127.0.0.1:9200/ #Server Config ServerName spufi002.ads.ktag.ch ServerAdmin "sm-linux@ag.ch" DocumentRoot /srv/www/htdocs/kibana/ ErrorLog /var/log/apache2/error_log TransferLog /var/log/apache2/access_log SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH SSLCertificateFile /etc/apache2/ssl.crt/server.crt SSLCertificateKeyFile /etc/apache2/ssl.key/server.key <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> CustomLog /var/log/apache2/ssl_request_log ssl_combined <Directory "/srv/www/htdocs/kibana"> #Authentication AuthType Kerberos AuthName "SPNEGO" KrbAuthRealms ADS.KTAG.CH Krb5Keytab /etc/krb5.keytab KrbMethodNegotiate on KrbServiceName http KrbMethodK5Passwd on KrbLocalUserMapping On Require user abnn ABNN tloi TLOI pwix PWIX rhe6 RHE6 dwav DWAV options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all </Directory> </VirtualHost>
- ↑ https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html
- ↑ https://github.com/modauthgssapi/mod_auth_gssapi
- ↑ http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
- ↑ http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
- ↑ https://stackoverflow.com/questions/8978080/htaccess-exclude-one-url-from-basic-auth
- ↑ http://home.apache.org/~michaelo/svn-enterprise-auth/
- ↑ https://unix.stackexchange.com/questions/120216/apache-mod-auth-kerb-key-table-entry-not-found
