lemonldap-ng/doc/pages/documentation/current/authkerberos.html
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:authkerberos</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,authkerberos"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authkerberos.html"/>
<link rel="contents" href="authkerberos.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authkerberos","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#llng_configuration">LLNG Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#kerberos_configuration">Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#web_server_kerberos_module">Web Server Kerberos module</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="kerberos">Kerberos</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1"> </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [24-81] -->
</div>
<!-- EDIT1 SECTION "Kerberos" [1-82] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://en.wikipedia.org/wiki/Kerberos_(protocol)" class="urlextern" title="https://en.wikipedia.org/wiki/Kerberos_(protocol)" rel="nofollow">Kerberos</a> is a network authentication protocol used to authenticate users based on their desktop session.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> uses the Perl GSSAPI module to validate the Kerberos ticket against a local keytab.
</p>
</div>
<!-- EDIT3 SECTION "Presentation" [83-347] -->
<h2 class="sectionedit4" id="llng_configuration">LLNG Configuration</h2>
<div class="level2">
<p>
In Manager, go to <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose Kerberos for authentication. Then go to “Kerberos parameters” and configure the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>keytab file</strong> (required): path to the Kerberos keytab file</div>
</li>
<li class="level1"><div class="li"> <strong>Use Ajax request</strong>: set to “enabled” if you want to use an Ajax request instead of a direct Kerberos attempt. <strong>This is required if you want to chain Kerberos in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a></strong></div>
</li>
<li class="level1"><div class="li"> <strong>Kerberos authentication level</strong>: defaults to 3</div>
</li>
<li class="level1"><div class="li"> <strong>Use Web Server Kerberos module</strong>: set to “enabled” to use the Web Server module (for example Apache mod_auth_kerb) instead of the Perl Kerberos code to validate the Kerberos ticket</div>
</li>
<li class="level1"><div class="li"> <strong>Remove domain in username</strong>: set to “enabled” to strip the &#039;@domain&#039; suffix from the username value.</div>
</li>
</ul>
<div class="noteimportant"><ul>
<li class="level1"><div class="li"> Due to a Perl GSSAPI issue, you may need to copy the keytab to <code>/etc/krb5.keytab</code>, which is the default location hardcoded in the library</div>
</li>
<li class="level1"><div class="li"> As the Kerberos ticket is passed inside the <code>Authorization</code> header, you may need to set <code>CGIPassAuth On</code> in Apache <em>(with old Apache versions, use <code>RewriteCond %{HTTP:Authorization}</code> followed by <code>RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]</code>)</em></div>
</li>
</ul>
</div>
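<p>
Before pointing the <strong>keytab file</strong> parameter at a file (or copying it to <code>/etc/krb5.keytab</code> as noted above), it is worth confirming that the keytab really holds a key for the portal's <code>HTTP/&lt;hostname&gt;@REALM</code> service principal. The following added example is not LL::NG code: it reads an MIT keytab (format version 0x0502) directly, so the check works on a host without the krb5 client tools. The hostname <code>sso.example.com</code>, realm <code>EXAMPLE.COM</code> and the sample entries are constructed assumptions.
</p>

```python
# Added example, not LL::NG code. Assumes the MIT keytab format 0x0502 (big-endian fields).
import struct

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...] for every live entry in the keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot; zero ends the scan
            pos += -size or len(data)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []                        # realm first, then each name component
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = parts[0], parts[1:]
        _name_type, _stamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen                # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit field when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def has_service_principal(data, host, realm):  # the key the portal needs: HTTP/<host>@<REALM>
    return any(p == f"HTTP/{host}@{realm}" for p, _, _ in parse_keytab(data))

def build_entry(components, realm, kvno, enctype, key):
    """Serialize one keytab entry (used only to construct the sample below)."""
    body = struct.pack(">H", len(components))
    for s in [realm, *components]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 1700000000, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)       # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: zero-filled dummy keys, assumed hostname and realm, one deleted slot.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(["HTTP", "sso.example.com"], "EXAMPLE.COM", 3, 18, bytes(32))
                 + struct.pack(">i", -5) + b"\x00" * 5
                 + build_entry(["host", "sso.example.com"], "EXAMPLE.COM", 3, 17, bytes(16)))
```

To inspect a real file, pass the bytes of the keytab (for example <code>open("/etc/lemonldap-ng/auth.keytab", "rb").read()</code>) to <code>parse_keytab</code> and look for the <code>HTTP/</code> principal of the portal host.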
</div>
<!-- EDIT4 SECTION "LLNG Configuration" [348-1572] -->
<h3 class="sectionedit5" id="kerberos_configuration">Kerberos configuration</h3>
<div class="level3">
<p>
The Kerberos configuration is quite complex. You can find some configuration tips <a href="kerberos.html" class="wikilink1" title="documentation:2.0:kerberos">on this page</a>.
</p>
</div>
<!-- EDIT5 SECTION "Kerberos configuration" [1573-1716] -->
<h3 class="sectionedit6" id="web_server_kerberos_module">Web Server Kerberos module</h3>
<div class="level3">
<p>
If you want to let the Web Server Kerberos module validate the Kerberos ticket, set the corresponding option to “enabled” and configure the portal virtual host to launch the module when the “kerberos” GET parameter is present in the request.
</p>
<p>
Example with Apache and mod_auth_kerb:
</p>
<pre class="code file apache">&lt;If <span class="st0">&quot;%{QUERY_STRING} =~ /kerberos=/&quot;</span>&gt;
  &lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
    <span class="kw1">AuthType</span> Kerberos
    KrbMethodNegotiate <span class="kw2">On</span>
    KrbMethodK5Passwd <span class="kw2">Off</span>
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/lemonldap-ng/auth.keytab
    KrbVerifyKDC <span class="kw2">On</span>
    KrbServiceName Any
    <span class="kw1">require</span> valid-<span class="kw1">user</span>
  &lt;/<span class="kw3">IfModule</span>&gt;
&lt;/If&gt;</pre>
</div>
<!-- EDIT6 SECTION "Web Server Kerberos module" [1717-] --></div>
</body>
</html>