This is a long story. It all started in 2015…well, let’s forget about the story and get to the practical example. The goal is this: we want a website that is only visible to selected members of an AD directory. The scenario: we already have a CentOS 7.X server called web, already joined to a domain, able to identify an AD user through Kerberos, with the httpd service active and serving some web pages. I’m following a variation of the solution I found on serverworld. Let’s have a look at the Kerberos configuration:
[root@web ~]# yum -y install mod_auth_kerb
[root@web ~]# vi /etc/krb5.conf
In the existing Kerberos configuration (krb5.conf) we pay attention to the [realms] and [domain_realm] sections. In our case they look like this:
[realms]
RESEARCH.GOV = {
  kdc = research.gov
  admin_server = research.gov
}

[domain_realm]
.research.gov = RESEARCH.GOV
research.gov = RESEARCH.GOV
So, compared with the serverworld example, our “realm” is RESEARCH.GOV instead of SRV.WORLD, and the same goes for the domain. We create the httpd keytab according to this change.
root@web ~ ## > echo "HTTP/web.research.gov@RESEARCH.GOV" > /etc/httpd/conf.d/krb5.keytab
As I wrote, our server web.research.gov already has all its Kerberos credentials in order, so we simply use them; otherwise we would need to create a new keytab first. Now we want to password-protect a folder called auth-kerberos, for which we need a new httpd configuration file. For the given folder it should look like this:
root@web ~ ## > more /etc/httpd/conf.d/auth_kerberos.conf
<Directory /var/www/html/auth-kerberos>
    AuthType Kerberos
    AuthName "Kerberos Authentication"
    KrbAuthRealms RESEARCH.GOV
    Krb5Keytab /etc/httpd/conf.d/krb5.keytab
    KrbMethodNegotiate Off
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    #All AD users allowed
    #Require valid-user
    #Only listed AD users allowed
    Require user josmith@RESEARCH.GOV kereave@RESEARCH.GOV
</Directory>
We also create the web page following the example:
[root@web ~]# vi /var/www/html/auth-kerberos/index.html
<html>
<body>
Test Page for RESEARCH.GOV on WEB
</body>
</html>
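As an added check before restarting httpd (example code of mine, not from the post or from serverworld), the script below catches the two things most likely to bite in this setup: a krb5.keytab that is a text file rather than the binary file kadmin or ktutil writes, and KrbVerifyKDC Off, which with password (Basic) logins means mod_auth_kerb never verifies the KDC's reply against the keytab. All paths and sample files in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity checks for the mod_auth_kerb setup above. Not code from
# the post or from serverworld; the sample files below are constructed.

# keytab_is_valid FILE: a real keytab (as written by kadmin/ktutil) is binary and
# starts with the bytes 0x05 0x02 (or 0x05 0x01); a file produced with
# `echo "HTTP/..." > krb5.keytab` is plain text and mod_auth_kerb cannot use it.
keytab_is_valid() {
    [ -s "$1" ] || return 1
    magic=$(od -An -N2 -tx1 "$1" | tr -d ' \n')
    [ "$magic" = "0502" ] || [ "$magic" = "0501" ]
}

# conf_warnings FILE: print one WARN line per weak setting found in an
# auth_kerberos.conf and return 0 only when nothing was flagged.
conf_warnings() {
    awk '
        tolower($1) == "krbverifykdc" && tolower($2) == "off" {
            print "WARN: KrbVerifyKDC Off - password logins are not verified against the keytab (KDC spoofing)"; n++ }
        tolower($1) == "require" && tolower($2) == "valid-user" {
            print "WARN: Require valid-user - every AD account gets in, not only the listed users"; n++ }
        tolower($1) == "require" && tolower($2) == "user" {
            for (i = 3; i <= NF; i++) if ($i !~ /@/) {
                print "WARN: Require user entry " $i " has no @REALM suffix and will never match"; n++ } }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample inputs mirroring the post: the conf as shown, the keytab
# written with echo, and a hardened conf with KrbVerifyKDC On for comparison.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/auth_kerberos.conf" <<'EOF'
<Directory /var/www/html/auth-kerberos>
    AuthType Kerberos
    KrbAuthRealms RESEARCH.GOV
    Krb5Keytab /etc/httpd/conf.d/krb5.keytab
    KrbVerifyKDC Off
    #Require valid-user
    Require user josmith@RESEARCH.GOV kereave@RESEARCH.GOV
</Directory>
EOF
sed 's/^\( *KrbVerifyKDC\) Off/\1 On/' "$SAMPLE_DIR/auth_kerberos.conf" > "$SAMPLE_DIR/hardened.conf"
echo "HTTP/web.research.gov@RESEARCH.GOV" > "$SAMPLE_DIR/text.keytab"
printf '\005\002' > "$SAMPLE_DIR/real.keytab"   # only the header bytes, enough for the check
for f in text.keytab real.keytab; do
    keytab_is_valid "$SAMPLE_DIR/$f" && echo "$f: looks like a keytab" || echo "$f: NOT a keytab"
done
conf_warnings "$SAMPLE_DIR/auth_kerberos.conf" || echo "auth_kerberos.conf: fix the warnings above before restarting httpd"
conf_warnings "$SAMPLE_DIR/hardened.conf" && echo "hardened.conf: no warnings"
```

Run it against your own /etc/httpd/conf.d files by passing their paths to the two functions; the keytab check only looks at the file header, so a correct header with the wrong principal still needs `klist -kt` to confirm.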
We only need to restart the httpd service and we will get the picture at the top of the article (taken from serverworld once more). More or less, of course. More or less. Just in case you don’t have enough, here you have another example from easyredmine and another one from the typo3 documentation, and a very detailed one with a lot of technicalities that I generally don’t need to touch. And I think now it’s time to continue with the quarantine posts 🙂