12.09.2016 13:31, Paul Groves wrote:
Hi All, back looking at this problem again.
Using the information provided here
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Direct...
This link describes how to configure a Samba domain, not a Windows domain.
I have installed mod_auth_kerb and enabled it, and Apache starts without error. The server is already added to the domain in YaST > Windows Domain Membership and I can successfully log in locally as a domain user.
I have managed to add the following to my Apache configuration and the service starts just fine.
Alias /private /srv/www/htdocs/private
<Directory /srv/www/htdocs/private>
    AuthType Kerberos
    AuthName "Network Login"
    # SPNEGO/Negotiate: accept the Kerberos ticket the browser presents
    KrbMethodNegotiate On
    # also accept a username/password typed into a Basic-auth prompt
    KrbMethodK5Passwd On
    KrbAuthRealms HARVEY.SCHOOL
    require valid-user
    Krb5KeyTab /etc/apache2/conf.d/krb5.keytab
    # strip @REALM from the authenticated name in REMOTE_USER
    KrbLocalUserMapping On
</Directory>
When I browse to http://server/private I am greeted with a login prompt. If I cancel, it correctly denies access.
If you get a login prompt, something is already wrong.
Here is the problem: if I type in any domain username I get continuous login boxes. I have tried username, username@domain and domain\username, but it does not log in or error.
You may misunderstand how it should work. The goal is not to let Apache log you into AD; you should not get any login prompt at all. Your existing Kerberos credentials (or MS AD credentials if you are working from a Windows client) must be sufficient to transparently grant you access to resources.
I suspect the keytab, but might be wrong? Honestly I am guessing at this. I have used the keytab created when I added the computer to the domain, /etc/krb5.keytab, and copied it to /etc/apache2/conf.d. I also set the group to www using chown and set the permissions to 640 so Apache can read the file.
The Kerberos libraries on your Apache host must be properly configured; you need to add an HTTP principal to the account used for Apache and of course export a keytab with this principal for use on the HTTP server. There are some reports that adding an HTTP principal to the machine account in AD does not work, and the recommendation is to create a normal user account for it (BTW, the link you mention does the same: it creates a separate user account). Your client (web browser) must support Kerberos authentication and be configured to actually use it. And of course you must obtain a valid ticket before attempting to contact the server.
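The checks implied by the reply above, as an added example that is not part of the thread: a script for the Apache host that confirms the keytab actually contains the HTTP/ service principal (the keytab written when the machine joined the domain normally holds only host/ and machine-account keys), that the file is not world-readable, that the key is accepted by the KDC, and that a client with a ticket gets in without a password prompt. The host name web.harvey.school, the keytab path, the Apache group "www" and the URL are hypothetical; registering the SPN and exporting the keytab on the AD side is not shown.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight checks for Kerberos (SPNEGO) login
# to Apache via mod_auth_kerb. Hypothetical values: host web.harvey.school, realm
# HARVEY.SCHOOL, keytab /etc/apache2/krb5.keytab, Apache group "www". The SPN must
# already be registered on the dedicated AD account and exported into KEYTAB.
set -u

KEYTAB=${KEYTAB:-/etc/apache2/krb5.keytab}
SPN=${SPN:-HTTP/web.harvey.school@HARVEY.SCHOOL}
APACHE_GROUP=${APACHE_GROUP:-www}
URL=${URL:-https://web.harvey.school/private}

# keytab_has_spn KLIST_OUTPUT SPN
# Takes the text printed by MIT `klist -ke KEYTAB` and succeeds only if SPN appears
# verbatim: realm and host are case-sensitive, so HTTP/fqdn@REALM must match exactly.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '$2 == spn { found = 1 } END { exit found ? 0 : 1 }'
}

# keytab_principals KLIST_OUTPUT -- the distinct principals, for the error message
# (entry lines start with a numeric KVNO; header lines do not)
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# perms_ok MODE GROUP -- the keytab is the service's long-term key: readable by the
# Apache group, never by "other". A world-readable keytab lets any local user
# impersonate the web server and decrypt every client's service ticket.
perms_ok() {
    case "$1" in
        *[1-7]) return 1 ;;   # last octal digit set => others can read/write/exec
    esac
    [ "$2" = "$APACHE_GROUP" ]
}

# Live checks: need krb5-client, curl and a reachable KDC. Run with PREFLIGHT=1 after
# "kinit user@HARVEY.SCHOOL" so the final curl has a client ticket to present.
preflight() {
    local out cc
    out=$(klist -ke "$KEYTAB") || return 1
    if ! keytab_has_spn "$out" "$SPN"; then
        echo "keytab lacks $SPN; it contains:" >&2
        keytab_principals "$out" >&2
        return 1
    fi
    perms_ok "$(stat -c %a "$KEYTAB")" "$(stat -c %G "$KEYTAB")" \
        || { echo "fix: chgrp $APACHE_GROUP $KEYTAB && chmod 640 $KEYTAB" >&2; return 1; }
    # Prove the key matches what the KDC holds by getting a TGT for the service
    # principal from the keytab; a throwaway cache keeps the admin's own ticket intact.
    cc="FILE:$(mktemp)"
    KRB5CCNAME=$cc kinit -kt "$KEYTAB" "$SPN" \
        || { echo "KDC rejected the keytab key (stale kvno or changed password?)" >&2; return 1; }
    KRB5CCNAME=$cc kdestroy
    # Client side: curl negotiates SPNEGO with an empty user (-u :). Expect 200;
    # a 401 here means the browser would fall back to the password prompt.
    curl -sS --negotiate -u : -o /dev/null -w '%{http_code}\n' "$URL"
}

if [ "${PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

The two parsing helpers are separated from the live checks so the realm/case and permission rules can be exercised without a KDC; `klist -ke` output from a keytab produced only by the domain join will list host/ and the machine account, which is exactly the case the first check reports.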
On 29 June 2016 at 18:52, Paul Groves <paul.groves.787@gmail.com> wrote:
On 29/06/16 11:03, Werner Flamme wrote:
Paul Groves [29.06.2016 11:32]:
Hi All,
Still trying to figure this one out. Had no response at all from the Apache forum.
Just to recap, we have a Windows domain and an openSUSE 42.1 Apache 2.4 web/LAMP server.
I have set up YaST > Windows Domain Membership and I can log in as a domain user successfully on the command line.
Now we have several websites that need to use Active Directory authentication (osTicket and some of our own creations). This is where I am stuck. I cannot figure out how to get Apache to use this authentication method.
What do you mean by "SSO" and "Active Directory authentication"? Do you want the users to log in via username and password, and have Apache verify this against LDAP, or do you want to log in passwordless via a Kerberos ticket?
If you want to use AD as LDAP, it is quite simple. But you need a user in AD that is allowed to check the user/password combination. How-tos are easily found using a search engine of your choice, as I did ... and found
<http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html>, for example. Maybe you prefer <https://support.microsoft.com/en-us/kb/555092>, which shows another way to do it (as can be expected by M$ :D)
HTH, Werner
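One way to wire up the LDAP route Werner describes, as an added example that is not part of the thread and not taken from either linked how-to. The DC name dc1.harvey.school, the base DN, the bind account, the group DN, the CA file and the password-helper script are all hypothetical; the exec: form of AuthLDAPBindPassword needs Apache 2.4.5 or later.

```apache
# Added example (not from the thread). Password login against AD over LDAP with
# mod_authnz_ldap (a2enmod ldap; a2enmod authnz_ldap). Hypothetical values: DC
# dc1.harvey.school, base DN DC=harvey,DC=school, bind account svc-apache-ldap.

# Server context: verify the DC's certificate, so the bind account's password and
# every user's password only ever travel inside a TLS session to the real DC.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/harvey-root-ca.pem
LDAPVerifyServerCert On

Alias /private /srv/www/htdocs/private
<Directory /srv/www/htdocs/private>
    # Basic auth resends the password with every request: refuse plain HTTP here.
    SSLRequireSSL
    AuthType Basic
    AuthName "Network Login"
    AuthBasicProvider ldap
    # Find the user by sAMAccountName below the base DN, then bind as that user
    # with the supplied password; the bind account only performs the search.
    AuthLDAPURL "ldaps://dc1.harvey.school:636/DC=harvey,DC=school?sAMAccountName?sub?(objectClass=user)"
    # AD refuses anonymous searches, hence the low-privilege bind account.
    # Keep its password in a root-only helper read via exec: rather than inline.
    AuthLDAPBindDN "CN=svc-apache-ldap,OU=Service Accounts,DC=harvey,DC=school"
    AuthLDAPBindPassword "exec:/etc/apache2/ldap-bind-password.sh"
    # Restrict to one AD group instead of every domain account (valid-user).
    Require ldap-group CN=Web Users,OU=Groups,DC=harvey,DC=school
</Directory>
```

This gives the "worst case" Paul asks for below (a password prompt on every browser) rather than single sign-on; the bind account needs read access to the user and group objects only, and should not be a member of anything beyond Domain Users.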
By SSO I mean single sign-on (like in IIS), so that when a logged-in domain user opens Internet Explorer it logs in automatically (Firefox and Chrome prompt for login). Exactly like on our IIS server.
Which way would you recommend? Worst case scenario, I would at least like to be able to authenticate against AD with Apache even if it is not automatic.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org