Bug 859267 - RFE: Working example of Kerberos/LDAP server, Kerberos client, mod_auth_kerb module
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: doc-HTTP-Connectors-Guide
Version: 2.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 2.0.1
Assigned To: Mandar Joshi
QA Contact: Libor Fuka
Keywords: Documentation, FutureFeature
Reported: 2012-09-20 20:16 EDT by Misha H. Ali
Modified: 2015-08-31 22:58 EDT

Doc Type: Enhancement
Last Closed: 2014-01-03 07:59:03 EST
Type: Bug
Description Misha H. Ali 2012-09-20 20:16:13 EDT
Rajesh: We tested mod_auth_kerb with ApacheDS LDAP, Kerberos server - directory.apache.org. I have a working example for RHEL. Just to think whether we should provide customers with a working example in the doc. It's quite a complicated setup of all components (Kerberos/LDAP server, Kerberos client, mod_auth_kerb module).

MHA: Need SME/instructions for this.
Comment 1 Misha H. Ali 2012-09-20 20:18:06 EDT
Not sure if this can be included in EWS 2.0, as we have no idea about the steps. Setting NEEDINFO for Rajesh for this.
Comment 5 Libor Fuka 2013-06-03 06:10:35 EDT
This should be rewritten. It's our internal doc for QA testing. It is not for customers.
I will provide you steps.
Comment 6 Libor Fuka 2013-06-03 08:26:59 EDT
10.2. Working example for EWS httpd with mod_auth_kerb authentication

The following is a basic example of how to configure and run Kerberos authentication with EWS httpd and mod_auth_kerb on the RHEL platform:

10.2.1 Prerequisites
     - installed mod_auth_kerb on RHEL
     - installed curl with GSS-Negotiate support
     - running and configured Kerberos/LDAP server (for example ApacheDS) on the same host as EWS
     - created LDAP users:
       - krbtgt
dn: uid=krbtgt,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0

       - ldap
dn: uid=ldap,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: randall
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0 

       - HTTP
dn: uid=HTTP,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: HTTP
sn: Service
uid: HTTP
userPassword: secretpwd
krb5PrincipalName: HTTP/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0

       - hnelson (testing user)
dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0

10.2.2 Configure Kerberos client
       10.2.2.1 create krb5.conf configuration file in /etc
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  dns_lookup_realm = false
  dns_lookup_kdc = false
  allow_weak_crypto = yes
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes  

[realms]
  EXAMPLE.COM = {
    kdc = localhost:60088
    admin_server = localhost:60088
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

      10.2.2.2 create keytab in /etc/httpd
ktutil
ktutil:  addent -password -p HTTP/localhost@EXAMPLE.COM -k 0 -e des-cbc-md5
Password for HTTP/localhost@EXAMPLE.COM: secretpwd
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    0               HTTP/localhost@EXAMPLE.COM
ktutil:  wkt /etc/httpd/krb5.keytab
ktutil:  quit

Under root user:
chgrp apache /etc/httpd/krb5.keytab
chmod 640 /etc/httpd/krb5.keytab

     10.2.2.3 Check /etc/hosts
         There should be 127.0.0.1 localhost

10.2.3 Configure mod_auth_kerb
      - create auth_kerb.conf in /etc/httpd/conf.d/
#
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
# 

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /kerberostest>
#  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/krb5.keytab
  require valid-user
</Location>

10.2.4 Test Kerberos authentication
  10.2.4.1 Create test page in $EWS_HOME/httpd/www/html/kerberostest/auth_kerb_page.html
<html>
  <body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
</body>
</html>
  10.2.4.2 Optionally set LogLevel debug in $EWS_HOME/httpd/conf/httpd.conf
  10.2.4.3 Start EWS httpd (under root) - $EWS_HOME/httpd/sbin/apachectl start
  10.2.4.4 Test Kerberos client authentication
           - kinit hnelson
           - klist
             It should display:
Ticket cache: FILE:/tmp/krb5cc_18602
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
06/03/13 14:21:13  06/04/13 14:21:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/10/13 14:21:13

  10.2.4.5  Test httpd kerberos authentication
       - run: curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html  
          It should display:
<html>
  <body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
</body>
</html>  

You can find more information about mod_auth_kerb at http://modauthkerb.sourceforge.net/
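The krb5.conf in 10.2.2.1 and the auth_kerb.conf in 10.2.3 above carry settings that are acceptable for a throw-away ApacheDS lab but should be caught before the same files are copied to a real host: allow_weak_crypto with DES enctypes, and SSLRequireSSL commented out, which leaves the Negotiate exchange and the authenticated response on plain HTTP. The script below is an added example for this bug; it is not part of the EWS documentation, of mod_auth_kerb, or of comment 6. It lints both files plus the keytab file mode from 10.2.2.2. The rule set and all function names are the example's own, and the two constants are trimmed copies of the snippets from comment 6, embedded so the script runs offline.

```python
"""Lint the krb5.conf (10.2.2.1) and auth_kerb.conf (10.2.3) settings from the
example above.  Added example for this bug; not part of the EWS docs or of
mod_auth_kerb.  The rule set is my own; KRB5_CONF and AUTH_KERB_CONF are
trimmed copies of the snippets in comment 6, embedded so this runs offline."""
import re
import stat

KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  allow_weak_crypto = yes
[realms]
  EXAMPLE.COM = {
    kdc = localhost:60088
  }
"""

AUTH_KERB_CONF = """\
<Location /kerberostest>
#  SSLRequireSSL
  AuthType Kerberos
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/krb5.keytab
  require valid-user
</Location>
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader -> {section: {key: value}}; keys inside a
    'REALM = { ... }' block are stored as 'REALM.key'."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.fullmatch(r"\[([\w-]+)\]", line)
        if head:
            section = sections.setdefault(head.group(1), {})
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                block = key
            else:
                section[f"{block}.{key}" if block else key] = value
    return sections


def is_weak_enctype(name):
    # single DES and RC4 are broken; MIT krb5 also deprecated 3DES (1.19+)
    return name.lower().startswith(("des", "arcfour", "rc4"))


def lint_krb5_conf(text):
    """Findings for the [libdefaults] crypto settings."""
    lib = parse_krb5_conf(text).get("libdefaults", {})
    findings = []
    if lib.get("allow_weak_crypto", "false").lower() in ("yes", "true", "1"):
        findings.append("allow_weak_crypto is enabled: DES/RC4 session keys accepted")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in re.split(r"[,\s]+", lib.get(key, "")) if is_weak_enctype(e)]
        if weak:
            findings.append(f"{key} lists weak enctypes: {', '.join(weak)}")
    return findings


def lint_auth_kerb_conf(text):
    """Findings for the mod_auth_kerb <Location> block."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            commented.update(line.lstrip("# ").split()[:1])
        elif line and not line.startswith("<"):
            name, _, value = line.partition(" ")
            active[name] = value.strip()
    findings = []
    if "SSLRequireSSL" not in active:
        how = " (commented out)" if "SSLRequireSSL" in commented else ""
        findings.append(f"SSLRequireSSL missing{how}: Negotiate tokens and the "
                        "authenticated response travel over plain HTTP")
    # mod_auth_kerb defaults KrbMethodK5Passwd to On, which also offers HTTP
    # Basic and lets a client hand its Kerberos password to httpd.
    if active.get("KrbMethodK5Passwd", "On").lower() != "off":
        findings.append("KrbMethodK5Passwd is On: Basic-auth password fallback is enabled")
    if "KrbAuthRealms" not in active:
        findings.append("KrbAuthRealms not set: any realm known to krb5.conf is accepted")
    return findings


def keytab_mode_findings(mode):
    """Flag a keytab st_mode readable or writable beyond root and the httpd
    group; 0o640 with group apache, as set in 10.2.2.2, passes."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("keytab is world-readable: any local user can impersonate HTTP/localhost")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("keytab is writable by group or others")
    return findings


def lint_page_example():
    """Run all three checks against the lab configuration from comment 6."""
    return {"krb5.conf": lint_krb5_conf(KRB5_CONF),
            "auth_kerb.conf": lint_auth_kerb_conf(AUTH_KERB_CONF),
            "keytab": keytab_mode_findings(0o640)}


if __name__ == "__main__":
    for target, findings in lint_page_example().items():
        print(target, "->", findings or ["ok"])
```

Against the lab configuration it reports allow_weak_crypto plus the two DES enctype lists for krb5.conf, the commented-out SSLRequireSSL for auth_kerb.conf, and nothing for the 0640 keytab. To check a real host, pass the contents of /etc/krb5.conf and /etc/httpd/conf.d/auth_kerb.conf to the two lint functions and `os.stat("/etc/httpd/krb5.keytab").st_mode` to keytab_mode_findings; the keytab check covers the mode only, so confirm the group is apache separately.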
Comment 7 Misha H. Ali 2013-06-04 04:55:52 EDT
Created new topics for this as recommended above. The new ToC is as follows:

10.2. mod_auth_kerb Example **Updated**
10.2.1. About the mod_auth_kerb Example **New**
10.2.2. mod_auth_kerb Example Prerequisites **New**
10.2.3. Configure the Kerberos Client **New**
10.2.4. Test the Kerberos Authentication **New**
Comment 8 Libor Fuka 2013-06-04 05:04:36 EDT
Please add also  Configure mod_auth_kerb after Configure the Kerberos Client

see comment 6
Comment 9 Misha H. Ali 2013-06-04 06:31:52 EDT
Added content, this bug will be set to ON_QA when the contents appear on the doc-stage and are ready for review.
Comment 10 Misha H. Ali 2013-06-04 06:34:25 EDT
Adding one extra topic (ref: comment #8). New Toc:

10.2. mod_auth_kerb Example **Updated**
10.2.1. About the mod_auth_kerb Example **New**
10.2.2. mod_auth_kerb Example Prerequisites **New**
10.2.3. Configure the Kerberos Client **New**
10.2.4. Configure mod_auth_kerb **New**   <--- added
10.2.4. Test the Kerberos Authentication **New**
Comment 12 Misha H. Ali 2013-06-05 04:50:28 EDT
Replicated changes to new document.

New Toc:

10.2. mod_auth_kerb Example
10.2.1. mod_auth_kerb Example Prerequisites
10.2.2. Configure the Kerberos Client
10.2.3. Configure mod_auth_kerb
10.2.4. Test the Kerberos Authentication

This bug will be set to ON_QA once the changes appear.
Comment 13 Libor Fuka 2013-06-05 09:13:39 EDT
Devel stage updated and it looks ok.
Found small typos:
Install curl with GSS-negotiated support. -> GSS-negotiate

Configure and run a Kerberos or LDAP server -> LDAP/Kerberos server (misha see http://directory.apache.org/apacheds/, it's open source, not supported by Red Hat, just for example for mod_auth_kerb testing)

<Location /kerberostest> </Location>- should be black color

$EWS_HOME -> JBOSS_EWS_DIST (see File Name Conventions)

(auth_kerb_page.html: -> (auth_kerb_page.html)

log level for debugging -> LogLevel debug for httpd debugging (its httpd.conf directive upper case/lower case like this LogLevel)
Comment 14 Misha H. Ali 2013-06-06 00:32:15 EDT
(In reply to lfuka from comment #13)
> Devel stage updated and it looks ok.
> Found small typos:
> Install curl with GSS-negotiated support. -> GSS-negotiate

Fixed.

> 
> Configure and run a Kerberos or LDAP server -> LDAP/Kerberos server (misha
> see http://directory.apache.org/apacheds/, its open source, not supported by
> Red Hat, just for example for mod_auth_kerb testing)

OK, then we should add a very clear warning that this is not supported by Red Hat and should not be applied to a production environment. Added warning.

> <Location /kerberostest> </Location>- should be black color

Unfortunately this is automatic. The renderer does not understand the / without a < to indicate a closing element so it is showing it in red. There is no way to manually fix this so no change unfortunately.

> $EWS_HOME -> JBOSS_EWS_DIST (see File Name Conventions)

Switched this out in each place that referenced $EWS_HOME

> (auth_kerb_page.html: -> (auth_kerb_page.html)

Fixed, added closing bracket.

> log level for debugging -> LogLevel debug for httpd debugging (its
> httpd.conf directive upper case/lower case like this LogLevel)

Fixed, replaced Log Level with LogLevel.
Comment 16 Libor Fuka 2013-06-06 10:18:11 EDT
last thing:
in the Warning
Using an ApacheDS as a LDAP/Kerberos server is .....
Comment 17 Misha H. Ali 2013-06-06 22:15:52 EDT
Available for verification in link in comment #15
Comment 19 Libor Fuka 2013-06-07 03:50:16 EDT
Verified on comm 18
