Difference between revisions of "Next Active Directory Integration"

From Michael's Information Zone
References (cited as [1] to [7] in the text below)

[1] https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html
[2] https://github.com/modauthgssapi/mod_auth_gssapi
[3] http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
[4] http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
[5] https://stackoverflow.com/questions/8978080/htaccess-exclude-one-url-from-basic-auth
[6] http://home.apache.org/~michaelo/svn-enterprise-auth/
[7] https://unix.stackexchange.com/questions/120216/apache-mod-auth-kerb-key-table-entry-not-found

Latest revision as of 12:58, 11 April 2018

Installing for WP **VERSION-HERE** with SSO enabled.
Looking to use Kerberos for this one, eventually replacing it with SAML.

  • On the Windows domain controller
ktpass -princ HTTP/your.site@domain.tld -mapuser <serviceaccount>@domain.tld -pass <password here> -crypto ALL -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos3.keytab


DUMP OF NOTES HERE [1]

mv kerberos.keytab /var/www/html/
chown apache:apache /var/www/html/kerberos.keytab
yum install mod_auth_gssapi mod_auth_kerb krb5-workstation
kinit -p admin@domain.tld
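Added example, not from the wiki page: post-deployment checks for the keytab the notes above just moved, assuming /var/www/html is also the DocumentRoot (the CentOS default) and that the text of `klist -kt` is what you feed the principal check. A keytab inside the DocumentRoot is a file Apache will serve like any other, so the first check expects it elsewhere (the sample conf further down reads /etc/krb5.keytab).

```shell
#!/bin/sh
# Added example, not from the wiki page: checks to run after the mv/chown steps
# above. Inputs (keytab path, Apache user, DocumentRoot, site host) are passed
# in; the principal check works on the text of `klist -kt <keytab>`.

# 0 if the keytab is outside the web root. A keytab under DocumentRoot is just
# another file Apache will serve, and it holds the service's long-term key.
keytab_outside_docroot() {
    keytab=$1; docroot=${2%/}
    case "$keytab" in
        "$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if the keytab is owned by the Apache user and readable by nobody else.
keytab_perms_ok() {
    keytab=$1; user=$2
    [ -f "$keytab" ] || return 1
    owner=$(stat -c %U "$keytab" 2>/dev/null || stat -f %Su "$keytab")  # GNU, then BSD
    mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
    [ "$owner" = "$user" ] && [ "$mode" = "600" ]
}

# 0 if `klist -kt` output lists HTTP/<host>@REALM: the SPN browsers request for
# this site must be in the keytab, or you get the "key table entry not found" error from [7].
keytab_has_http_principal() {
    printf '%s\n' "$1" | grep -qF "HTTP/$2@"
}

# Run all checks, print each failure and return the number of failures.
check_keytab() {
    keytab=$1; user=$2; docroot=$3; host=$4; klist_output=$5; fails=0
    keytab_outside_docroot "$keytab" "$docroot" || { echo "inside DocumentRoot: $keytab"; fails=$((fails+1)); }
    keytab_perms_ok "$keytab" "$user" || { echo "owner/mode must be $user/600: $keytab"; fails=$((fails+1)); }
    keytab_has_http_principal "$klist_output" "$host" || { echo "no HTTP/$host entry in keytab"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed `klist -kt` output matching the ktpass command above.
KLIST_SAMPLE='Keytab name: FILE:/var/www/html/kerberos.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   3 04/11/18 12:58:00 HTTP/your.site@DOMAIN.TLD'

# Against the paths from the notes, this reports the keytab sitting in the docroot.
check_keytab /var/www/html/kerberos.keytab apache /var/www/html your.site "$KLIST_SAMPLE" \
    || echo "$? keytab check(s) failed"
```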

  • nano /etc/httpd/conf.d/vhosts.conf

[2]

<Location /private>
    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiCredStore keytab:/etc/httpd.keytab
    Require valid-user
</Location>
  • nano /etc/httpd/conf.d/vhosts.conf

Kerberos issues

Most issues were caused by SELinux. After setting the correct context for the keytab file I was able to get this thing working properly. [3][4][5]

  • Check keytab for issues [6]
  • Sample Apache conf [7]
<VirtualHost 10.5.3.200:443>

#Proxy
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /elasticsearch/ http://127.0.0.1:9200/
ProxyPassReverse /elasticsearch/ http://127.0.0.1:9200/

#Server Config
ServerName spufi002.ads.ktag.ch
ServerAdmin "sm-linux@ag.ch"
DocumentRoot /srv/www/htdocs/kibana/
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog /var/log/apache2/ssl_request_log   ssl_combined
<Directory "/srv/www/htdocs/kibana">

#Authentication
AuthType Kerberos
AuthName "SPNEGO"
KrbAuthRealms ADS.KTAG.CH
Krb5Keytab /etc/krb5.keytab
KrbMethodNegotiate on
KrbServiceName http
KrbMethodK5Passwd on
KrbLocalUserMapping On
Require user abnn ABNN tloi TLOI pwix PWIX rhe6 RHE6 dwav DWAV
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
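Added example, not the wiki's own: a POSIX shell lint for the sample conf above, flagging KrbMethodK5Passwd on (mod_auth_kerb then also accepts a Basic-auth password instead of a ticket), Options Indexes on the document root, and authentication that lives only in <Directory> while ProxyPass serves /elasticsearch/ (proxied requests never map to that directory, so the Elasticsearch proxy gets no Kerberos check). SAMPLE_CONF is a trimmed copy of the page's conf; adding the auth directives to a <Location /elasticsearch/> block as well clears the last finding.

```shell
#!/bin/sh
# Added example, not from the wiki page: lint the sample vhost for weak settings.
# Input is the config text; output is one finding per line.
# SAMPLE_CONF is a trimmed copy of the page's sample conf (constructed input).
SAMPLE_CONF='<VirtualHost 10.5.3.200:443>
<Proxy *>
Allow from all
</Proxy>
ProxyPass /elasticsearch/ http://127.0.0.1:9200/
<Directory "/srv/www/htdocs/kibana">
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbMethodK5Passwd on
Require user abnn ABNN
options Indexes FollowSymLinks
</Directory>
</VirtualHost>'

# 0 when ProxyPass is used but no AuthType sits inside a <Location> or <Proxy>
# block: ProxyPass targets are not files, so <Directory> auth never covers them.
proxy_lacks_auth() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /^<(location|proxy)/    { inside = 1 }
        tolower($1) ~ /^<\/(location|proxy)>/ { inside = 0 }
        inside && tolower($1) == "authtype"   { covered = 1 }
        tolower($1) == "proxypass"            { proxied = 1 }
        END { if (proxied && !covered) exit 0; exit 1 }'
}

# Print one line per finding; always return 0 so callers under set -e survive.
lint_vhost() {
    conf=$1
    # mod_auth_kerb also accepts Basic auth with the AD password when this is on,
    # so a ticket is no longer required and passwords transit the web server.
    printf '%s\n' "$conf" | grep -qi '^[[:space:]]*KrbMethodK5Passwd[[:space:]]*on' \
        && echo "KrbMethodK5Passwd on: Basic-auth password fallback enabled"
    # Directory listing of the document root.
    printf '%s\n' "$conf" | grep -qi '^[[:space:]]*Options[[:space:]].*Indexes' \
        && echo "Options Indexes: directory listing enabled"
    proxy_lacks_auth "$conf" \
        && echo "ProxyPass without <Location>/<Proxy> auth: proxied paths skip Kerberos"
    return 0
}

lint_vhost "$SAMPLE_CONF"
```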