Samba4/HOWTO/Setup a Single Sign-On Website

Revision as of 00:17, 24 July 2012

Goal

This HOWTO aims to show a clean way to set up a website that provides:

  • SSL encryption (HTTPS) by using a self-signed certificate
  • single sign-on from within your Samba4 domain
  • optional login from outside (user/password prompt)
  • full Kerberos 5 authentication security

The setup shown here is very minimal. It is intended to give you a basic idea of how the process works.

Usecase

You may provide a secured intranet website for your clients, hosting private content on a per-user basis.

It's also possible to develop a web-based application for domain management, using Kerberos/LDAP and Samba's Python API. More information on this topic may be provided in another document.

Requirements

  • Samba4 set up as a domain controller
  • a working DNS configuration
  • a working Kerberos configuration

It's recommended to follow the setup process described at Samba4/HOWTO.

Setup

Apache2

You need a web server that hosts your site. Apache2 is widely used and available as a software package in (almost) all Linux distributions.

To install Apache2, mod_ssl and mod_auth_kerb, run:

Debian/Ubuntu

  # apt-get install apache2 libapache2-mod-auth-kerb
  # a2enmod ssl auth_kerb

Set up a minimal SSL site

NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons. A minimal configuration might look like this:


file: /etc/apache2/sites-available/default-ssl

  <IfModule mod_ssl.c>
  <VirtualHost _default_:443>
      ServerAdmin webmaster@localhost
      DocumentRoot /var/www
      
      <Directory />
          Options FollowSymLinks
          AllowOverride None
      </Directory>
      
      <Directory /var/www/>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
      </Directory>   
      
      #########################################################
      # add a private directory using kerberos authentication #
      #########################################################
      
      <Directory /var/www/private>
          AuthType Kerberos
          AuthName "Intranet Login"
          KrbMethodNegotiate on
          KrbMethodK5Passwd on
          KrbVerifyKDC on
          KrbSaveCredentials off
          # our keytab
          Krb5Keytab  /etc/apache2/http.keytab
          # specify your realm (upper case - like the krb5.conf)
          KrbAuthRealms YOUR.REALM
          Require valid-user
      </Directory>
      # rest of file
      ...
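
As an added check that is not part of the original HOWTO, the following Python script parses <Directory> blocks written in the style of the configuration above and reports settings that weaken the Kerberos setup (KDC verification off, credential saving on, the password fallback on a plain-HTTP site, missing keytab or Require). The sample configuration and the /var/www/weak block are constructed for the demonstration, and unset directives are assumed to take mod_auth_kerb's documented defaults (KrbVerifyKDC on, KrbSaveCredentials off, KrbMethodK5Passwd on).

```python
import re

# Constructed sample: the page's /var/www/private block plus a weakened copy.
SAMPLE_CFG = """
<Directory /var/www/private>
    AuthType Kerberos
    KrbMethodK5Passwd on
    KrbVerifyKDC on
    KrbSaveCredentials off
    # our keytab
    Krb5Keytab  /etc/apache2/http.keytab
    KrbAuthRealms YOUR.REALM
    Require valid-user
</Directory>
<Directory /var/www/weak>
    AuthType Kerberos
    KrbVerifyKDC off
    KrbSaveCredentials on
</Directory>
"""

def parse_directory_blocks(cfg):
    """Map each <Directory path> block to {directive_lowercased: value}."""
    blocks = {}
    for m in re.finditer(r"<Directory\s+([^>]+)>(.*?)</Directory>", cfg, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):      # skip blanks and comments
                key, _, value = line.partition(" ")
                directives[key.lower()] = value.strip()
        blocks[m.group(1).strip()] = directives
    return blocks

def audit_kerberos_block(d, over_tls):
    """Findings for one block; unset directives take mod_auth_kerb's documented defaults."""
    if d.get("authtype", "").lower() != "kerberos":
        return ["AuthType is not Kerberos"]
    checks = [
        (d.get("krbverifykdc", "on").lower() == "off",
         "KrbVerifyKDC off: password logins are not verified against the keytab, so a spoofed KDC could be accepted"),
        (d.get("krbsavecredentials", "off").lower() == "on",
         "KrbSaveCredentials on: delegated user credentials are cached on the web server"),
        (d.get("krbmethodk5passwd", "on").lower() == "on" and not over_tls,
         "KrbMethodK5Passwd on without TLS: the fallback prompt sends the domain password in cleartext"),
        ("krb5keytab" not in d, "no Krb5Keytab: service tickets cannot be validated"),
        ("require" not in d, "no Require: users are authenticated but nothing is authorized"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run audit_kerberos_block with over_tls=False to model the plain-HTTP site the NOTE above warns about; the page's own block then reports only the password-fallback finding.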

Active Directory

Windows Client(s)

Troubleshooting