Installation and Maintenance

Apache site configuration

After the modules are prepared, a customized site configuration for the Apache server is needed. The entries for the Kerberos login are placed in the section "Directory /srv/www/ilias3/sso".
 
For your installation, change the KrbAuthRealm and KrbServiceName entries according to your environment. KrbMethodK5Passwd is set to off so that only the Kerberos Negotiate mechanism is accepted and no password fallback is offered by Apache.
 
The two ErrorDocument directives (401 and 500) handle a failed Apache authentication by redirecting the user to the ILIAS login page.
With this configuration the ILIAS administrator account must not use Apache authentication as its default login method: otherwise a login may become impossible (and can then only be repaired by disabling Apache login directly in the ILIAS database, table "settings", or by reconfiguring the site parameters). Keep at least one administrator whose login method is explicitly set to "ILIAS database"!

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName ilias.verbund.local
ServerAlias ilias
DocumentRoot /srv/www/ilias

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /srv/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /srv/www/ilias/intern>
Redirect / http://ilias.verbund.local/sso/index.php?force_mode_apache=1&r=http://ilias.verbund.local&cookie_path=/&ilias_path=http://ilias.verbund.local
</Directory>

<Directory /srv/www/ilias/sso>
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/apache2/auth_kerb.keytab
KrbAuthRealm VERBUND.LOCAL
KrbServiceName HTTP/ilias.verbund.local
#KrbServiceName HTTP/ilias.verbund.local@VERBUND.LOCAL
KrbMethodNegotiate on
KrbSaveCredentials off
KrbMethodK5Passwd off
KrbAuthoritative on
KrbLocalUserMapping on
KrbVerifyKDC on
require valid-user
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=http://ilias.verbund.local/login.php?passed_sso=2\"></html>"
ErrorDocument 500 "<html><meta http-equiv=\"refresh\" content=\"0;url=http://ilias.verbund.local/login.php?passed_sso=2\"></html>"
allow from all
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

</VirtualHost>

To use HTTPS, uncomment lines 7 to 9, change the port to 443 and install the required certificates.
 
Some remarks:

  • KrbServiceName must match the principal stored in the keytab, or be only "HTTP" (the module then derives the principal from the site's host name).
  • KrbLocalUserMapping on strips the realm suffix from the authenticated principal. The login is then valid for the ILIAS user with the same name; alternative login methods for this user account keep working without Kerberos.
  • In a production environment KrbVerifyKDC should be set to "on".
  • Apache normally uses the DNS server name configured for the site to request or validate tickets. This works fine if the DNS name of the ILIAS service is a normal host (A) record. If a CNAME record is used, authentication often fails: Microsoft clients request a ticket for the canonical DNS name of the service, not for the alias. To fix this, the KrbServiceName setting in the Apache configuration has to use the canonical name as well. If the keytab is created with the Samba method, the service principal names in the keytab get the correct form automatically.
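The remarks above describe three things that silently break a Kerberos login: a KrbServiceName with no matching keytab principal, a service host that is only a CNAME, and weakened directives (KrbVerifyKDC off, KrbMethodK5Passwd on). The following lint script, added here as an example and not part of the ILIAS documentation or of mod_auth_kerb, checks a copy of the sso Directory section against a `klist -kt` listing. The config excerpt, the klist output and the alias-to-canonical-name mapping (a stand-in for a DNS lookup) are constructed sample data; on a real server you would feed it the actual file contents.

```python
"""Lint an Apache mod_auth_kerb site section against a keytab listing.

Added example; it implements the checks from the remarks above:
  - KrbServiceName must exist in the keytab, or be only "HTTP"
  - the service host should be a canonical name, not a CNAME
  - KrbVerifyKDC on and KrbMethodK5Passwd off in production
"""
import re

# Constructed sample: the Kerberos part of the sso <Directory> section.
SAMPLE_CONFIG = """\
<Directory /srv/www/ilias/sso>
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/apache2/auth_kerb.keytab
KrbAuthRealm VERBUND.LOCAL
KrbServiceName HTTP/ilias.verbund.local
#KrbServiceName HTTP/ilias.verbund.local@VERBUND.LOCAL
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbVerifyKDC on
require valid-user
</Directory>
"""

# Constructed sample of `klist -kt /etc/apache2/auth_kerb.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/apache2/auth_kerb.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   3 01/01/2020 00:00:00 HTTP/ilias.verbund.local@VERBUND.LOCAL
   3 01/01/2020 00:00:00 host/ilias.verbund.local@VERBUND.LOCAL
"""

# Constructed stand-in for DNS: alias -> canonical name (a CNAME record).
SAMPLE_CNAMES = {"ilias.verbund.local": "web01.verbund.local"}


def parse_directives(config_text):
    """Return {directive_lowercase: value}; comments and section tags are skipped."""
    directives = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s+(.*)", line)   # "<Directory" does not match \w+
        if m:
            directives[m.group(1).lower()] = m.group(2).strip()
    return directives


def keytab_principals(klist_text):
    """Extract principal names from `klist -kt` output (KVNO date time principal)."""
    principals = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def lint(directives, principals, cnames):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    # mod_auth_kerb defaults: K5Passwd on, Negotiate on, VerifyKDC on
    if directives.get("krbmethodk5passwd", "on").lower() != "off":
        findings.append("KrbMethodK5Passwd is not off: Apache offers a password fallback")
    if directives.get("krbmethodnegotiate", "on").lower() != "on":
        findings.append("KrbMethodNegotiate is off: no SPNEGO login possible")
    if directives.get("krbverifykdc", "on").lower() != "on":
        findings.append("KrbVerifyKDC is off: set it on in production")
    if "require" not in directives:
        findings.append("no require directive: the section is not protected")

    spn = directives.get("krbservicename", "HTTP")
    if spn.upper() == "HTTP":
        return findings            # principal is derived from the site name
    realm = directives.get("krbauthrealm", "")
    principal = spn if "@" in spn else f"{spn}@{realm}"
    if principal not in principals:
        findings.append(f"KrbServiceName {spn}: keytab has no entry {principal}")

    host = spn.split("/", 1)[1].split("@")[0] if "/" in spn else ""
    canonical = cnames.get(host, host)
    if canonical != host:
        findings.append(f"{host} is a CNAME for {canonical}: clients will ask for "
                        f"HTTP/{canonical}, use the canonical name in KrbServiceName")
    return findings


if __name__ == "__main__":
    result = lint(parse_directives(SAMPLE_CONFIG),
                  keytab_principals(SAMPLE_KLIST), SAMPLE_CNAMES)
    print("\n".join(result) if result else "no findings")
```

With the constructed data the only finding is the CNAME warning, because the sample keytab does contain the principal and the hardening directives are set as in the site configuration above.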
To complete the setup, create a directory for the "intern" access and copy index.php from the sso directory to avoid errors:

mkdir /srv/www/ilias/intern
cp /srv/www/ilias/sso/index.php /srv/www/ilias/intern
chown -R www-data:www-data /srv/www/ilias/intern

Finally, reload the Apache configuration and make sure no errors are reported.
ILIAS can now be configured to use Apache authentication.