Samba4/HOWTO/Setup a Single Sign-On Website: Difference between revisions
Compared revisions, both by Intruder0815 (talk | contribs): (→Requirements: added content) and (→Apache2: added content)
Revision as of 00:17, 24 July 2012
Goal
This Howto aims to show a clean way to set up a website that provides:
- SSL encryption (HTTPS) using a self-signed certificate
- single sign-on from within your Samba4 domain
- optional login from outside the domain (user/password prompt)
- Kerberos 5 authentication (HTTP Negotiate) for the whole site
The setup shown here is very minimal. It is intended to give you a basic idea of how the process works.
Use case
You may provide a secured intranet website for your domain clients, hosting private content on a per-user basis.
It's also possible to develop a web-based application for domain management, using Kerberos/LDAP and Samba's Python API. More information on this topic may be provided in another document.
Requirements
- Samba4 set up as a domain controller
- a working DNS configuration (the web server must be reachable under the fully qualified name in its keytab)
- a working Kerberos configuration
It's recommended to follow the setup process described at Samba4/HOWTO.
Setup
Apache2
You need a web server that hosts your site. Apache2 is widely used and available as a package in (almost) all Linux distributions.
To install Apache2, mod_ssl (part of the apache2 package on Debian) and mod_auth_kerb, run:
Debian/Ubuntu
# apt-get install apache2 libapache2-mod-auth-kerb
# a2enmod ssl auth_kerb
Set up a minimal SSL site
NOTE: You don't need a secured site to get this example working, but in production environments it is strongly recommended: the Negotiate method never exposes a secret, but the user/password fallback enabled by KrbMethodK5Passwd below is ordinary HTTP Basic authentication, so without HTTPS the user's domain password crosses the wire in clear text. A minimal configuration might look like this:
file: /etc/apache2/sites-available/default-ssl
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/>
        # Indexes enables directory listings for everything under /var/www;
        # drop it if you do not want that
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.2 access-control syntax; Apache 2.4 uses "Require all granted"
        Order allow,deny
        allow from all
    </Directory>

    #########################################################
    # add a private directory using kerberos authentication #
    #########################################################
    <Directory /var/www/private>
        AuthType Kerberos
        AuthName "Intranet Login"
        # Negotiate (SPNEGO) gives domain members single sign-on ...
        KrbMethodNegotiate on
        # ... and K5Passwd lets everybody else log in with user/password
        # (Basic auth: the password crosses the wire, so serve this over HTTPS only)
        KrbMethodK5Passwd on
        # check the KDC's reply against our keytab, so a spoofed KDC
        # cannot get a password login accepted
        KrbVerifyKDC on
        KrbSaveCredentials off
        # our keytab (readable by the Apache user, and by nobody else)
        Krb5Keytab /etc/apache2/http.keytab
        # specify your realm (upper case - like the krb5.conf)
        KrbAuthRealms YOUR.REALM
        Require valid-user
    </Directory>

    # rest of file
    ...
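The pitfalls in this file are easy to ship by accident: Indexes on the DocumentRoot, the password fallback on a vhost that does not actually have SSLEngine on, KrbVerifyKDC switched off, a lower-case realm that will not match the keytab, or no Krb5Keytab at all. The linter below catches them before you reload Apache. It is an added example written for this page, not code from the Samba wiki or from mod_auth_kerb; the parser only understands the simple <Tag>/directive layout used above, and both sample configs are constructed: the first reproduces the snippet as shown (without the SSLEngine line that the elided "rest of file" would carry, so the TLS check fires on it), the second is the hardened variant.

```python
# Added example: lint an Apache/mod_auth_kerb site file for common SSO pitfalls.
# Not from the Samba wiki or mod_auth_kerb; sample configs below are constructed.
import re

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")     # <Directory /var/www/private>
CLOSE_RE = re.compile(r"^</(\w+)>$")           # </Directory>


class Section:
    """One <Tag arg> ... </Tag> block; the root holds top-level directives."""

    def __init__(self, kind, arg, parent=None):
        self.kind, self.arg, self.parent = kind, arg, parent
        self.directives = {}   # lower-cased directive name -> value
        self.children = []


def parse(text):
    root = Section("root", "")
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments (no '#' inside values here)
        if not line:
            continue
        opened = OPEN_RE.match(line)
        if CLOSE_RE.match(line):
            cur = cur.parent
        elif opened:
            sec = Section(opened.group(1), opened.group(2).strip(), parent=cur)
            cur.children.append(sec)
            cur = sec
        else:
            name, _, value = line.partition(" ")
            cur.directives[name.lower()] = value.strip()
    return root


def walk(sec):
    yield sec
    for child in sec.children:
        yield from walk(child)


def enclosing(sec, kind):
    while sec is not None and sec.kind != kind:
        sec = sec.parent
    return sec


def lint(text):
    """Return (scope, code) findings for the Kerberos-related pitfalls."""
    findings = []
    for sec in walk(parse(text)):
        d = sec.directives
        if sec.kind == "Directory" and "indexes" in d.get("options", "").lower():
            findings.append((sec.arg, "INDEXES"))          # directory listings exposed
        if d.get("authtype", "").lower() != "kerberos":
            continue
        vhost = enclosing(sec, "VirtualHost")
        tls = vhost is not None and vhost.directives.get("sslengine", "").lower() == "on"
        # mod_auth_kerb defaults: KrbMethodK5Passwd on, KrbVerifyKDC on
        if d.get("krbmethodk5passwd", "on").lower() == "on" and not tls:
            findings.append((sec.arg, "K5PASSWD_NO_TLS"))  # Basic-auth fallback, password in clear
        if d.get("krbverifykdc", "on").lower() != "on":
            findings.append((sec.arg, "VERIFYKDC_OFF"))    # password logins not checked against keytab
        realm = d.get("krbauthrealms", "")
        if realm and realm != realm.upper():
            findings.append((sec.arg, "REALM_NOT_UPPER"))  # will not match keytab principals
        if "krb5keytab" not in d:
            findings.append((sec.arg, "NO_KEYTAB"))        # silently falls back to /etc/krb5.keytab
    return findings


# Constructed sample: the snippet from this page as shown (no SSLEngine line).
PAGE_SNIPPET = """
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    DocumentRoot /var/www
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
    </Directory>
    <Directory /var/www/private>
        AuthType Kerberos
        AuthName "Intranet Login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbVerifyKDC on
        KrbSaveCredentials off
        Krb5Keytab /etc/apache2/http.keytab
        KrbAuthRealms YOUR.REALM
        Require valid-user
    </Directory>
</VirtualHost>
</IfModule>
"""

# Constructed hardened variant: TLS actually enabled, no directory listings.
HARDENED = PAGE_SNIPPET.replace(
    "Options Indexes FollowSymLinks MultiViews", "Options FollowSymLinks"
).replace("DocumentRoot /var/www", "SSLEngine on\n    DocumentRoot /var/www")

if __name__ == "__main__":
    for scope, code in lint(PAGE_SNIPPET):
        print(f"{scope}: {code}")
```

Run it against your real site file with `lint(open(path).read())`; an empty list is the goal before `a2ensite` and reload. The checks encode mod_auth_kerb's own defaults (both K5Passwd and KrbVerifyKDC default to on), so a directory that simply omits the directives is judged the way Apache will actually behave.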