Installation and Maintenance

Allow basic authentication

As an alternative to logging in to Kerberos solely by negotiation and tickets, Kerberos basic authentication can be used. The browser presents the user with a standard login window, and the login credentials are transferred to the Apache server. Apache then verifies the login data by contacting the Kerberos service.
 
To enable this configuration, some modifications are necessary:
 

  • enable Kerberos passwords in the Apache site configuration
  • (recommended) enable SSL transport from client to Apache
  • accept Basic authentication in the ILIAS configuration

This can be needed in some environments or for troubleshooting Kerberos problems.
 
If you accept the Kerberos basic login, non-Kerberos users have to cancel the Kerberos login page to be redirected to the ILIAS login page.

To use the configuration below, the modules headers (to insert additional headers into requests) and mod_ssl (to edit some headers, even if you are not using SSL transport) must be active too.

a2enmod auth_kerb
a2enmod headers
a2enmod ssl
service apache2 restart

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName ilias.verbund.local
    ServerAlias ilias
    DocumentRoot /srv/www/ilias

    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/myssl/iliaslocal.pem
    SSLCertificateFile /etc/apache2/myssl/iliaslocal-cert.pem
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /srv/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    <Directory /srv/www/ilias/intern>
        Redirect / http://ilias.verbund.local/sso/index.php?force_mode_apache=1&r=http://ilias.verbund.local&cookie_path=/&ilias_path=http://ilias.verbund.local
    </Directory>

    <Directory /srv/www/ilias/sso>
        AuthName "Kerberos Login"
        AuthType Kerberos
        Krb5Keytab /etc/apache2/auth_kerb.keytab
        KrbAuthRealm VERBUND.LOCAL
        KrbServiceName HTTP/ilias.verbund.local@VERBUND.LOCAL
        KrbMethodNegotiate on
        KrbSaveCredentials off
        KrbMethodK5Passwd on
        Krbauthoritative on
        KrbLocalUSerMapping On
        KrbVerifyKDC on
        RequestHeader add "X-ILIAS-AXU" %{AUTH_TYPE}s
        RequestHeader edit "X-ILIAS-AXU" Negotiate Basic
        require valid-user
        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=http://ilias.verbund.local/login.php\"></html>"
        allow from all
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

The listing above shows a site configuration file modified to accept both Kerberos negotiation and Kerberos password. To turn off these features, comment out lines 35 and 36 and set KrbMethodK5Passwd to off (line 32).
The RequestHeader directives require the module headers to be enabled; using the values of the variables in this notation requires the module ssl.
 
Independently of this, SSL can be turned off by commenting out lines 7-9 and changing port 443 to 80 in line 1.
Since the user password is handled unencrypted, use of SSL is strongly recommended. Possible tampering of headers hasn't been tested yet.
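
The two risks named above can be checked mechanically before a site file is enabled. The following Python sketch is an added example, not part of the ILIAS documentation; the function name audit_vhosts, its finding codes and the sample text are constructed for illustration. It flags a virtual host that accepts Kerberos passwords without SSLEngine on, and a RequestHeader add whose header is never reset (mod_headers' add keeps a same-named header the client already sent).

```python
import re

# Constructed sample: the page's vhost, reduced, with SSL switched off.
SAMPLE_PLAIN = """\
<VirtualHost *:80>
  # SSLEngine on
  <Directory /srv/www/ilias/sso>
    KrbMethodK5Passwd on
    RequestHeader add "X-ILIAS-AXU" %{AUTH_TYPE}s
    RequestHeader edit "X-ILIAS-AXU" Negotiate Basic
  </Directory>
</VirtualHost>
"""

def audit_vhosts(conf_text):
    """Return (vhost, finding) tuples; finding codes are this example's own."""
    findings, vhost = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out directives do not count
        opening = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opening:
            vhost, ssl, passwd = opening.group(1), False, False
            added, reset = set(), set()
        elif vhost is None:
            continue  # directive outside any vhost: not audited here
        elif line.lower().startswith("</virtualhost"):
            if passwd and not ssl:
                # Basic credentials would cross the network unencrypted.
                findings.append((vhost, "cleartext-password"))
            for header in sorted(added - reset):
                # "add" keeps a same-named header the client already sent.
                findings.append((vhost, "header-not-reset:" + header))
            vhost = None
        else:
            words = [w.strip('"').lower() for w in line.split()]
            name, args = words[0], words[1:]
            if name == "sslengine" and args[:1] == ["on"]:
                ssl = True
            elif name == "krbmethodk5passwd" and args[:1] == ["on"]:
                passwd = True
            elif name == "requestheader" and len(args) >= 2:
                if args[0] in ("add", "append", "merge"):
                    added.add(args[1])
                elif args[0] in ("set", "unset"):
                    reset.add(args[1])  # heuristic: order is not checked
    return findings
```

Calling audit_vhosts(SAMPLE_PLAIN) reports both findings for the *:80 host. With port 443, SSLEngine on and RequestHeader set in place of add, the result is empty.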

In the ILIAS settings, a few adjustments have to be made.
Set the ILIAS Apache login indicator to the header HTTP_X_ILIAS_AXU with a value of "Basic". Since ILIAS Apache login only accepts one header value, the content of "AUTH_TYPE" is copied to this header and, if "Negotiate" was given, replaced by "Basic" via the Apache site configuration (line 37). This is the reason why the Apache modules ssl and headers were required.

Apache using negotiate and basic

For the first tests of your setup, you may want to accept Kerberos basic. This lets you verify that Kerberos works by entering valid credentials in the browser login window. If this window appears for clients which should use negotiation, this hints at improperly generated keytab files or browser problems.


