Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

6.2. mod_auth_kerb Example

This section contains instructions for a basic example for configuring Kerberos authentication with Red Hat JBoss Web Server's Apache HTTP Server and mod_auth_kerb on Red Hat Enterprise Linux.
Report a bug

6.2.1. mod_auth_kerb Example Prerequisites
复制链接

The following is a list of prerequisites for the working example. Ensure that all prerequisites are met before attempting to use the example instructions.
  • Install mod_auth_kerb on Red Hat Enterprise Linux.
  • Install curl with GSS-negotiated support.
  • Configure and run a Kerberos or LDAP server (for example ApacheDS) on the same host as your Red Hat JBoss Web Server.
  • Create the following LDAP users:
    • Create the user krbtgt: 
      dn: uid=krbtgt,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
    • Create the user ldap: 
      dn: uid=ldap,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: randall
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
    • Create the user HTTP: 
      dn: uid=HTTP,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: HTTP
sn: Service
uid: HTTP
userPassword: secretpwd
krb5PrincipalName: HTTP/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
    • Create user hnelson (test user): 
      dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
Report a bug

6.2.2. Configure the Kerberos Client
复制链接

Use the following procedure to configure a Kerberos client for testing purposes:

Procedure 6.1. Configure the Kerberos Client

  1. Create the Kerberos Configuration File

    Create the krb5.conf configuration file in the /etc directory and add the following to the file: 
    [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  dns_lookup_realm = false
  dns_lookup_kdc = false
  allow_weak_crypto = yes
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes  

[realms]
  EXAMPLE.COM = {
    kdc = localhost:60088
    admin_server = localhost:60088
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  2. Create a Key Tab

    Create a key tab in the /etc/httpd folder with the following contents: 
    # ktutil
ktutil: addent -password -p HTTP/localhost@EXAMPLE.COM -k 0 -e des-cbc-md5
Password for HTTP/localhost@EXAMPLE.COM: secretpwd
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    0               HTTP/localhost@EXAMPLE.COM
ktutil: wkt krb5.keytab
ktutil: quit
    Copy to Clipboard Toggle word wrap
    As the root user, run the following commands to apply the correct group and permissions to the key tab: 
    # chgrp apache /etc/httpd/krb5.keytab
# chmod 640 /etc/httpd/krb5.keytab
    Copy to Clipboard Toggle word wrap

  3. Check the Hosts File

    Ensure that the following host configuration is included in the /etc/hosts file: 
    127.0.0.1 localhost
    Copy to Clipboard Toggle word wrap
Report a bug

6.2.3. Configure mod_auth_kerb
复制链接

Use the following procedure to configure mod_auth_kerb. As a prerequisite, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).

Procedure 6.2. Configure mod_auth_kerb

  • Create the auth_kerb.conf configuration file in the JWS_HOME/httpd/conf.d/ folder and add the following information to the file: 
    #
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
# 

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /kerberostest>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/krb5.keytab
  require valid-user
</Location>
    Copy to Clipboard Toggle word wrap
Report a bug

6.2.4. Test the Kerberos Authentication
复制链接

Use the following instructions to test the Kerberos authentication. As a prerequisite for this procedure, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).

Procedure 6.3. Test the Kerberos Authentication

  1. Create a Test Page

    Create a test page named auth_kerb_page.html in JWS_HOME/httpd/www/html/kerberostest/.

  2. Add the Contents of the Test Page

    Add the following contents to the test page (auth_kerb_page.html): 
    <html>
<body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
</body>
</html>
    Copy to Clipboard Toggle word wrap

  3. Optional: Set Log Level

    Optionally, set the log level for debugging in JWS_HOME/httpd/conf/httpd.conf.

  4. Start httpd

    The the Installation Guide for details.

  5. Test Authentication

    Test the authentication as follows:
    1. Initiate Kerberos authentication for the test user hnelson: 
      $ kinit hnelson
      Copy to Clipboard Toggle word wrap
    2. View the details for the test user hnelson: 
      $ klist
      Copy to Clipboard Toggle word wrap
      A result similar to the following appears: 
      Ticket cache: FILE:/tmp/krb5cc_18602
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
06/03/13 14:21:13  06/04/13 14:21:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/10/13 14:21:13
      Copy to Clipboard Toggle word wrap

    3. Testing Apache HTTP Server Kerberos Authentication

      Test Apache HTTP Server Kerberos authentication as follows: 
      $ curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html
      Copy to Clipboard Toggle word wrap
      If working correctly, the following result appears: 
      <html>
<body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
</body>
</html>
      Copy to Clipboard Toggle word wrap
See http://modauthkerb.sourceforge.net/ for more information about mod_auth_kerb.
Report a bug
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat