Difference between revisions of "Samba4/HOWTO/Setup a Single Sign-On Website"

From SambaWiki

Latest revision as of 22:50, 22 October 2016

Goal

This Howto aims to show a clean way to set up a website that provides:

  • SSL encryption (HTTPS) by using a self-signed certificate
  • single sign-on from within your Samba4 domain
  • optional login from outside (user/password prompt)
  • full Kerberos 5 authentication security

The type of setup shown here is very minimal. It is intended to give you a basic idea of how the process works.

Use case

You may provide a secured intranet website for your clients, hosting private content on a per-user basis.

It's also possible to develop a web-based application for domain management, using Kerberos/LDAP and Samba's Python API. More information on this topic may be provided in another document.

Requirements

  • Samba4 set up as a domain controller
  • a working DNS configuration
  • a working Kerberos configuration

It's recommended to follow the setup process described at Setting_up_Samba_as_an_Active_Directory_Domain_Controller.

Setup

Apache2

You need a web server that hosts your site. Apache2 is widely used these days and available as a software package in (almost) all Linux distributions.

To install apache2, mod_ssl and mod_auth_kerb, run:

Debian/Ubuntu

  # apt-get install apache2 libapache2-mod-auth-kerb
  # a2enmod ssl auth_kerb

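Set up a minimal SSL site

NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons: with KrbMethodK5Passwd on, the user/password fallback sends the password with HTTP Basic authentication, which is only protected when the site is served over HTTPS.

A minimal configuration might look like this: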


file: /etc/apache2/sites-available/default-ssl

  <IfModule mod_ssl.c>
  <VirtualHost _default_:443>
      ServerAdmin webmaster@localhost
      DocumentRoot /var/www
      
      <Directory />
          Options FollowSymLinks
          AllowOverride None
      </Directory>
      
      <Directory /var/www/>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
      </Directory>   
      
      #########################################################
      # add a private directory using kerberos authentication #
      #########################################################
      
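      <Directory /var/www/private>
          AuthType Kerberos
          AuthName "Intranet Login"
          # single sign-on via Negotiate (SPNEGO) for domain clients
          KrbMethodNegotiate on
          # fall back to a user/password prompt (HTTP Basic), checked against the KDC
          KrbMethodK5Passwd on
          # verify the KDC's reply against the keytab (protects against KDC spoofing)
          KrbVerifyKDC on
          # do not keep the user's credentials in a credential cache
          KrbSaveCredentials off
          # our keytab
          Krb5Keytab  /etc/apache2/http.keytab
          # specify your realm (upper case - like the krb5.conf)
          KrbAuthRealms YOUR.REALM
          Require valid-user
      </Directory>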
      # rest of file
      ...
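
A quick lint for the settings shown above, as an added example that is not part of the original HOWTO: it flags Kerberos-protected directories whose password fallback would travel over plain HTTP or whose KDC verification is switched off, and checks that the keytab is not accessible to other users. The function names and the sample configuration are constructed for illustration; the script assumes mod_auth_kerb's defaults (KrbMethodK5Passwd on, KrbVerifyKDC on) when a directive is absent.

```shell
#!/bin/sh
# Added example: lint Apache vhost config (file or stdin) for risky mod_auth_kerb use.
# Function names are made up for this sketch. Only closed <VirtualHost> blocks are judged.
audit_krb_conf() {
    awk '
    { l = tolower($0); sub(/^[ \t]+/, "", l) }
    l ~ /^<virtualhost/               { vh = $2; sub(/>.*/, "", vh); ssl = 0; pw = "" }
    l ~ /^sslengine[ \t]+on/          { ssl = 1 }
    l ~ /^<directory/                 { dir = $2; sub(/>.*/, "", dir); krb = 0; k5 = 1; kdc = 1 }
    l ~ /^authtype[ \t]+kerberos/     { krb = 1 }
    l ~ /^krbmethodk5passwd[ \t]+off/ { k5 = 0 }
    l ~ /^krbverifykdc[ \t]+off/      { kdc = 0 }
    l ~ /^<\/directory/ && krb {
        if (!kdc) print dir ": KrbVerifyKDC off, KDC replies are not verified against the keytab"
        if (k5)   pw = pw " " dir      # remember dirs that allow the password prompt
        krb = 0
    }
    l ~ /^<\/virtualhost/ {
        if (pw != "" && !ssl) print vh ": password fallback over plain HTTP for" pw
    }' "$@"
}

# Succeed only if the keytab exists and grants no permission bits to "others".
keytab_not_world_accessible() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

sample_conf() {   # constructed input, not taken from a real server
    cat <<'EOF'
<VirtualHost *:80>
    <Directory /var/www/private>
        AuthType Kerberos
        KrbVerifyKDC off
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    <Directory /var/www/private>
        AuthType Kerberos
        KrbMethodK5Passwd on
        Require valid-user
    </Directory>
</VirtualHost>
EOF
}

sample_conf | audit_krb_conf
keytab_not_world_accessible /etc/apache2/http.keytab || echo "keytab missing or accessible to others"
```

On a real server, pass the site file instead of the sample, for example `audit_krb_conf /etc/apache2/sites-available/default-ssl`.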

Active Directory

Windows Client(s)

Troubleshooting