12.09.2016 13:31, Paul Groves writes:
Hi All, Back looking at this problem again.
using the information provided here
This link describes how to configure SAMBA domain, not Windows domain.
I have installed mod-auth_kerb and enabled it and
apache starts without error
The server is already added to the domain in yast > Windows Domain
Membership and I can successfully log in locally as a domain user
I have managed to add the following to my apache configuration and the
service starts just fine.
Alias /private /srv/www/htdocs/private
AuthName "Network Login"
When I browse to the http://server/private
I am greeted with a login
prompt. If I cancel, it correctly denies access.
If you get login prompt, something is already wrong.
Here is the problem:
If I type in any domain username I get continuous login boxes. I have
tried username username@domain domain\username but it does not log in
You may misunderstand how it should work. The goal is not to let Apache
log you into AD - you should not get any login prompt at all. Your
existing Kerberos credentials (or MS AD if you are working from a Windows
client) must be sufficient to transparently grant you access to resources.
I suspect the keytab but might be wrong? But
honestly I am guessing at this.
I have used the keytab created when I added the computer to the domain
from /etc/krb5.keytab and copied it to /etc/apache2/conf.d
I also set the group to www using chown and added 640 permissions so
apache can read the file.
Your Kerberos libraries on the Apache host must be properly configured; you
need to add an HTTP principal to the account used for Apache and of course
export a keytab with this principal for use on the HTTP server. There are some
reports that adding an HTTP principal to the machine account in AD does not
work and a recommendation to create a normal user account for it (BTW the link
you mention does the same - it creates a separate user account). Your
client (web browser) must support Kerberos authentication and be
configured to actually use it. And of course you must obtain a valid
ticket before attempting to contact the server.
On 29 June 2016 at 18:52, Paul Groves <paul.groves.787(a)gmail.com> wrote:
> On 29/06/16 11:03, Werner Flamme wrote:
>> Paul Groves [29.06.2016 11:32]:
>>> Hi All,
>>> Still trying to figure this one out. Had no response at all from the
>>> apache forum.
>>> Just to recap, We have a windows domain and an opensuse 42.1 apache
>>> 2.4 web /Lamp server
>>> I have set up Yast > Windows Domain Membership and I can log in as a
>>> domain user successfully. in the command line.
>>> Now we have several websites that need to use active directory
>>> authentication. (osticket and some of our own creations). This is
>>> where I am stuck. I cannot figure out how to get apache to use this
>>> authentication method.
>> What do you mean by "SSO" and "active directory authentication"? Do you
>> want the users to log in via username and password, and have apache
>> verify this against LDAP, or do you want to log in passwordless via
>> Kerberos ticket?
>> If you want to use AD as LDAP, it is quite simple. But you need a user
>> in AD that is allowed to check the user/password combination. Howtos are
>> easily found using a search engine of your choice, as I did ... and
>> for example. Maybe you prefer
>> <https://support.microsoft.com/en-us/kb/555092>, which shows another way
>> to do it (as can be expected by M$ :D)
>> HTH, Werner
> by sso I mean single sign on (like in IIS) so that when a domain user logged
> in opens Internet explorer it logs in automatically (firefox and chrome
> prompt for login). Exactly like on our IIS server.
> Which way would you recommend? Worst case scenario, I would at least like to
> be able to authenticate against AD with apache even if it is not automatic.
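The two points the reply makes (the Apache keytab must carry an HTTP/ service principal, and the browser should never see a password prompt) can be checked without touching a domain. The script below is an added example, not something posted in this thread: it parses `klist -kt` style listings for the exact HTTP/fqdn@REALM entry, and renders a Kerberos-only mod_auth_kerb block for the /private alias from the original message. The host name web01.example.com, the realm EXAMPLE.COM, the keytab path /etc/apache2/http.keytab and both keytab listings are constructed placeholders; the second listing mirrors a plain machine keytab from a domain join, which only has host/ and machine-account keys.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for an Apache +
# mod_auth_kerb setup against AD. Host names, realm, keytab path and the
# two klist listings below are constructed placeholders.

# `klist -kt` output for a keytab exported for the web server account
# (constructed): it carries the HTTP/ service principal browsers request.
HTTP_KEYTAB_LISTING='Keytab name: FILE:/etc/apache2/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2016 00:00:00 HTTP/web01.example.com@EXAMPLE.COM
   2 01/01/2016 00:00:00 HTTP/web01@EXAMPLE.COM'

# `klist -kt` output for the machine keytab a domain join writes to
# /etc/krb5.keytab (constructed): host/ and machine-account keys only.
# Copying this file for Apache is exactly the setup that keeps failing.
MACHINE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2016 00:00:00 WEB01$@EXAMPLE.COM
   3 01/01/2016 00:00:00 host/web01.example.com@EXAMPLE.COM'

# has_http_principal FQDN REALM
# Reads a `klist -kt` listing on stdin and succeeds only if the exact
# principal HTTP/FQDN@REALM is present. Without that key Apache cannot
# decrypt the Negotiate token for http://FQDN/ and answers 401 every time.
has_http_principal() {
    awk -v want="HTTP/$1@$2" '$NF == want { found = 1 } END { exit !found }'
}

# render_apache_config FQDN REALM KEYTAB
# Prints a mod_auth_kerb <Location> block for the /private alias.
# KrbMethodK5Passwd Off removes the Basic-auth password fallback, so a
# failing Negotiate exchange shows up as a 401 in the error log instead
# of an endless username/password box in the browser.
render_apache_config() {
    cat <<EOF
<Location /private>
    AuthType Kerberos
    AuthName "Network Login"
    KrbAuthRealms $2
    KrbServiceName HTTP
    Krb5KeyTab $3
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
EOF
}

# report LABEL LISTING: human-readable verdict for one keytab listing.
report() {
    if printf '%s\n' "$2" | has_http_principal web01.example.com EXAMPLE.COM; then
        echo "$1: HTTP/web01.example.com@EXAMPLE.COM present"
    else
        echo "$1: HTTP service principal missing - export one for the Apache account"
    fi
}

# Stand-alone demonstration against the constructed listings.
report "http keytab" "$HTTP_KEYTAB_LISTING"
report "machine keytab" "$MACHINE_KEYTAB_LISTING"
render_apache_config web01.example.com EXAMPLE.COM /etc/apache2/http.keytab
```

On a real host the listing comes from `klist -kt /etc/apache2/http.keytab` piped into has_http_principal with the server's DNS name and realm; the keytab must also be readable by the Apache user, as the original message already arranged with chown and mode 640.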