Kerberos and LDAP over the web

I have for several years had a kerberos/ldap Single-Sign-On (SSO) solution active on my home computer network. One part that had not been integrated is my Apache httpd web-server. I started to take a look on activate this at Christmas. It was easy to get Kerberos working for the webserver on my Ubuntu server.

This assumes you have ssl working on your web-server for the area you want to password protect.

Install the libapache2-mod-auth-kerb from Universe.
Activate the module with the command:
sudo a2enmod auth_kerb

Add the following to the directory configuration in apache you want to protect using kerberos.

AuthName "Realm"
AuthType Kerberos
KrbAuthRealms MYREALM
Krb5Keytab /etc/apache2/http.keytab
Require principal@MYREALM
KrbServiceName HTTP/www.MYDOMAIN.org
Require valid-user

Change MYREALM and MYDOMAIN to values that fits you.

Connect to the kerberos admin server and create a new principal and a keytab including this principal. If you use MIT Kerberos, do like this. Start kadmin and then:
ank -randkey HTTP/www.MYDOMAIN.org
xst -k /etc/apache2/http.keytab
q

Verify that only www-data has read-access to the keytab-file /etc/apache2/http.keytab.

Restart Apache and you are up and running.

The problem now is that you may want to restrict that only people in certain groups have access to certain pages or directories. What we want here is to use the groups in LDAP. I have unfortunately not entered finish there yet. So my interim solution, that I did today, is to use apache own group-files.

Ad the following to lines after the other Apache config lines above:

AuthGroupFile /etc/webgroup
Require group private

Restart Apache again.

Add in /etc/webgroup one line for each group you want to create. Start with group name colon (:) space separated principals for the users that are members of your group. For instance:
private: bob@MYREALM ed@MYREALM

Thats it! So whats then the problem with LDAP instead of Apaches group files? I must in some way rewrite the realm to the users used in LDAP within either Apache config or within LDAP. I do not know how to do that at the moment in a good way. That's another nice problem to solve another day.

Comments

Post a Comment

Popular posts from this blog

Circles in PostGIS

Image
OGC and PostGIS has no data type to represent a circle. Instead one use ST_Buffer(geom, distance) to get a geometry that covers the area within the distance to geom . So if geom is a point you get a circle. But it does not return an exact circle. The circle is approximated represented by a polygon using eight points. One can increase the precission by adding a third argument to ST_buffer that is the number of points in the polygon returned. The unit for distance depends on what SRID is used. But what if you have a geometry that you know is a circle created with the method above? There is no exact method as far as I know, but her comes a good approximation. First we want the origo of the circle. ST_Centroid(geom) comes to handy. It returns the centeroid point of the geometry, in this case the origo of the circle. To get the radius we pick out the first point in the polygon returned by ST_Buffer with PointN(ExteriorRing(geom),1) . We need to call ExteriorRing to get the polygon of
Read more

Create your own CA with TinyCA2 (part 1)

Image
A Certificate Authorities (CA) issues certificates to people and organization that gives us the possibility to know that we surf to the right web site and not a phising site. This concept can be nice to use on your private sites too, but you may not want to spend a lot of money to get a certificate for your site. Most common when one installs a web-mail server at home is using a self signed certificate. When one surf to the web-mail server from a friends computer one can not be sure that nobody listens to the traffic if one not verifies the signature of the self signed certificate. Maybe an easier and definitely a more scalable solution to this is to create ones own CA structure. When we are ready with this how to you will have installed a certificate on your web server, installed the root certificate into your Firefox, and you will have the root certificate stored on a USB-memory stick. First time you want to read your mail from a friends computer you install the root certificate f
Read more

Create your own CA with TinyCA2 (part 2)

Image
In part one of this series we created a root CA, a sub-CA and a certificate for our web site All certificates are stored in TinyCA2 s configuration. In this part we will: export the root CA:s certificate import the root CA:s certificate into Firefox export the certificate for the web site configure our web server to use the web site certificate To be able to import the root CA certificate to Firefox we must export it from TinyCA2. In the main window of TinyCA2, open the CA-menu and select Open CA. Select your root CA. Select Export CA Certificate in the toolbar, which is the second icon from the right. You may change the file name. Press Save when ready. Start Firefox, select the Edit-menu and Preferences. Click the Advanced icon and then the Encryption tab. Select View certificates and then the Authorities tab. You can see all the CA:s you trust. Click Import and select the file with your exported root certificate. You can in the Downloading Certificate window control what purpo
Read more