Difference between revisions of "Manual:Extension/LDAPAuthentication/SSO"
(Created page with "{{DISPLAYTITLE:Install Single Sign on with Kerberos at CentOS 7.5.1408}} __TOC__ ==About this manual== In this manual we will use certain placeholders. Replace them due t...") (Tag: 2017 source edit)
m (Mlink-rodrigue moved page LDAPAuthentication/SSO to Manual:Extension/LDAPAuthentication/SSO without leaving a redirect)
{{DISPLAYTITLE:Install Single Sign on with Kerberos at CentOS 7.5.1408}}
__TOC__
==About this manual==
In this manual we use the following placeholders. Replace them in the steps below with the values from your own environment:
*<code>example.local</code> = your domain name
*<code>webserver.example.local</code> = FQDN of your bluespice webserver
*<code>dc.example.local</code> = FQDN of your domain controller
==Preparation==
Make sure that your DNS server has a working A record for <code>webserver.example.local</code> '''and''' (really necessary!) a matching reverse record (PTR). The Kerberos library on the web server resolves its own name through the PTR record when it builds the service principal, so a missing or different PTR makes it look for a principal that is not in the keytab.
Also make sure that the system clocks of the web server and the domain controller differ by no more than 5 minutes. Kerberos rejects tickets beyond that skew, so keep the web server synchronised with the domain controller (chrony or ntpd).
==Needed users in the Active Directory==
Create the following users in your Active Directory:
*One user whose account carries the service principal for Kerberos authentication (called "KerberosProxy" in this manual). Its password becomes the key stored in the keytab, so changing it later invalidates the keytab.
*One user that BlueSpice uses to bind to the directory for LDAP lookups (called "LdapProxy" in this manual). It only needs read access to the directory.
Create both users as plain, unprivileged accounts and set their passwords to "never expire".
<bs:uepagebreak />
==Create a keytab file==
Create the keytab file on your domain controller with <code>ktpass</code> from an elevated command prompt (available on Windows Server 2008 R2 and later). The command registers the SPN <code>HTTP/webserver.example.local</code> on the KerberosProxy account, sets the account password to the value given and writes the matching key to the keytab:
<source lang="bat">
ktpass -princ HTTP/webserver.example.local@EXAMPLE.LOCAL ^
  -mapuser KerberosProxy@EXAMPLE.LOCAL ^
  -crypto RC4-HMAC-NT ^
  -ptype KRB5_NT_PRINCIPAL ^
  -pass <password-of-KerberosProxy> ^
  -out bluespice.keytab
</source>
<code>RC4-HMAC-NT</code> is the weakest encryption type Active Directory still offers. If the KerberosProxy account has the "This account supports Kerberos AES 256 bit encryption" option enabled, use <code>-crypto AES256-SHA1</code> instead; the rest of the procedure does not change.
Move the file to your BlueSpice server as <code>/etc/bluespice.keytab</code>. The keytab is the service's long-term key: make it readable only by root and the user Apache runs as (<code>apache</code> on CentOS), and never copy it into the web root or a repository.
==Install required packages on CentOS==
Install the Kerberos client tools and the Apache Kerberos module (the VirtualHost below listens on port 443, so <code>mod_ssl</code> has to be present as well):
<source lang="bash">
$ yum install krb5-workstation mod_auth_kerb
</source>
==Create Kerberos configuration==
Create a backup of <code>/etc/krb5.conf</code>, then replace its content with the following. It points the realm <code>EXAMPLE.LOCAL</code> at your domain controller as KDC and maps the DNS domain to that realm:
<source lang="ini">
[libdefaults]
default_realm = EXAMPLE.LOCAL
[realms]
EXAMPLE.LOCAL = {
kdc = dc.example.local
admin_server = dc.example.local
}
[domain_realm]
example.local = EXAMPLE.LOCAL
.example.local = EXAMPLE.LOCAL
</source>
==Test authentication with your Keytab-file==
Now test that the KDC accepts the keytab by obtaining a ticket as the service principal (<code>-k -t</code> uses the keytab instead of asking for a password):
<source lang="bash">
$ kinit -VV -k -t /etc/bluespice.keytab HTTP/webserver.example.local
</source>
If everything is configured correctly you get a success message:
<source lang="bash">Authenticated to Kerberos v5</source>
A "Clock skew too great" error means the clocks are out of sync; "Preauthentication failed" usually means the keytab no longer matches the account password. Run <code>kdestroy</code> afterwards, the service ticket is not needed on the shell.
<bs:uepagebreak />
==Secure your BlueSpice webroot with Kerberos==
Now protect the BlueSpice DocumentRoot with <code>mod_auth_kerb</code>. Open your VirtualHost configuration and insert the following:
<source lang="apache">
<VirtualHost *:443>
...
<Directory /path/to/DocumentRoot>
AuthType Kerberos
KrbAuthRealms EXAMPLE.LOCAL
KrbServiceName HTTP/webserver.example.local@EXAMPLE.LOCAL
Krb5Keytab "/etc/bluespice.keytab"
KrbMethodNegotiate on
KrbMethodK5Passwd on
Require valid-user
</Directory>
...
</VirtualHost>
</source>
<code>KrbMethodNegotiate on</code> enables the ticket-based SSO. <code>KrbMethodK5Passwd on</code> additionally lets a client without a ticket fall back to HTTP Basic authentication; the user's domain password is then sent to the web server and verified against the KDC. Keep this behind TLS only (hence port 443) and set it to <code>off</code> if you want ticket-only access. Leave <code>KrbVerifyKDC</code> at its default (<code>on</code>): with the keytab the module verifies that the KDC answering a password fallback is genuine. The keytab must be readable by the user Apache runs as.
Check the configuration syntax and restart the httpd service (on CentOS the Apache service is named <code>httpd</code>, not apache2).
==Testing==
Create a file <code>test.php</code> in the DocumentRoot of BlueSpice with this content:
<source lang="php">
<?php
// Shows the principal mod_auth_kerb authenticated (e.g. jdoe@EXAMPLE.LOCAL); delete after testing
$user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '(not authenticated)';
echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
</source>
If everything works you can open <code>test.php</code> in a browser from a domain-joined Windows client without getting an authentication prompt, and the page shows your Windows user name in the form <code>user@EXAMPLE.LOCAL</code>. Browsers only send a ticket to sites they trust for Negotiate: Internet Explorer, Edge and Chrome on Windows use the Local intranet zone, so add <code>https://webserver.example.local</code> there; Firefox needs the site in <code>network.negotiate-auth.trusted-uris</code> in <code>about:config</code>, otherwise it falls back to the password prompt. Delete <code>test.php</code> when you are done.
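The checks from the Preparation, keytab test and Testing sections, combined into one script to run on the BlueSpice server. This is an added example, not part of the BlueSpice manual or the LDAPAuthentication extension. It assumes the placeholder names of this page, the keytab at <code>/etc/bluespice.keytab</code> and the <code>test.php</code> above (all overridable through environment variables), and expects the operator to have obtained a user ticket with <code>kinit</code> as a domain user before the HTTP part runs:

```sh
#!/bin/sh
# sso-check.sh: checks the steps of this manual end to end on the BlueSpice server.
# Added example, not part of BlueSpice or the original manual. Assumptions
# (override via environment): this page's placeholders, the keytab at
# /etc/bluespice.keytab and the test.php from the Testing section. Needs getent
# (glibc), klist/kinit/kdestroy (krb5-workstation) and curl built with GSSAPI.
# Run as: sh sso-check.sh run   (after 'kinit user@EXAMPLE.LOCAL' as a domain user)
FQDN="${FQDN:-webserver.example.local}"
KEYTAB="${KEYTAB:-/etc/bluespice.keytab}"
URL="${URL:-https://$FQDN/test.php}"

# Service principal for a host: HTTP/<fqdn>@<REALM>, realm = DNS domain in upper case.
spn_for_fqdn() {
    spn_realm=$(printf '%s' "${1#*.}" | tr '[:lower:]' '[:upper:]')
    printf 'HTTP/%s@%s\n' "$1" "$spn_realm"
}

# Forward-resolve FQDN, then every address must reverse-resolve to FQDN again.
# The Kerberos library canonicalises the server name via the PTR record, so a
# missing or different PTR makes Apache look for a principal that is not in the keytab.
dns_consistent() {
    dns_ips=$(getent ahosts "$1" | awk '{ print $1 }' | sort -u)
    [ -n "$dns_ips" ] || { echo "FAIL: no address record for $1"; return 1; }
    for dns_ip in $dns_ips; do
        dns_rev=$(getent hosts "$dns_ip" | awk '{ print $2 }')
        [ "$dns_rev" = "$1" ] || { echo "FAIL: PTR for $dns_ip is '$dns_rev', expected $1"; return 1; }
    done
    echo "OK: A and PTR records for $1 agree"
}

# Read 'klist -k' output on stdin; succeed when the wanted principal is listed.
keytab_lists_principal() {
    awk -v spn="$1" '$2 == spn { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Map the usual MIT kinit error messages to the manual step that needs revisiting.
kinit_hint() {
    case "$1" in
        *"Clock skew too great"*)
            echo "clock differs from the KDC by more than 5 minutes: sync time with the domain controller" ;;
        *"Cannot find KDC"*|*"Cannot resolve"*)
            echo "KDC unreachable: check [realms] in /etc/krb5.conf and DNS for the domain controller" ;;
        *"Preauthentication failed"*|*"Decrypt integrity check failed"*)
            echo "keytab key does not match the account: password or kvno changed after ktpass, regenerate the keytab" ;;
        *"not found in Kerberos database"*)
            echo "principal unknown to the KDC: check the -princ and -mapuser values given to ktpass" ;;
        *)  echo "unrecognised kinit error, read the message above" ;;
    esac
}

# Read HTTP response headers on stdin; succeed when the server challenges with Negotiate.
negotiate_offered() {
    grep -q -i '^WWW-Authenticate: *Negotiate'
}

main() {
    spn=$(spn_for_fqdn "$FQDN")
    dns_consistent "$FQDN" || exit 1

    klist -k "$KEYTAB" | keytab_lists_principal "$spn" \
        || { echo "FAIL: $KEYTAB does not contain $spn"; exit 1; }
    echo "OK: $KEYTAB contains $spn"

    # Authenticate as the service into a throwaway cache so the operator's own
    # user ticket, needed for the HTTP test below, stays untouched.
    kinit_out=$(KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
                kinit -k -t "$KEYTAB" "$spn" 2>&1 && kdestroy) \
        || { echo "FAIL: kinit with keytab: $kinit_out"; echo "hint: $(kinit_hint "$kinit_out")"; exit 1; }
    echo "OK: kinit with $KEYTAB as $spn succeeded"

    # An anonymous request must be answered with a Negotiate challenge ...
    curl -s -I "$URL" | negotiate_offered \
        || { echo "FAIL: $URL offers no Negotiate challenge (AuthType/KrbMethodNegotiate?)"; exit 1; }
    echo "OK: $URL challenges with Negotiate"

    # ... and a request carrying the operator's ticket must pass and echo that user.
    code=$(curl -s --negotiate -u : -o /dev/null -w '%{http_code}' "$URL")
    [ "$code" = 200 ] || { echo "FAIL: negotiate request to $URL got HTTP $code"; exit 1; }
    echo "OK: test.php reports REMOTE_USER=$(curl -s --negotiate -u : "$URL")"
}

if [ "${1:-}" = run ]; then
    main
fi
```

For the HTTP part the web server's certificate must be trusted by curl: add your internal CA to the system trust store rather than passing <code>-k</code>, otherwise the check would also accept a server you never meant to trust. The service-side <code>kinit</code> deliberately uses its own credential cache; without that it would overwrite the domain user's ticket that the Negotiate request needs.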
==User permission to autocreate account==
Make sure that the wiki user group <code>*</code> has the <code>autocreateaccount</code> permission in the PermissionManager of BlueSpice. Without it, a user whom Apache has authenticated but who has no wiki account yet cannot be created on the fly at first login.
==PHP-extension for ldap==
Make sure that <code>php-ldap</code> is installed and loaded by the PHP your Apache server uses; the LDAPAuthentication extension needs it to look up the authenticated user in the directory with the LdapProxy account.