Installation and Maintenance
Apache site configuration
After the modules are prepared, a customized site for the Apache server is needed. The entries for the Kerberos login are placed in the section "Directory /srv/www/ilias3/sso".
For your installation, change the realm and service name entries (lines 28 and 29) according to your environment. To ensure that only the Kerberos Negotiate mechanism is used, KrbMethodK5Passwd is set to off.
Lines 40 and 41 handle a failure of the Apache authentication by redirecting the user to the ILIAS login page.
With this configuration the ILIAS Administrator account must not use Apache authentication as its default login method; otherwise login may become impossible (and is then only correctable by disabling Apache login directly in the ILIAS database, table settings, or by reconfiguring the site parameters). Have at least one administrator whose login method is explicitly set to "ILIAS database"!
    <VirtualHost *:80>
To use HTTPS, uncomment lines 7 to 9, change the port to 443 and store the required certificates.
Some remarks:
- KrbServiceName must match the keytab entry, or be just "HTTP"
- KrbLocalUserMapping on removes the realm suffix from the user name. The login is valid for the user with the same name in the ILIAS database; the alternative login methods of this user account keep working without Kerberos
- In a production environment VerifyKDC should be set to "on"
- Apache usually uses the DNS server name configured for the site to request or validate tickets. This works fine if the DNS name of the ILIAS service is a normal host (A) record. If CNAME records are used in DNS, authentication often fails: Microsoft clients request a ticket for the canonical DNS name of the service, not for the CNAME itself. To fix this, the KrbServiceName setting of the Apache configuration has to use the canonical name of the service as well. If the keytab is created with the Samba method, the service principal names in the keytab get the correct form automatically.
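The following is an added example of the "Directory /srv/www/ilias3/sso" section with the settings discussed above; it is not the original ILIAS site file. The realm EXAMPLE.COM, the host name ilias.example.com, the keytab path and the ILIAS login URL are assumptions to be replaced with your own values, and the mod_auth_kerb directive for the KDC check is spelled KrbVerifyKDC.

```apache
# Added example, not the original ILIAS site configuration.
# Realm, host name, keytab path and login URL are placeholders.
<VirtualHost *:80>
    # Use the canonical (A record) name here, not a CNAME, or ticket
    # requests from Windows clients will not match the service principal.
    ServerName ilias.example.com
    DocumentRoot /srv/www/ilias3

    <Directory /srv/www/ilias3/sso>
        AuthType Kerberos
        AuthName "ILIAS Kerberos Login"
        KrbAuthRealms EXAMPLE.COM                   # placeholder realm
        KrbServiceName HTTP/ilias.example.com       # must match the keytab SPN (or just "HTTP")
        Krb5Keytab /etc/apache2/ilias.keytab        # assumed keytab location
        KrbMethodNegotiate on
        KrbMethodK5Passwd off      # Negotiate only: never fall back to a password prompt
        KrbLocalUserMapping on     # strip @EXAMPLE.COM so the name matches the ILIAS account
        KrbVerifyKDC on            # production setting: verify the KDC against the keytab
        KrbSaveCredentials off
        Require valid-user

        # On authentication failure hand the user to the normal ILIAS login page
        # (assumed URL); this replaces the redirect of lines 40 and 41.
        ErrorDocument 401 /ilias3/login.php
    </Directory>
</VirtualHost>
```

Leaving KrbVerifyKDC off lets a host that cannot prove knowledge of the service key still authenticate users, so keep it on outside of initial testing.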
mkdir /srv/www/ilias/intern
cp /srv/www/ilias/sso/index.php /srv/www/ilias/intern
chown -R www-data:www-data /srv/www/ilias/intern
Finally, reload the Apache configuration and make sure no errors are reported.
Now ILIAS can be configured to use Apache authentication.