Difference between revisions of "Samba4/HOWTO/Setup a Single Sign-On Website"

From SambaWiki
Revision as of 00:17, 24 July 2012

Goal

This HOWTO shows a clean way to set up a website that provides:

  • SSL encryption (HTTPS) by using a self-signed certificate
  • single sign-on from within your Samba4 domain
  • optional login from outside (user/password prompt)
  • full Kerberos 5 authentication security

The type of setup shown here is very minimal. It is intended to give you a basic idea of how the process works.

Use case

You may provide a secured intranet website for your clients, hosting private content on a per-user basis.

It's also possible to develop a web-based application for domain management, using Kerberos/LDAP and Samba's Python API. More information on this topic may be provided in another document.

Requirements

  • Samba4 setup as domain controller
  • a working DNS configuration
  • a working Kerberos configuration

It's recommended to follow the setup process described at Samba4/HOWTO.

Setup

Apache2

You need a web server that hosts your site. Apache2 is widespread these days and available as a software package in (almost) all Linux distributions.

To install apache2, mod_ssl and mod_auth_kerb, run:

Debian/Ubuntu

  # apt-get install apache2 libapache2-mod-auth-kerb
  # a2enmod ssl auth_kerb

Set up a minimal SSL site

NOTE: You don't need to use a secured site to get this example working, but in production environments it's highly recommended for security reasons: with KrbMethodK5Passwd enabled, the fallback for clients that cannot negotiate Kerberos is an HTTP Basic username/password prompt, so without HTTPS the password crosses the network in clear text. A minimal configuration might look like this:


file: /etc/apache2/sites-available/default-ssl

  <IfModule mod_ssl.c>
  <VirtualHost _default_:443>
      ServerAdmin webmaster@localhost
      DocumentRoot /var/www
      
      <Directory />
          Options FollowSymLinks
          AllowOverride None
      </Directory>
      
      <Directory /var/www/>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
      </Directory>   
      
      #########################################################
      # add a private directory using kerberos authentication #
      #########################################################
      
      <Directory /var/www/private>
          AuthType Kerberos
          AuthName "Intranet Login"
          KrbMethodNegotiate on
          KrbMethodK5Passwd on
          KrbVerifyKDC on
          KrbSaveCredentials off
          # our keytab
          Krb5Keytab  /etc/apache2/http.keytab
          # specify your realm (upper case - like the krb5.conf)
          KrbAuthRealms YOUR.REALM
          Require valid-user
      </Directory>
      # rest of file
      ...
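
The following shell script is an added example and is not part of the SambaWiki page or of Samba itself. It lints an Apache vhost fragment for the mod_auth_kerb settings used above, so you can catch the mistakes that weaken this setup before reloading Apache: a missing Require valid-user, KrbVerifyKDC switched off (a password login can then be satisfied by a forged KDC reply, because the ticket is never checked against the service key in the keytab), the password fallback enabled on a vhost that is not on port 443, a lowercase realm, and the YOUR.REALM placeholder left in place. The config path is passed as an argument; the two sample configs written by make_good_conf and make_bad_conf are constructed for the demonstration, and the realm SAMDOM.EXAMPLE.COM in them is an assumed value.

```shell
#!/bin/sh
# Lint an Apache vhost fragment for the mod_auth_kerb directives used in the
# HOWTO. Prints one "FAIL: ..." line per problem and returns 1 if any was found.
# Hypothetical helper written for this example; not part of Samba or Apache.

check_krb_auth_conf() {
    conf="$1"
    rc=0

    # 1. The protected directory must actually require an authenticated user.
    grep -qi '^[[:space:]]*Require[[:space:]][[:space:]]*valid-user' "$conf" \
        || { echo "FAIL: no 'Require valid-user' directive"; rc=1; }

    # 2. KrbVerifyKDC must be on so that password logins are validated against
    #    the keytab and cannot be satisfied by a spoofed KDC.
    grep -qi '^[[:space:]]*KrbVerifyKDC[[:space:]][[:space:]]*on[[:space:]]*$' "$conf" \
        || { echo "FAIL: KrbVerifyKDC is not 'on'"; rc=1; }

    # 3. KrbMethodK5Passwd on means HTTP Basic fallback; only allow it on :443.
    if grep -qi '^[[:space:]]*KrbMethodK5Passwd[[:space:]][[:space:]]*on[[:space:]]*$' "$conf" \
       && ! grep -qi '<VirtualHost[^>]*:443>' "$conf"; then
        echo "FAIL: password fallback (KrbMethodK5Passwd) enabled on a non-HTTPS vhost"
        rc=1
    fi

    # 4. The realm must be present and written in upper case, as in krb5.conf.
    realm=$(awk 'tolower($1)=="krbauthrealms"{print $2; exit}' "$conf")
    [ -n "$realm" ] || { echo "FAIL: no KrbAuthRealms directive"; rc=1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: realm '$realm' is not upper case"; rc=1; }

    # 5. The HOWTO's placeholder realm must have been replaced.
    [ "$realm" != "YOUR.REALM" ] \
        || { echo "FAIL: KrbAuthRealms still set to the placeholder YOUR.REALM"; rc=1; }

    return $rc
}

# Constructed sample: the HOWTO's private directory with a real realm on :443.
make_good_conf() {
    cat > "$1" <<'EOF'
<VirtualHost _default_:443>
    <Directory /var/www/private>
        AuthType Kerberos
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbVerifyKDC on
        Krb5Keytab /etc/apache2/http.keytab
        KrbAuthRealms SAMDOM.EXAMPLE.COM
        Require valid-user
    </Directory>
EOF
}

# Constructed sample with three defects: plain HTTP vhost, KDC verification
# off, lowercase realm.
make_bad_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    <Directory /var/www/private>
        AuthType Kerberos
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbVerifyKDC off
        Krb5Keytab /etc/apache2/http.keytab
        KrbAuthRealms samdom.example.com
        Require valid-user
    </Directory>
EOF
}

# Usage: sh check_krb_conf.sh /etc/apache2/sites-available/default-ssl
if [ "$#" -gt 0 ]; then
    check_krb_auth_conf "$1"
fi
```

Run it against the vhost file before `a2ensite`/reload; an exit status of 1 with the printed FAIL lines tells you which directive to fix. Note that the HOWTO's own fragment trips check 5 until YOUR.REALM is replaced with your realm.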

Active Directory

Windows Client(s)

Troubleshooting