
Implementing Kerberos AD-integration for Single Sign-On in Apache

OK, so I wanted single sign-on on an Apache server that runs Nagios. Searching Google for Kerberos AD integration with Apache always turned up patchy results, so I decided to write down the solution that worked for me.

Create Standard user in Active Directory

Log on to "Active Directory Users and Computers" on your domain controller and create a standard domain user. This user does not need any special permissions; it is only the account the HTTP service principal will be mapped to.

My installation is on CentOS 6.5, but I'm sure it will work on other distributions.

Install Apache module

# yum install mod_auth_kerb krb5-workstation

(mod_auth_kerb is the Apache module and krb5-workstation supplies kinit/klist for testing. On Debian/Ubuntu the equivalent packages are libapache2-mod-auth-kerb and krb5-user.)

Create keytab-file

Now log on to the Windows domain controller and generate a keytab file. As long as you have the Windows Support Tools installed you should have no problems creating the file.

C:\>ktpass -in C:\Temp\kerberos_hostname.keytab -princ HTTP/<fqdn-cname-in-DNS>@WINDOWSDOMAIN -mapuser <kerberosuser-AD-username>@WINDOWSDOMAIN -pass <kerberosuser-AD-password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos_concatenated_hostnames.keytab

Replace the following placeholders with the values from your environment:

    kerberos_hostname.keytab
    fqdn-cname-in-DNS@WINDOWSDOMAIN
    kerberosuser-AD-username@WINDOWSDOMAIN
    kerberosuser-AD-password
    kerberos_concatenated_hostnames.keytab

Set up keytab-file

Using WinSCP, copy the file you have just generated on the domain controller to the /tmp folder on the CentOS box.

Copy the file to its final location and set the permissions so that only root and the Apache worker can read it.

# cp /tmp/kerberos.keytab /etc/kerberos.keytab
# chown root:apache /etc/kerberos.keytab    # readable by the httpd worker (user "apache" on CentOS), not by everyone
# chmod 0640 /etc/kerberos.keytab
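Two things in this setup go wrong silently: ktpass with -crypto RC4-HMAC-NT writes only an RC4 key, and a keytab readable by other local users hands out the service key. As an added example (not code from the original post), here is a Python audit that parses the 0x0502 keytab format ktpass and MIT Kerberos use, lists each principal, key version and enctype, and flags weak enctypes and a world-readable file; the realm, hostname and key bytes in SAMPLE_KEYTAB are constructed.

```python
import struct

WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # 23 is what -crypto RC4-HMAC-NT emits

def _counted(buf, off):  # counted_octet_string: big-endian uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry; all fields are big-endian."""
    assert data[:2] == b"\x05\x02", "only keytab format 0x0502 is handled"
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        p, off = off + 4, off + 4 + abs(size)      # a negative size marks a deleted slot
        if size <= 0:
            continue
        ncomp, comps = struct.unpack_from(">H", data, p)[0], []
        realm, p = _counted(data, p + 2)
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        _name_type, _stamp, vno8, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)
        kvno = struct.unpack_from(">I", data, p)[0] if off - p >= 4 else vno8  # 32-bit kvno only if room
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return entries

def audit_keytab(data, mode, service="HTTP"):
    """Findings to clear before pointing Krb5Keytab at the file; mode = os.stat(path).st_mode & 0o777."""
    entries, findings = parse_keytab(data), []
    if mode & 0o004:
        findings.append("keytab is world-readable (mode %04o)" % mode)
    if not any(p.startswith(service + "/") for p, _, _ in entries):
        findings.append("no %s/ service principal present" % service)
    for princ, kvno, etype in entries:
        if etype in WEAK:
            findings.append("%s kvno %d uses weak enctype %s" % (princ, kvno, WEAK[etype]))
    return entries, findings

def build_entry(realm, comps, etype, key, kvno):  # same layout, used only to construct sample data
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the RC4-HMAC entry the post's ktpass line produces (realm, host and key are dummies).
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("EXAMPLE.COM", ["HTTP", "nagios.example.com"], 23, b"\0" * 16, 3)
```

Run it against the real file with `audit_keytab(open(path, "rb").read(), os.stat(path).st_mode & 0o777)`; an empty findings list means the HTTP/ principal is present, no weak key is in use and the file is not world-readable.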

Set up Apache

Now we need to change the httpd configuration for the virtual host you are running.

Add the following lines to the configuration file.

AuthType Kerberos
AuthName "Some Name"
KrbAuthRealms WINDOWSDOMAIN
KrbServiceName HTTP
Krb5Keytab /path/to/keytab-file
# SPNEGO only: do not fall back to prompting for the AD password over Basic auth
KrbMethodNegotiate On
KrbMethodK5Passwd Off
# strip @WINDOWSDOMAIN from REMOTE_USER so it matches the Nagios contact name
KrbLocalUserMapping On
require valid-user
