I'm looking for the configuration below for GSSAPI authentication with Apache 2.4 against Active Directory:
1. How do I configure Apache HTTP Server 2.4.x with mod_auth_gssapi using Microsoft Active Directory? Is there any documentation or POC example stating the configuration required in Apache HTTP Server 2.4.x for GSSAPI, so as to authenticate using the GSSAPI mechanism with Microsoft Active Directory?
2. Does mod_auth_gssapi provide the Integrity & Confidentiality security services? If yes, then what configuration is required in Apache HTTP Server?
Reference for Integrity & Confidentiality in GSSAPI.
As per my analysis, Active Directory supports the GSSAPI SASL mechanism. But Apache HTTP Server does not support GSSAPI as an out-of-the-box configuration. However, using mod_auth_gssapi it's possible for Apache HTTP Server to look up users & their credentials in Active Directory and thereby authenticate using the GSSAPI mechanism.
Currently, I have the Basic authentication provider configured as below in Apache HTTP Server, which needs to be replaced with mod_auth_gssapi to implement the GSSAPI authentication mechanism:
```apache
# Basic Authentication provider
<AuthnProviderAlias ldap MyEnterpriseLdap>
    AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=rohit,CN=Users,DC=abcd,DC=com"
    AuthLDAPBindPassword "abc123"
    LDAPReferrals Off
</AuthnProviderAlias>

# Authenticated resources
<LocationMatch "^/+WebApp/+(;.*)?">
    AuthName "WebApp"
    AuthType Basic
    AuthBasicProvider MyEnterpriseLdap
    Require valid-user
</LocationMatch>
```
Thanks.
Best Answer
I managed to make GSSAPI work using the following tutorial: http://www.jfcarter.net/~jimc/documents/bugfix/41-auth-kerb.html
What I did (I'm on Debian):

Join the domain
- Install packages:
- In /etc/krb5.conf:
- In /etc/samba/smb.conf:
- Disable referrals for LDAP calls:
- Join the domain:

Keytab for HTTP
- Create a keytab in /etc/krb5.keytab:
- Protect it: (in my case, www-data is the Unix user used for serving web pages)
- I added a script in the crontab to renew this keytab once a day. Not sure it is still needed, but on previous versions of Debian I had some bugs when the file was outdated. So I made a script in Expect calling net ads keytab add HTTP -U my-linux.ad-account for me. And it is still there :)

Configure Apache
- Get GSSAPI for Apache:
- Activating session cookies (to avoid re-authenticating the user on each page) - optional
- In your Apache site config (e.g. /etc/apache2/sites-available/000-default.conf)
- Restart Apache and pray
I hope I didn't forget anything.
Footnotes: the web clients won't delegate their credentials (and the SSO will not work) if:
SSLEngine on
)
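As an added example that is not part of the question or of the answer above, here is what the Apache side of a mod_auth_gssapi setup can look like when it replaces the Basic/LDAP block from the question. It assumes the Debian layout the answer uses (package libapache2-mod-auth-gssapi, enabled with a2enmod auth_gssapi session session_cookie), the HTTP/ service key in /etc/krb5.keytab as in the answer, and a placeholder host name web1.abcd.com plus realm ABCD.COM derived from the question's abcd.com domain; the certificate and session-key paths are placeholders too. On the question's second point: mod_auth_gssapi only authenticates the client. The HTTP Negotiate scheme (RFC 4559) does not wrap request or response bodies with GSSAPI message protection, so integrity and confidentiality of the traffic come from TLS, which is why the example restricts the module to HTTPS and marks the session cookie secure.

```apache
# Added example, not from the question or the answer. Placeholders:
# web1.abcd.com, realm ABCD.COM, certificate and session-key paths.
# Apache rejects trailing comments on directive lines, so every comment
# sits on its own line.

<VirtualHost *:443>
    # Must match the HTTP/web1.abcd.com@ABCD.COM principal in the keytab.
    ServerName web1.abcd.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/web1.abcd.com.pem
    SSLCertificateKeyFile /etc/ssl/private/web1.abcd.com.key

    # Same resource the question protected with AuthType Basic.
    <LocationMatch "^/+WebApp/+(;.*)?">
        AuthType GSSAPI
        AuthName "WebApp"

        # Service key for the acceptor; www-data must be able to read it.
        GssapiCredStore keytab:/etc/krb5.keytab

        # Accept only Kerberos inside SPNEGO; no NTLM fallback.
        GssapiAllowedMech krb5

        # Refuse to run the Negotiate exchange over plain HTTP. The scheme
        # carries no message protection of its own, so the ticket exchange
        # and everything after it rely on TLS.
        GssapiSSLonly On

        # Map the principal to a local name via the krb5 auth_to_local rules,
        # so REMOTE_USER is "rohit" rather than "rohit@ABCD.COM".
        GssapiLocalName On

        # Optional: clients that cannot do SPNEGO may send username/password,
        # which the module verifies against the KDC, not via an LDAP bind.
        # GssapiBasicAuth On

        # Session cookie so the Negotiate round trip happens once per session
        # instead of once per request. The key file is a random secret created
        # beforehand and readable only by www-data (path is a placeholder).
        GssapiUseSessions On
        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;
        GssapiSessionKey file:/var/lib/apache2/gssapi_session.key

        Require valid-user
    </LocationMatch>
</VirtualHost>
```

Compared with the question's block, the AuthnProviderAlias, bind DN and clear-text AuthLDAPBindPassword disappear: the KDC validates the client's ticket against the keytab, so Apache no longer needs an LDAP account of its own for authentication (an AuthLDAPURL can still be kept for group-based Require rules). A quick check after reloading is a request with a Kerberos-capable client and the module's error messages in the Apache error log; if it fails, confirm that the keytab holds an HTTP/ key for exactly the ServerName the browser used, which is the usual cause.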