Apache

Authentication	Users	Password
✔

Presentation

LL::NG can delegate authentication to Apache, so it is possible to use any Apache authentication module, for example:

Apache authentication module will set the REMOTE_USER environment variable, which will be used by LL::NG to get authenticated user.

This documentation will focus on Kerberos authentication module, that can allow for example to set transparent authentication for Active Directory users (as Active Directory is a Kerberos server).

The following sample parameters will be used:

EXAMPLE.COM: Kerberos realm
HTTP: Service name
auth.example.com: DNS of the portal
ad.example.com: DNS of Active Directory
cn=ssokerberos,cn=users,dc=example,dc=com: DN of AD technical account
complicatedpassword: Password of AD technical account

Configuration

Apache Kerberos module

The module can be found here.

On CentOS/RHEL:

yum install mod_auth_kerb

On Debian/Ubuntu:

apt-get install libapache2-mod-auth-kerb

The module must be loaded by Apache (LoadModule directive).

Kerberos client for Linux

Edit /etc/krb5.conf:

[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com
  admin_server = ad.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Connection between Linux and Active Directory - method 1

This method requires to execute a command on the Active Directory server, and then transfer the keytab on Linux server.

You have to run this command on Active Directory:

ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab

The file auth.keytab should then be copied (with a secure media) to the Linux server (for example in /etc/lemonldap-ng).

Then on Linux server:

kinit HTTP/auth.example.com
kvno HTTP/auth.example.com@EXAMPLE.COM
klist -e
kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com

Connection between Linux and Active Directory - method 2

This method requires the msktutil program on Linux server. You should be able to find a package for your distribution with a little search on the web.

Initiate the Kerberos connection:

kinit ssokerberos@EXAMPLE.COM

Then create the keytab.

Windows 2003 server:

rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b "cn=COMPUTERS" -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose

Windows 2008 server:

rm -f /etc/lemonldap-ng/auth.keytab
msktutil -c -b "cn=COMPUTERS" -s HTTP/auth.example.com -h auth.example.com -k /etc/lemonldap-ng/auth.keytab --computer-name portalsso --upn HTTP/auth.example.com --server ad.example.com --verbose --enctypes 28

Option –enctypes requires msktutil > 0.4

Close kerberos connection:

kdestroy

Change rights on keytab file:

chown apache /etc/lemonldap-ng/auth.keytab

Configuration of LemonLDAP::NG

In Manager, go in General Parameters > Authentication modules and choose Apache for authentication.

You can then choose any other module for users and password.

You can also configure the authentication level for this module.

Configuration of Apache virtual host

Modify the portal virtual host:

<VirtualHost *>
    ServerName auth.example.com
 
   DocumentRoot /var/lib/lemonldap-ng/portal/
 
  <Directory /var/lib/lemonldap-ng/portal/>
    Order allow,deny
    Allow from all
    Options +ExecCGI
 
    <IfModule auth_kerb_module>
      AuthType Kerberos
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      Krb5KeyTab /etc/lemonldap-ng/auth.keytab
      KrbVerifyKDC Off
      KrbServiceName HTTP/auth.example.com
      require valid-user
    </IfModule>
 
  </Directory>
 
</VirtualHost>

Use Kerberos with Multiple authentication backend

You may want to use the Mutliple authentication backend to fail back to another authentication for user without Kerberos ticket.

This needs some hacking because the Apache Kerberos authentication module do not work if require valid-user is not set.

To achieve this, follow these steps:

Create a symlink on portal/index.pl to define the kerberos authentication end point:

ln -s /var/lib/lemonldap-ng/portal/index.pl /var/lib/lemonldap-ng/portal/kerberos.pl

Create a redirection script, called login.pl:

vi /var/lib/lemonldap-ng/portal/login.pl

#!/usr/bin/perl
use CGI ':cgi-lib';
use strict;
use MIME::Base64;
use CGI::Carp 'fatalsToBrowser';
my $uri = $ENV{"REDIRECT_QUERY_STRING"};
print CGI::header(-Refresh => '0; URL=http://auth.example.com/?'.$uri);
exit(0);

Modify the Apache virtual host to separate the Kerberos Authentication module:

<VirtualHost *>
  ServerName auth.example.com
 
  DocumentRoot /var/lib/lemonldap-ng/portal/
 
  <Directory /var/lib/lemonldap-ng/portal/>
    Order allow,deny
    Allow from all
    Options +ExecCGI +FollowSymLinks
  </Directory>
 
  ErrorDocument 401 /login.pl
  <Location /kerberos.pl>
    <IfModule auth_kerb_module>
      AuthType Kerberos
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      Krb5KeyTab /etc/lemonldap-ng/auth.keytab
      KrbVerifyKDC Off
      KrbServiceName HTTP/auth.example.com
    </IfModule>
  </Location>
 
</VirtualHost>

Modify LemonLDAP::NG Portal URL trough Manager to: http://auth.example.com/kerberos.pl
Configure Multiple authentication backend (for example: Apache;LDAP)
Restart Apache

Time to test

Configure IE or Firefox to trust http://auth.example.com, and then it should work!