Rajesh: We tested mod_auth_kerb with ApacheDS LDAP/Kerberos server (directory.apache.org). I have a working example for RHEL. Just a thought: we could provide customers with a working example in the doc. It's quite a complicated setup of all the components (Kerberos/LDAP server, Kerberos client, mod_auth_kerb module). MHA: Need SME/instructions for this.
Not sure if this can be included in EWS 2.0, as we have no idea about the steps. Setting NEEDINFO for Rajesh for this.
This should be rewritten. It's our internal doc for QA testing. It is not for customers. I will provide you the steps.
10.2. Working example for EWS httpd with mod_auth_kerb authentication

The following is a basic example of how to configure and run Kerberos authentication with EWS httpd and mod_auth_kerb on the RHEL platform:

10.2.1 Prerequisites

- installed mod_auth_kerb on RHEL
- installed curl with GSS-Negotiate support
- running and configured Kerberos/LDAP server (for example ApacheDS) on the same host as EWS
- created LDAP users:

  - krbtgt

        dn: uid=krbtgt,ou=Users,dc=example,dc=com
        objectClass: top
        objectClass: person
        objectClass: inetOrgPerson
        objectClass: krb5principal
        objectClass: krb5kdcentry
        cn: KDC Service
        sn: Service
        uid: krbtgt
        userPassword: secret
        krb5PrincipalName: krbtgt/EXAMPLE.COM
        krb5KeyVersionNumber: 0

  - ldap

        dn: uid=ldap,ou=Users,dc=example,dc=com
        objectClass: top
        objectClass: person
        objectClass: inetOrgPerson
        objectClass: krb5principal
        objectClass: krb5kdcentry
        cn: LDAP
        sn: Service
        uid: ldap
        userPassword: randall
        krb5PrincipalName: ldap/localhost
        krb5KeyVersionNumber: 0

  - HTTP

        dn: uid=HTTP,ou=Users,dc=example,dc=com
        objectClass: top
        objectClass: person
        objectClass: inetOrgPerson
        objectClass: krb5principal
        objectClass: krb5kdcentry
        cn: HTTP
        sn: Service
        uid: HTTP
        userPassword: secretpwd
        krb5PrincipalName: HTTP/localhost
        krb5KeyVersionNumber: 0

  - hnelson (testing user)

        dn: uid=hnelson,ou=Users,dc=example,dc=com
        objectClass: top
        objectClass: person
        objectClass: inetOrgPerson
        objectClass: krb5principal
        objectClass: krb5kdcentry
        cn: Horatio Nelson
        sn: Nelson
        uid: hnelson
        userPassword: secret
        krb5PrincipalName: hnelson
        krb5KeyVersionNumber: 0

10.2.2 Configure Kerberos client

10.2.2.1 Create the krb5.conf configuration file in /etc:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
     default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
     dns_lookup_realm = false
     dns_lookup_kdc = false
     allow_weak_crypto = yes
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = yes

    [realms]
     EXAMPLE.COM = {
      kdc = localhost:60088
      admin_server = localhost:60088
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM

10.2.2.2 Create the keytab in /etc/httpd:

    ktutil
    ktutil:  addent -password -p HTTP/localhost -k 0 -e des-cbc-md5
    Password for HTTP/localhost: secretpwd
    ktutil:  list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    0 HTTP/localhost
    ktutil:  wkt krb5.keytab
    ktutil:  quit

Under the root user:

    chgrp apache /etc/httpd/krb5.keytab
    chmod 640 /etc/httpd/krb5.keytab

10.2.2.3 Check /etc/hosts. There should be:

    127.0.0.1 localhost

10.2.3 Configure mod_auth_kerb

Create auth_kerb.conf in /etc/httpd/conf.d/:

    #
    # The mod_auth_kerb module implements Kerberos authentication over
    # HTTP, following the "Negotiate" protocol.
    #
    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    <Location /kerberostest>
      # SSLRequireSSL
      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      KrbServiceName HTTP
      Krb5KeyTab /etc/httpd/krb5.keytab
      require valid-user
    </Location>

10.2.4 Test Kerberos authentication

10.2.4.1 Create a test page in $EWS_HOME/httpd/www/html/kerberostest/auth_kerb_page.html:

    <html>
    <body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
    </body>
    </html>

10.2.4.2 Optionally set LogLevel debug in $EWS_HOME/httpd/conf/httpd.conf

10.2.4.3 Start EWS httpd (under root):

    $EWS_HOME/httpd/sbin/apachectl start

10.2.4.4 Test Kerberos client authentication:

    kinit hnelson
    klist

It should display:

    Ticket cache: FILE:/tmp/krb5cc_18602
    Default principal: hnelson

    Valid starting     Expires            Service principal
    06/03/13 14:21:13  06/04/13 14:21:13  krbtgt/EXAMPLE.COM
            renew until 06/10/13 14:21:13

10.2.4.5 Test httpd Kerberos authentication. Run:

    curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html

It should display:

    <html>
    <body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
    </body>
    </html>

You can find more information about mod_auth_kerb at http://modauthkerb.sourceforge.net/
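As an added example, not part of this thread or of the EWS documentation, a small Python lint over the auth_kerb.conf block from the steps above: it flags the settings a reviewer would check before this QA setup is reused anywhere else (SSLRequireSSL left commented out, KrbMethodK5Passwd left at its default, and the single-DES enctypes that only work with allow_weak_crypto = yes). The sample configuration is constructed from the steps above; the function and constant names are this example's own.

```python
import re
# Constructed sample: the <Location> block from the steps above, SSLRequireSSL still commented out.
SAMPLE_AUTH_KERB_CONF = """\
<Location /kerberostest>
    # SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/krb5.keytab
    require valid-user
</Location>
"""
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "des-cbc-md4", "des-cbc-raw"}  # single-DES: krb5 refuses these unless allow_weak_crypto = yes

def parse_locations(conf):
    """Map each <Location PATH> to its directives (names lower-cased); comment lines are skipped."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+?)\s*>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif re.match(r"</Location\s*>$", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return blocks

def lint_auth_kerb(conf, enctypes=()):
    """Return the findings a reviewer would raise before this QA setup is reused elsewhere."""
    findings = []
    for path, d in parse_locations(conf).items():
        if d.get("authtype", "").lower() != "kerberos":
            continue
        if "sslrequiressl" not in d:  # commented out in the thread's block
            findings.append(path + ": SSLRequireSSL is not active; the Negotiate exchange runs over plain HTTP")
        if d.get("krbmethodk5passwd", "on").lower() != "off":  # module default is On
            findings.append(path + ": KrbMethodK5Passwd is On; clients may fall back to Basic auth with the Kerberos password")
        if "krb5keytab" not in d:
            findings.append(path + ": Krb5KeyTab not set; the module falls back to the default keytab")
    weak = sorted({e.strip().lower() for e in enctypes} & WEAK_ENCTYPES)
    if weak:
        findings.append("krb5.conf: single-DES enctypes " + ", ".join(weak) + " need allow_weak_crypto = yes")
    return findings
```

Pass the enctypes from the krb5.conf default_tkt_enctypes line as the second argument; the thread's own block yields two findings, and uncommenting SSLRequireSSL clears the first.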
Created new topics for this as recommended above. The new ToC is as follows:

10.2. mod_auth_kerb Example **Updated**
10.2.1. About the mod_auth_kerb Example **New**
10.2.2. mod_auth_kerb Example Prerequisites **New**
10.2.3. Configure the Kerberos Client **New**
10.2.4. Test the Kerberos Authentication **New**
Please also add "Configure mod_auth_kerb" after "Configure the Kerberos Client", see comment 6.
Added content, this bug will be set to ON_QA when the contents appear on the doc-stage and are ready for review.
Adding one extra topic (ref: comment #8). New ToC:

10.2. mod_auth_kerb Example **Updated**
10.2.1. About the mod_auth_kerb Example **New**
10.2.2. mod_auth_kerb Example Prerequisites **New**
10.2.3. Configure the Kerberos Client **New**
10.2.4. Configure mod_auth_kerb **New** <--- added
10.2.4. Test the Kerberos Authentication **New**
Replicated changes to new document. New ToC:

10.2. mod_auth_kerb Example
10.2.1. mod_auth_kerb Example Prerequisites
10.2.2. Configure the Kerberos Client
10.2.3. Configure mod_auth_kerb
10.2.4. Test the Kerberos Authentication

This bug will be set to ON_QA once the changes appear.
Devel stage updated and it looks ok. Found small typos:

Install curl with GSS-negotiated support. -> GSS-negotiate
Configure and run a Kerberos or LDAP server -> LDAP/Kerberos server (misha, see http://directory.apache.org/apacheds/, it's open source, not supported by Red Hat, just an example for mod_auth_kerb testing)
<Location /kerberostest> </Location> - should be black color
$EWS_HOME -> JBOSS_EWS_DIST (see File Name Conventions)
(auth_kerb_page.html: -> (auth_kerb_page.html)
log level for debugging -> LogLevel debug for httpd debugging (it's an httpd.conf directive, upper case/lower case like this: LogLevel)
(In reply to lfuka from comment #13)
> Devel stage updated and it looks ok.
> Found small typos:
> Install curl with GSS-negotiated support. -> GSS-negotiate

Fixed.

> Configure and run a Kerberos or LDAP server -> LDAP/Kerberos server (misha
> see http://directory.apache.org/apacheds/, its open source, not supported by
> Red Hat, just for example for mod_auth_kerb testing)

OK, then we should add a very clear warning that this is not supported by Red Hat and should not be applied to a production environment. Added warning.

> <Location /kerberostest> </Location>- should be black color

Unfortunately this is automatic. The renderer does not understand the / without a < to indicate a closing element, so it is showing it in red. There is no way to manually fix this, so no change unfortunately.

> $EWS_HOME -> JBOSS_EWS_DIST (see File Name Conventions)

Switched this out in each place that referenced $EWS_HOME.

> (auth_kerb_page.html: -> (auth_kerb_page.html)

Fixed, added closing bracket.

> log level for debugging -> LogLevel debug for httpd debugging (its
> httpd.conf directive upper case/lower case like this LogLevel)

Fixed, replaced Log Level with LogLevel.
Last thing: in the Warning, "Using an ApacheDS as a LDAP/Kerberos server is ....."
Available for verification at the link in comment #15.
Verified on comm 18