Install Single Sign on with Kerberos at CentOS 7.5.1408
-
- Last edited 4 years ago by MLR
-
-
- This page is a first draft
Contents
- 1 About this manual
- 2 Preparation
- 3 Needed users in the Active Directory
- 4 Create a keytab file
- 5 Install required packages on CentOS
- 6 Create Kerberos configuration
- 7 Test authentication with your Keytab-file
- 8 Secure your BlueSpice webroot with Kerberos
- 9 Testing
- 10 User permission to autocreate account
- 11 PHP-extension for ldap
About this manual
In this manual we will use certain placeholders. Replace them due to the following steps analogical to your system environment.
example.local= your domain namewebserver.example.local= FQDN of your bluespice webserverdc.example.local= FQDN of your domain controller
Preparation
Please make sure that you configured a working "A" record at your DNS server for webserver.example.local and (really necessary!) an reverse DNS record (PTR).
Please make also sure that the system clocks do not differ more than 5 minutes.
Needed users in the Active Directory
You need to create the following users in your Active Directory
- One user for your Kerberos authentication (We will call it "KerberosProxy" at this manual)
- One user for your BlueSpice AD proxy user (We will call it "LdapProxy" at this manual)
Please create these users and configure the passwords to "never expire".
Create a keytab file
Create a keytab file at your domain controller using this command (works on Windows >= 2018 R2):
$ ktpass -princ HTTP/webserver.example.local@EXAMPLE.LOCAL
-mapuser KerberosProxy@EXAMPLE.LOCAL
-crypto RC4-HMAC-NT
-ptype KRB5_NT_PRINCIPAL
-pass <password-of-KerberosProxy>
-out bluespice.keytab
Move this file to your BlueSpice server (folder /etc).
Install required packages on CentOS
Install all packages you need for Kerberos:
$ yum install krb5-workstation mod_auth_kerb
Create Kerberos configuration
Create a backup of /etc/krb5.conf and clear the file content. Insert this new content:
[libdefaults]
default_realm = EXAMPLE.LOCAL
[realms]
EXAMPLE.LOCAL = {
kdc = dc.example.local
admin_server = dc.example.local
}
[domain_realm]
example.local = EXAMPLE.LOCAL
.example.local = EXAMPLE.LOCAL
Test authentication with your Keytab-file
Now you can test your authentication with the keytab file which was created before:
$ kinit -VV -k -t /etc/bluespice.keytab HTTP/webserver.example.local
If everything is configured correctly you should get a success message:
Authenticated to Kerberos v5
Secure your BlueSpice webroot with Kerberos
Now you have to secure the BlueSpice DocumentRoot with. Open your VirtualHost config and insert the following:
<VirtualHost *:443>
...
<Directory /path/to/DocumentRoot>
AuthType Kerberos
KrbAuthRealms EXAMPLE.LOCAL
KrbServiceName HTTP/webserver.example.local@EXAMPLE.LOCAL
Krb5Keytab "/etc/bluespice.keytab"
KrbMethodNegotiate on
KrbMethodK5Passwd on
Require valid-user
</Directory>
...
</VirtualHost>
Restart your apache2 webserver.
Testing
Create a file test.php at the DocumentRoot of BlueSpice and insert this code:
<?php
echo $_SERVER['REMOTE_USER'];
If everyting works fine you should be able to open test.php with a webbrowser (not Firefox!) without getting an authentication window and you can see your windows user name at the test.php. Now delete test.php.
User permission to autocreate account
Make sure that the wiki user group * has the autocreateaccount permission in the PermissionManager of BlueSpice.
PHP-extension for ldap
Make sure that php-ldap is installed and loaded at your apache2 server.