6.2. mod_auth_kerb Example
This section contains instructions for a basic example for configuring Kerberos authentication with Red Hat JBoss Web Server's Apache HTTP Server and mod_auth_kerb on Red Hat Enterprise Linux.
6.2.1. mod_auth_kerb Example Prerequisites
The following is a list of prerequisites for the working example. Ensure that all prerequisites are met before attempting to use the example instructions.
- Install mod_auth_kerb on Red Hat Enterprise Linux.
- Install curl with GSS-negotiated support.
- Configure and run a Kerberos or LDAP server (for example ApacheDS) on the same host as your Red Hat JBoss Web Server.
- Create the following LDAP users:
- Create the user
krbtgt:dn: uid=krbtgt,ou=Users,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: krb5principal objectClass: krb5kdcentry cn: KDC Service sn: Service uid: krbtgt userPassword: secret krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM krb5KeyVersionNumber: 0
- Create the user
ldap:dn: uid=ldap,ou=Users,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: krb5principal objectClass: krb5kdcentry cn: LDAP sn: Service uid: ldap userPassword: randall krb5PrincipalName: ldap/localhost@EXAMPLE.COM krb5KeyVersionNumber: 0
- Create the user
HTTP:dn: uid=HTTP,ou=Users,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: krb5principal objectClass: krb5kdcentry cn: HTTP sn: Service uid: HTTP userPassword: secretpwd krb5PrincipalName: HTTP/localhost@EXAMPLE.COM krb5KeyVersionNumber: 0
- Create user
hnelson(test user):dn: uid=hnelson,ou=Users,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: krb5principal objectClass: krb5kdcentry cn: Horatio Nelson sn: Nelson uid: hnelson userPassword: secret krb5PrincipalName: hnelson@EXAMPLE.COM krb5KeyVersionNumber: 0
6.2.2. Configure the Kerberos Client
Use the following procedure to configure a Kerberos client for testing purposes:
Procedure 6.1. Configure the Kerberos Client
Create the Kerberos Configuration File
Create thekrb5.confconfiguration file in the/etcdirectory and add the following to the file:[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd dns_lookup_realm = false dns_lookup_kdc = false allow_weak_crypto = yes ticket_lifetime = 24h renew_lifetime = 7d forwardable = yes [realms] EXAMPLE.COM = { kdc = localhost:60088 admin_server = localhost:60088 } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COMCreate a Key Tab
Create a key tab in the/etc/httpdfolder with the following contents:#
ktutilktutil:addent -password -p HTTP/localhost@EXAMPLE.COM -k 0 -e des-cbc-md5Password for HTTP/localhost@EXAMPLE.COM:secretpwdktutil:listslot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 0 HTTP/localhost@EXAMPLE.COM ktutil:wkt krb5.keytabktutil:quitAs the root user, run the following commands to apply the correct group and permissions to the key tab:# chgrp apache /etc/httpd/krb5.keytab # chmod 640 /etc/httpd/krb5.keytab
Check the Hosts File
Ensure that the following host configuration is included in the/etc/hostsfile:127.0.0.1 localhost
6.2.3. Configure mod_auth_kerb
Use the following procedure to configure mod_auth_kerb. As a prerequisite, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).
Procedure 6.2. Configure mod_auth_kerb
- Create the
auth_kerb.confconfiguration file in theJWS_HOME/httpd/conf.d/folder and add the following information to the file:# # The mod_auth_kerb module implements Kerberos authentication over # HTTP, following the "Negotiate" protocol. # LoadModule auth_kerb_module modules/mod_auth_kerb.so <Location /kerberostest> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off KrbAuthRealms EXAMPLE.COM KrbServiceName HTTP Krb5KeyTab /etc/httpd/krb5.keytab require valid-user </Location>
6.2.4. Test the Kerberos Authentication
Use the following instructions to test the Kerberos authentication. As a prerequisite for this procedure, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).
Procedure 6.3. Test the Kerberos Authentication
Create a Test Page
Create a test page namedauth_kerb_page.htmlinJWS_HOME/httpd/www/html/kerberostest/.Add the Contents of the Test Page
Add the following contents to the test page (auth_kerb_page.html):<html> <body> <h1>mod_auth_kerb successfully authenticated!</h1> </body> </html>Optional: Set Log Level
Optionally, set the log level for debugging inJWS_HOME/httpd/conf/httpd.conf.Start httpd
The the Installation Guide for details.Test Authentication
Test the authentication as follows:- Initiate Kerberos authentication for the test user
hnelson:$ kinit hnelson
- View the details for the test user
hnelson:$ klist
A result similar to the following appears:Ticket cache: FILE:/tmp/krb5cc_18602 Default principal: hnelson@EXAMPLE.COM Valid starting Expires Service principal 06/03/13 14:21:13 06/04/13 14:21:13 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 06/10/13 14:21:13
Testing Apache HTTP Server Kerberos Authentication
Test Apache HTTP Server Kerberos authentication as follows:$ curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html
If working correctly, the following result appears:<html> <body> <h1>mod_auth_kerb successfully authenticated!</h1> </body> </html>
See http://modauthkerb.sourceforge.net/ for more information about mod_auth_kerb.
