Samba4/HOWTO/Setup a Single Sign-On Website: Difference between revisions
Intruder0815 (talk | contribs) (→Apache2: added content) |
Mmuehlfeld (talk | contribs) m (Updated link) |
||
Line 20: | Line 20: | ||
* a working Kerberos configuration |
* a working Kerberos configuration |
||
It`s recommended to follow the setup process described at [[ |
It`s recommended to follow the setup process described at [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller]]. |
||
== Setup == |
== Setup == |
Latest revision as of 22:50, 22 October 2016
Goal
This Howto aims to show a clean way to setup a website that provides:
- SSL encryption (HTTPS) by using a self-signed certificate
- single sign-on from within your Samba4 domain
- optional login from outside (user/password prompt)
- full Kerberos 5 authentication security
The type of setup shown here is very minimal. It is intended to get you a basic idea of how the process works.
Usecase
You may provide a secured intranet website for your clients, hosting private content on a per-user basis.
It´s also possible to develop a web based application for domain management, using Kerberos/LDAP and Samba´s Python API. More information on this topic may be provided in another document.
Requirements
- Samba4 setup as domain controller
- a working DNS configuration
- a working Kerberos configuration
It`s recommended to follow the setup process described at Setting_up_Samba_as_an_Active_Directory_Domain_Controller.
Setup
Apache2
You need a web server that hosts your site. Apache2 is widely spread these days and available as software package in (almost) all linux-distributions.
To install apache2, mod_ssl and mod_auth_kerb run:
Debian/Ubuntu
# apt-get install apache2 libapache2-mod-auth-kerb # a2enmod ssl auth_kerb
Setup a minimal ssl-site
NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons. A minimal configuration might look like this:
file: /etc/apache2/sites-available/default-ssl
<IfModule mod_ssl.c> <VirtualHost _default_:443> ServerAdmin webmaster@localhost DocumentRoot /var/www <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ######################################################### # add a private directory using kerberos authentication # ######################################################### <Directory /var/www/private> AuthType Kerberos AuthName "Intranet Login" KrbMethodNegotiate on KrbMethodK5Passwd on KrbVerifyKDC on KrbSaveCredentials off # our keytab Krb5Keytab /etc/apache2/http.keytab # specify your realm (upper case - like the krb5.conf) KrbAuthRealms YOUR.REALM Require valid-user </Directory> # rest of file ...