Difference between revisions of "Samba4/HOWTO/Setup a Single Sign-On Website"
Intruder0815 (talk | contribs) (→Requirements: added content) |
Intruder0815 (talk | contribs) (→Apache2: added content) |
||
Line 24: | Line 24: | ||
== Setup == | == Setup == | ||
=== Apache2 === | === Apache2 === | ||
+ | |||
+ | You need a web server that hosts your site. Apache2 is widely spread these days and available as software package in (almost) all linux-distributions. | ||
+ | |||
+ | To install apache2, mod_ssl and mod_auth_kerb run: | ||
+ | |||
+ | '''Debian/Ubuntu''' | ||
+ | |||
+ | <pre> | ||
+ | # apt-get install apache2 libapache2-mod-auth-kerb | ||
+ | # a2enmod ssl auth_kerb | ||
+ | </pre> | ||
+ | |||
+ | Setup a minimal ssl-site | ||
+ | |||
+ | NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons. | ||
+ | A minimal configuration might look like this: | ||
+ | |||
+ | ---- | ||
+ | <tt>'''file: /etc/apache2/sites-available/default-ssl'''</tt> | ||
+ | <pre> | ||
+ | <IfModule mod_ssl.c> | ||
+ | <VirtualHost _default_:443> | ||
+ | ServerAdmin webmaster@localhost | ||
+ | DocumentRoot /var/www | ||
+ | |||
+ | <Directory /> | ||
+ | Options FollowSymLinks | ||
+ | AllowOverride None | ||
+ | </Directory> | ||
+ | |||
+ | <Directory /var/www/> | ||
+ | Options Indexes FollowSymLinks MultiViews | ||
+ | AllowOverride None | ||
+ | Order allow,deny | ||
+ | allow from all | ||
+ | </Directory> | ||
+ | |||
+ | ######################################################### | ||
+ | # add a private directory using kerberos authentication # | ||
+ | ######################################################### | ||
+ | |||
+ | <Directory /var/www/private> | ||
+ | AuthType Kerberos | ||
+ | AuthName "Intranet Login" | ||
+ | KrbMethodNegotiate on | ||
+ | KrbMethodK5Passwd on | ||
+ | KrbVerifyKDC on | ||
+ | KrbSaveCredentials off | ||
+ | # our keytab | ||
+ | Krb5Keytab /etc/apache2/http.keytab | ||
+ | # specify your realm (upper case - like the krb5.conf) | ||
+ | KrbAuthRealms YOUR.REALM | ||
+ | Require valid-user | ||
+ | </Directory> | ||
+ | # rest of file | ||
+ | ... | ||
+ | </pre> | ||
+ | ---- | ||
+ | |||
=== Active Directory === | === Active Directory === | ||
=== Windows Client(s) === | === Windows Client(s) === | ||
== Troubleshooting == | == Troubleshooting == |
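Review bot: The NOTE added above the vhost says the example also works without a secured site, but the `/var/www/private` block sets `KrbMethodK5Passwd on`, which lets mod_auth_kerb fall back to a username/password prompt over HTTP Basic authentication. On a non-SSL site those domain credentials would cross the network merely base64-encoded, so the NOTE should say that password fallback belongs only on the SSL vhost, or that `KrbMethodK5Passwd off` should be set when the site is served over plain HTTP. The block also points at `Krb5Keytab /etc/apache2/http.keytab` without saying how that file is created or that it should be readable only by the Apache user; a sentence or a forward reference to the Active Directory section would close that gap. Minor: `Options Indexes` on `/var/www/` enables directory listings, which a minimal example does not need.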
Revision as of 00:17, 24 July 2012
Goal
This HOWTO aims to show a clean way to set up a website that provides:
- SSL encryption (HTTPS) by using a self-signed certificate
- single sign-on from within your Samba4 domain
- optional login from outside (user/password prompt)
- full Kerberos 5 authentication security
The type of setup shown here is very minimal. It is intended to give you a basic idea of how the process works.
Use case
You may provide a secured intranet website for your clients, hosting private content on a per-user basis.
It's also possible to develop a web-based application for domain management, using Kerberos/LDAP and Samba's Python API. More information on this topic may be provided in another document.
Requirements
- Samba4 setup as domain controller
- a working DNS configuration
- a working Kerberos configuration
It's recommended to follow the setup process described at Samba4/HOWTO.
Setup
Apache2
You need a web server that hosts your site. Apache2 is widely used these days and available as a software package in (almost) all Linux distributions.
To install apache2, mod_ssl and mod_auth_kerb run:
Debian/Ubuntu
<pre>
# apt-get install apache2 libapache2-mod-auth-kerb
# a2enmod ssl auth_kerb
</pre>
Set up a minimal SSL site

NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons.

A minimal configuration might look like this:
file: /etc/apache2/sites-available/default-ssl
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        #########################################################
        # add a private directory using kerberos authentication #
        #########################################################

        <Directory /var/www/private>
                AuthType Kerberos
                AuthName "Intranet Login"
                KrbMethodNegotiate on
                KrbMethodK5Passwd on
                KrbVerifyKDC on
                KrbSaveCredentials off
                # our keytab
                Krb5Keytab /etc/apache2/http.keytab
                # specify your realm (upper case - like the krb5.conf)
                KrbAuthRealms YOUR.REALM
                Require valid-user
        </Directory>
        # rest of file
        ...
</pre>
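The following is an added example, not part of the original HOWTO: a small audit of the mod_auth_kerb directives used above, which flags a Kerberos-protected directory whose password fallback is reachable without SSL, whose KDC verification is off, or which saves user credentials. The function names and the sample configuration are constructed for illustration; the script treats `SSLEngine on` inside the enclosing `<VirtualHost>` as the sign of an SSL site and assumes mod_auth_kerb's documented defaults for directives that are not set.

```python
# Unset directives fall back to mod_auth_kerb's documented defaults.
DEFAULTS = {"krbmethodk5passwd": "on", "krbverifykdc": "on", "krbsavecredentials": "off"}

# Constructed sample: the page's private directory on a plain-HTTP and an SSL vhost.
SAMPLE = """
<VirtualHost *:80>
  <Directory /var/www/private>
    AuthType Kerberos
    KrbMethodK5Passwd on
  </Directory>
</VirtualHost>
<VirtualHost _default_:443>
  <Directory /var/www/private>
    AuthType Kerberos
    KrbVerifyKDC off
  </Directory>
  SSLEngine on
</VirtualHost>
"""

def check_scope(scope):
    out = []
    for d in (x for x in scope["dirs"] if x.get("authtype") == "kerberos"):
        opt = {**DEFAULTS, **d}
        if opt["krbmethodk5passwd"] == "on" and scope.get("sslengine") != "on":
            out.append((d["path"], "password fallback without SSLEngine on"))
        if opt["krbverifykdc"] == "off":
            out.append((d["path"], "KDC verification disabled"))
        if opt["krbsavecredentials"] == "on":
            out.append((d["path"], "user tickets saved on the web server"))
    return out

def audit(conf):
    scopes, cur, findings = [{"dirs": []}], None, []   # scopes[0] = server-wide config
    for line in (l.strip() for l in conf.splitlines()):
        low = line.lower()
        if low.startswith("<virtualhost"):
            scopes.append({"dirs": []})
        elif low.startswith("</virtualhost") and len(scopes) > 1:
            findings += check_scope(scopes.pop())   # checked at close: SSLEngine may come last
        elif low.startswith("<directory"):
            cur = {"path": line.strip("<>").split(None, 1)[1]}
            scopes[-1]["dirs"].append(cur)
        elif low.startswith("</directory"):
            cur = None
        elif line and line[0] not in "<#":          # ordinary directive line
            name, value = (low.split(None, 1) + [""])[:2]
            (cur if cur is not None else scopes[-1])[name] = value
    return findings + [f for s in scopes for f in check_scope(s)]
```

Run `audit(open(path).read())` against a site file; a vhost that is still open at the end of the text, or a directory outside any vhost, is reported as if it were served without SSL.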