You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

#1 2016-12-02 17:28:24

willianmgrocha
Guest
From: Brazil
Registered: 2014-10-22
Posts: 66

How configure SSO + Kerberos + Apache on Centos

Dear,

Anyone of you, knows or have tips to configure the SSO using KErberos +Apache on Centos?

Today i have the environment working fine the SSO but is using NTLM + Apache + Winbind (ldap).

Thanks if you can help me.

Best Regards.

Offline

#2 2017-01-18 21:28:13

sum1
Guest
Registered: 2017-01-18
Posts: 3

Re: How configure SSO + Kerberos + Apache on Centos

Kinda off-topic but it's quite easy. First create a principal in ur KRB environment (HTTP / your url @ NSA GOV) - just correct the hostname and the KRB domain to match yours.
Then export the principal into a keytab, install mod_auth_kerb and configure it:

 <IfModule !auth_kerb_module>
  <Directory "/var/www/html/test/">
   Require all denied
  </Directory>
 </IfModule>

 <IfModule auth_kerb_module>
  <Directory "/var/www/html/test/">
   AuthType Kerberos
   AuthName "Test Login"
   Krb5Keytab /etc/krb5_apache.keytab
   KrbAuthRealms NSA_GOV
   Require valid-user
  </Directory>
 </IfModule>

Ensure krb5_apache.keytab is read-able by the Apache user (and nobody else). The above setup works with Apache 2.4 and has some kind of fallback in case the kerberos module isn't loaded / present in Apache.

Off topic: why oh why does this forum software report "Too more links in message. Allowed 2 links. Reduce number of links and post it again." when where's none ?


... tired of signatures

Offline

#3 2017-01-26 15:18:22

small75
Guest
From: Russia
Registered: 2016-06-27
Posts: 8

Re: How configure SSO + Kerberos + Apache on Centos

i'm used this article (sorry, but article in russian lang)
http://docs.ipi-manager.ru/Administrato … ry/Apache/

after this steps in GLPI
Setup/Authentication/Others/Other authentication sent in the HTTP request
Field storage of the login in the HTTP request: REMOTE_USER

Offline

#4 2017-03-02 13:47:49

lessources
Guest
Registered: 2010-10-21
Posts: 66

Re: How configure SSO + Kerberos + Apache on Centos

i generate a keytab in my AD server
then i transfer it to my centos server

sum1 wrote:

Then export the principal into a keytab, install mod_auth_kerb and configure it:

how can i export it?
when  i try a kinit copy ....
i just have a prompt Kinit:

thank you in advance

Offline

#5 2017-03-03 13:26:36

small75
Guest
From: Russia
Registered: 2016-06-27
Posts: 8

Re: How configure SSO + Kerberos + Apache on Centos

sum1 wrote:

Then export the principal into a keytab, install mod_auth_kerb and configure it:

"export" - mean:
start command "ktpass.exe" on Windows Server and coping result keytab-file to Linux

Offline

#6 2019-01-08 14:59:48

willianmgrocha
Guest
From: Brazil
Registered: 2014-10-22
Posts: 66

Re: How configure SSO + Kerberos + Apache on Centos

sum1 wrote:

Kinda off-topic but it's quite easy. First create a principal in ur KRB environment (HTTP / your url @ NSA GOV) - just correct the hostname and the KRB domain to match yours.
Then export the principal into a keytab, install mod_auth_kerb and configure it:

 <IfModule !auth_kerb_module>
  <Directory "/var/www/html/test/">
   Require all denied
  </Directory>
 </IfModule>

 <IfModule auth_kerb_module>
  <Directory "/var/www/html/test/">
   AuthType Kerberos
   AuthName "Test Login"
   Krb5Keytab /etc/krb5_apache.keytab
   KrbAuthRealms NSA_GOV
   Require valid-user
  </Directory>
 </IfModule>

Ensure krb5_apache.keytab is read-able by the Apache user (and nobody else). The above setup works with Apache 2.4 and has some kind of fallback in case the kerberos module isn't loaded / present in Apache.

Off topic: why oh why does this forum software report "Too more links in message. Allowed 2 links. Reduce number of links and post it again." when where's none ?


Hi, I trying to apply this procedure on GLPI verison 9.3.2 and is not working. I created one site of WordPress for test the Kerberos and is working fine. Someone knows if there is another adjust to configure SSO in the GLPI Version 9.3.2?

Thanks in advance for your help.

Willian Rocha

Offline

Board footer

Powered by FluxBB