Friday, January 11, 2008

Kerberos and LDAP over the web

I have for several years had a Kerberos/LDAP Single-Sign-On (SSO) solution active on my home computer network. One part that had not been integrated is my Apache httpd web server. I started looking at enabling this at Christmas. It was easy to get Kerberos working for the web server on my Ubuntu server.

This assumes you have SSL working on your web server for the area you want to password protect.

Install the libapache2-mod-auth-kerb package from Universe.
Activate the module with the command:
sudo a2enmod auth_kerb

Add the following to the configuration of the Apache directory you want to protect with Kerberos.

AuthName "Realm"
AuthType Kerberos
KrbAuthRealms MYREALM
Krb5Keytab /etc/apache2/http.keytab
Require principal@MYREALM
KrbServiceName HTTP/
Require valid-user

Change MYREALM and MYDOMAIN to values that fit you.

Connect to the Kerberos admin server and create a new principal and a keytab that includes this principal. If you use MIT Kerberos, start kadmin and run:
ank -randkey HTTP/
xst -k /etc/apache2/http.keytab

Verify that only www-data has read access to the keytab file /etc/apache2/http.keytab.

Restart Apache and you are up and running.
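The keytab check above is worth automating, since a keytab that other local users can read hands them the HTTP service key. The following is an added example, not code from the post: a small Python check that the keytab is a regular file (not a symlink), is owned by the expected service account (www-data is assumed, as on Ubuntu), and carries no group or other permission bits. The demo runs it against two constructed files in a temporary directory rather than the real /etc/apache2/http.keytab.

```python
import os
import pwd
import stat
import tempfile


def _owner_name(uid):
    """Resolve a uid to a login name, falling back to the numeric id."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def keytab_permission_problems(path, expected_owner="www-data"):
    """Return a list of problems found with the keytab at `path`.

    An empty list means: regular file, owned by `expected_owner`, and no
    permission bits for group or others, so only that account (and root)
    can read the key material.
    """
    problems = []
    st = os.lstat(path)  # lstat so a symlink is reported, not followed
    if stat.S_ISLNK(st.st_mode):
        return ["keytab is a symlink; expected a regular file"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("keytab is not a regular file")
    owner = _owner_name(st.st_uid)
    if owner != expected_owner:
        problems.append(f"owner is {owner}, expected {expected_owner}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants access to group or others")
    return problems


def demo():
    """Run the check on two constructed files: one locked down to 0400 and one
    world-readable. Uses the current user as the expected owner so the demo
    works without www-data. Returns (problems_good, problems_bad)."""
    me = _owner_name(os.getuid())
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "http.keytab")
        bad = os.path.join(d, "http-world.keytab")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"\x05\x02")  # constructed placeholder bytes, not a real keytab
        os.chmod(good, 0o400)
        os.chmod(bad, 0o644)
        return (keytab_permission_problems(good, me),
                keytab_permission_problems(bad, me))


if __name__ == "__main__":
    ok, broken = demo()
    print("locked-down keytab:", ok or "OK")
    print("world-readable keytab:", broken)
```

On a real server you would call keytab_permission_problems("/etc/apache2/http.keytab") and treat a non-empty result as a deployment error; root can still read the file regardless of mode, which is expected.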

The problem now is that you may want to restrict access to certain pages or directories to people in certain groups. What we want here is to use the groups in LDAP. I have unfortunately not finished that yet. So my interim solution, which I set up today, is to use Apache's own group files.

Add the following two lines after the other Apache config lines above:

AuthGroupFile /etc/webgroup
Require group private

Restart Apache again.

In /etc/webgroup, add one line for each group you want to create: the group name, a colon (:), and then the space-separated principals of the users who are members of that group. For instance:
private: bob@MYREALM ed@MYREALM

That's it! So what is then the problem with LDAP instead of Apache's group files? I must in some way rewrite the realm to match the users used in LDAP, within either the Apache config or within LDAP. I do not know how to do that in a good way at the moment. That's another nice problem to solve another day.
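To make the group-file format and the realm problem concrete, here is an added example (not code from the post or from Apache): a parser for the /etc/webgroup format described above, the exact-string membership test that "Require group private" performs, and a hypothetical ldap_uid_for() mapping for the LDAP case the post leaves open. The sample group file is constructed. The mapping strips "@MYREALM" only when the realm is the expected one and returns None otherwise, so a principal from a foreign realm, or one with an instance such as bob/admin, can never be mistaken for the local LDAP user "bob".

```python
import re

# Constructed sample in the /etc/webgroup format; not the author's real file.
GROUP_FILE_SAMPLE = """\
# group: space-separated member principals
private: bob@MYREALM ed@MYREALM
staff: alice@MYREALM bob@MYREALM
"""


def parse_group_file(text):
    """Parse AuthGroupFile syntax: 'group: member member ...', one group per
    line; blank lines and '#' comments are ignored. Returns {group: set(members)};
    a group listed on two lines gets the union of both."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"line {lineno}: expected 'group: members', got {raw!r}")
        groups.setdefault(name, set()).update(members.split())
    return groups


def is_member(groups, principal, group):
    """Exact string match, realm included: bob@MYREALM and bob@OTHER differ."""
    return principal in groups.get(group, set())


def ldap_uid_for(principal, realm):
    """Hypothetical realm-to-uid mapping (an assumption of this example):
    return the bare user name only for a plain user principal in `realm`;
    None for a foreign realm, for an instance (bob/admin@REALM) or for
    malformed input, so nothing aliases a local LDAP account by accident."""
    m = re.fullmatch(r"([^@/]+)@([^@/]+)", principal)
    if not m or m.group(2) != realm:
        return None
    return m.group(1)


if __name__ == "__main__":
    groups = parse_group_file(GROUP_FILE_SAMPLE)
    for who in ("bob@MYREALM", "alice@MYREALM", "bob@OTHER.REALM"):
        print(who, "in private:", is_member(groups, who, "private"),
              "| ldap uid:", ldap_uid_for(who, "MYREALM"))
```

Whether the realm check belongs in Apache or in LDAP, the important part is that it happens before the realm is dropped; a mapping that simply removes everything after "@" would let any trusted realm's "bob" inherit the local bob's group memberships.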
