Overview
Use Kerberos integration to validate users and their passwords against Active Directory in order to authenticate access to a web directory served by Apache.
System
AD Server: correlads
Web Server: correlprod
Web Service: Apache2 + mod_auth_kerb
Protected directory: /var/www/mrtg
Configuration
Apache + Kerberos
- Verify that mod_auth_kerb is available on the system (/usr/lib64/httpd/modules/). If not, install it: yum install mod_auth_kerb
- Apache configuration /etc/httpd/conf.d/mrtg.conf:
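LoadModule auth_kerb_module modules/mod_auth_kerb.so
Alias /mrtg /var/www/mrtg
<Directory /var/www/mrtg>
  Order allow,deny
  Allow from all
  AuthName "Kerberos Login"
  AuthType Kerberos
  Krb5Keytab /var/www/html/mrtg/auth_kerb.keytab
  KrbAuthRealm CORRELSENSE.COM
  # Password login only: no SPNEGO ticket negotiation with the browser
  KrbMethodNegotiate off
  # Do not keep the user's ticket cache after authentication
  KrbSaveCredentials off
  # Skip verifying the KDC's reply against the keytab
  KrbVerifyKDC off
  Require valid-user
</Directory>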
- Create a Kerberos keytab file /var/www/html/mrtg/auth_kerb.keytab and make it readable by all:
HTTP/correlnx.correlsense.com@CORRELSENSE.COM
- Kerberos configuration /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
clockskew = 300
default_realm = CORRELSENSE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CORRELSENSE.COM = {
kdc = correlads
default_domain = correlsense.com
kdc = correlads
}
[domain_realm]
.correlsense.com = CORRELSENSE.COM
correlsense.com = CORRELSENSE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
- Restart Apache. When accessing the mrtg page, authentication against the Active Directory is required.
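An added example (not from the original page or the mod_auth_kerb project): a Python audit of the mrtg.conf directives above. It flags a keytab stored under a web-served directory, KDC verification switched off, and password authentication without a TLS requirement, and it includes a permission check for the keytab file. The served_roots values, the finding codes and the function names are assumptions made for illustration; KrbVerifyKDC and KrbMethodK5Passwd are treated as on when absent, which is the module's default.

```python
import os
import stat

# Constructed sample: the directives shown in this page's mrtg.conf.
SAMPLE_CONF = """\
Alias /mrtg /var/www/mrtg
<Directory /var/www/mrtg>
  AuthName "Kerberos Login"
  AuthType Kerberos
  Krb5Keytab /var/www/html/mrtg/auth_kerb.keytab
  KrbAuthRealm CORRELSENSE.COM
  KrbMethodNegotiate off
  KrbVerifyKDC off
  Require valid-user
</Directory>
"""

def parse_directives(conf_text):
    """Map lowercased directive name -> argument string (last one wins)."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            found[name.lower()] = args.strip().strip('"')
    return found

def audit_conf(conf_text, served_roots=("/var/www/html", "/var/www/mrtg")):
    """Return finding codes; served_roots are assumed web-served directories."""
    d = parse_directives(conf_text)
    on = lambda key, default: d.get(key, default).lower() == "on"
    findings = []
    keytab = d.get("krb5keytab", "")
    if any(keytab.startswith(r.rstrip("/") + "/") for r in served_roots):
        findings.append("KEYTAB_UNDER_SERVED_DIR")    # service key may be downloadable
    if not on("krbverifykdc", "on"):
        findings.append("KDC_NOT_VERIFIED")           # a spoofed KDC can approve logins
    if on("krbmethodk5passwd", "on") and "sslrequiressl" not in d:
        findings.append("PASSWORD_AUTH_WITHOUT_TLS")  # password travels as HTTP Basic
    return findings

def keytab_mode_too_open(path):
    """True if group or others have any access to the keytab file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
```

On the web server, run audit_conf on the contents of /etc/httpd/conf.d/mrtg.conf and keytab_mode_too_open on the path given by Krb5Keytab.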