Difference between revisions of "Samba4/HOWTO/Setup a Single Sign-On Website"
Intruder0815 (talk | contribs) (→Requirements: added content) |
Intruder0815 (talk | contribs) (→Apache2: added content) |
||
| Line 24: | Line 24: | ||
== Setup == | == Setup == | ||
=== Apache2 === | === Apache2 === | ||
| + | |||
| + | You need a web server that hosts your site. Apache2 is widely spread these days and available as software package in (almost) all linux-distributions. | ||
| + | |||
| + | To install apache2, mod_ssl and mod_auth_kerb run: | ||
| + | |||
| + | '''Debian/Ubuntu''' | ||
| + | |||
| + | <pre> | ||
| + | # apt-get install apache2 libapache2-mod-auth-kerb | ||
| + | # a2enmod ssl auth_kerb | ||
| + | </pre> | ||
| + | |||
| + | Setup a minimal ssl-site | ||
| + | |||
| + | NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons. | ||
| + | A minimal configuration might look like this: | ||
| + | |||
| + | ---- | ||
| + | <tt>'''file: /etc/apache2/sites-available/default-ssl'''</tt> | ||
| + | <pre> | ||
| + | <IfModule mod_ssl.c> | ||
| + | <VirtualHost _default_:443> | ||
| + | ServerAdmin webmaster@localhost | ||
| + | DocumentRoot /var/www | ||
| + | |||
| + | <Directory /> | ||
| + | Options FollowSymLinks | ||
| + | AllowOverride None | ||
| + | </Directory> | ||
| + | |||
| + | <Directory /var/www/> | ||
| + | Options Indexes FollowSymLinks MultiViews | ||
| + | AllowOverride None | ||
| + | Order allow,deny | ||
| + | allow from all | ||
| + | </Directory> | ||
| + | |||
| + | ######################################################### | ||
| + | # add a private directory using kerberos authentication # | ||
| + | ######################################################### | ||
| + | |||
| + | <Directory /var/www/private> | ||
| + | AuthType Kerberos | ||
| + | AuthName "Intranet Login" | ||
| + | KrbMethodNegotiate on | ||
| + | KrbMethodK5Passwd on | ||
| + | KrbVerifyKDC on | ||
| + | KrbSaveCredentials off | ||
| + | # our keytab | ||
| + | Krb5Keytab /etc/apache2/http.keytab | ||
| + | # specify your realm (upper case - like the krb5.conf) | ||
| + | KrbAuthRealms YOUR.REALM | ||
| + | Require valid-user | ||
| + | </Directory> | ||
| + | # rest of file | ||
| + | ... | ||
| + | </pre> | ||
| + | ---- | ||
| + | |||
=== Active Directory === | === Active Directory === | ||
=== Windows Client(s) === | === Windows Client(s) === | ||
== Troubleshooting == | == Troubleshooting == | ||
Revision as of 00:17, 24 July 2012
Contents
Goal
This Howto aims to show a clean way to setup a website that provides:
- SSL encryption (HTTPS) by using a self-signed certificate
- single sign-on from within your Samba4 domain
- optional login from outside (user/password prompt)
- full Kerberos 5 authentication security
The type of setup shown here is very minimal. It is intended to get you a basic idea of how the process works.
Usecase
You may provide a secured intranet website for your clients, hosting private content on a per-user basis.
It´s also possible to develop a web based application for domain management, using Kerberos/LDAP and Samba´s Python API. More information on this topic may be provided in another document.
Requirements
- Samba4 setup as domain controller
- a working DNS configuration
- a working Kerberos configuration
It`s recommended to follow the setup process described at Samba4/HOWTO.
Setup
Apache2
You need a web server that hosts your site. Apache2 is widely spread these days and available as software package in (almost) all linux-distributions.
To install apache2, mod_ssl and mod_auth_kerb run:
Debian/Ubuntu
# apt-get install apache2 libapache2-mod-auth-kerb # a2enmod ssl auth_kerb
Setup a minimal ssl-site
NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons. A minimal configuration might look like this:
file: /etc/apache2/sites-available/default-ssl
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
#########################################################
# add a private directory using kerberos authentication #
#########################################################
<Directory /var/www/private>
AuthType Kerberos
AuthName "Intranet Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbVerifyKDC on
KrbSaveCredentials off
# our keytab
Krb5Keytab /etc/apache2/http.keytab
# specify your realm (upper case - like the krb5.conf)
KrbAuthRealms YOUR.REALM
Require valid-user
</Directory>
# rest of file
...