Active Directory® and Apache®: Using Kerberos and Apache to


Active Directory® and Apache®
Using Kerberos and Apache to Authenticate via Microsoft Active Directory
History
Team of four system administrators
Responsible for 100+ hosts running a variety of operating systems
Using Microsoft Access and Excel to store user names, passwords, hostnames, IP addresses, operating systems, etc.
Needed a better way to store and access the information.
History cont’d
Why not create an SQL database with a web-based front-end?
How to protect the sensitive data in the database?
Motivation
Need to protect the database.
Could create a new password for it.
Why not allow users to log in with their current credentials, which are already stored in Active Directory?
Enter Kerberos
Kerberos
Network authentication protocol
Strong authentication for client/server applications
Uses secret-key cryptography
FREE!!
Apache
Web server
Covered extensively in this course.
Also FREE!!
Solution
Host web site on:
VMWare Virtual Server
CentOS
MySQL – Database
PHP – Access to the Database
Linux, Apache, MySQL, PHP = LAMP
Kerberos Configuration
Step 1: Create a keytab file

echo HTTP/[email protected]ctory.server.com > /path/auth_kerb.keytab
chmod ugo+r /path/auth_kerb.keytab
Kerberos Configuration Cont’d
Step 2: Modify /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = FULLY.QUALIFIED.DOMAIN.NAME
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
[realms]
FULLY.QUALIFIED.DOMAIN.NAME = {
  kdc = dc1.fully.qualified.domain.name
  kdc = dc2.fully.qualified.domain.name
  admin_server = dc3.fully.qualified.domain.name
  default_domain = FULLY.QUALIFIED.DOMAIN.NAME
}
[domain_realm]
.fully.qualified.domain.name = FULLY.QUALIFIED.DOMAIN.NAME
fully.qualified.domain.name = FULLY.QUALIFIED.DOMAIN.NAME
Kerberos can be tested by using the kinit command. See the krb5 man page for details.
Apache Configuration
Modify httpd.conf
Add the following inside the <Directory> block you wish to safeguard

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
AuthName "COS Enterprise Labs Organization"
AuthType Kerberos
Krb5Keytab /var/www/passwd/kerberos/auth_kerb.keytab
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate off
KrbSaveCredentials off
KrbVerifyKDC off
Require user [email protected] [email protected] ...

Restart the Apache daemon
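As an added example (not from the slides, and not a tool shipped with mod_auth_kerb), a POSIX shell audit of the httpd.conf block and krb5.conf lines above from the defender's side: it flags KrbVerifyKDC off, a keytab left readable by group/other (the chmod ugo+r from step 1), and single-DES enctypes. The directive names are mod_auth_kerb's; the helper functions and the sample files they read are constructed here.

```shell
#!/bin/sh
# Added example, not from the slides or from mod_auth_kerb: audit the Kerberos
# settings above for choices that weaken the setup. Helper names and sample
# files are constructed here; directive names are the mod_auth_kerb ones.

# Print the value of one directive (case-insensitive, comment lines skipped);
# exit 1 when it is absent so the caller can fall back to the module default.
kerb_directive() {
    awk -v d="$2" '$1 !~ /^#/ && tolower($1) == tolower(d) { print $2; f = 1 }
                   END { exit !f }' "$1"
}

# Succeed only when neither group nor other can read the keytab: a readable
# keytab lets any local account decrypt tickets for, and act as, the HTTP/ service.
keytab_private() {
    case "$(ls -l "$1" | cut -c1-10)" in
        ????r*|???????r*) return 1 ;;
        *) return 0 ;;
    esac
}

# List single-DES enctypes named in a krb5.conf; current KDCs refuse them.
weak_enctypes() { grep -io 'des-cbc-[a-z0-9]*' "$1" | sort -u; }

# Print one line per finding and return the number of findings (0 = clean).
audit_kerb_block() {
    conf=$1; n=0
    v=$(kerb_directive "$conf" KrbVerifyKDC) || v=on    # module default is on
    if [ "$v" = off ]; then
        echo "KrbVerifyKDC off: password logins trust the KDC reply unverified (KDC spoofing)"
        n=$((n + 1))
    fi
    kt=$(kerb_directive "$conf" Krb5Keytab) || kt=
    if [ -z "$kt" ]; then
        echo "Krb5Keytab missing: the module cannot decrypt service tickets"; n=$((n + 1))
    elif [ -e "$kt" ] && ! keytab_private "$kt"; then
        echo "$kt is readable by group/other"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample input mirroring the slides: the keytab after chmod ugo+r,
# the <Directory> block with KrbVerifyKDC off, and the enctype line.
SAMPLE_KEYTAB=$(mktemp); chmod ugo+r "$SAMPLE_KEYTAB"
SAMPLE_HTTPD=$(mktemp); SAMPLE_KRB5=$(mktemp)
printf 'AuthType Kerberos\nKrb5Keytab %s\nKrbAuthRealm EXAMPLE.COM\nKrbVerifyKDC off\n' \
    "$SAMPLE_KEYTAB" > "$SAMPLE_HTTPD"
echo 'default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5' > "$SAMPLE_KRB5"
audit_kerb_block "$SAMPLE_HTTPD" || echo "$? finding(s)"      # prints 2 finding(s)
weak_enctypes "$SAMPLE_KRB5"                                   # des-cbc-crc, des-cbc-md5
```

Run it against the real httpd.conf and krb5.conf paths to get the same three checks on a live host; a clean result is a return status of 0 and no DES lines.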
Questions?