Installation and Maintenance
Allow basic authentication
As an alternative to logging in solely through Kerberos negotiation and tickets, Kerberos basic authentication can be used. The browser presents a standard login window to the user, and the login credentials are transferred to the Apache server. Apache then verifies the login data by contacting the Kerberos service.
To enable this configuration, some modifications are necessary:
- enable Kerberos passwords in the Apache site configuration
- (recommended) enable ssl transport from client to Apache
- accept Basic authentication in the ILIAS configuration
If you accept the Kerberos basic login, non-Kerberos users have to cancel the Kerberos login page to be redirected to the ILIAS login page.
To use the configuration below, the modules headers (to insert additional headers into requests) and mod_ssl (to edit some headers, even if you are not using SSL transport) must be active too.
# a2enmod takes module names without the mod_ prefix
a2enmod auth_kerb
a2enmod headers
a2enmod ssl
service apache2 restart
1 | <VirtualHost *:443> |
The listing above shows a site configuration file modified to accept both Kerberos negotiation and Kerberos password. To turn off these features, comment out lines 35 and 36 and set KrbMethodK5Passwd to off (line 32).
The RequestHeader directives require the module headers to be enabled; using the values of the variables in this notation requires the module ssl.
Independently of this, SSL can be turned off by commenting out lines 7-9 and changing port 443 to 80 in line 1.
Since the user password is handled unencrypted, use of SSL is strongly recommended. Possible tampering of headers hasn't been tested yet.
In the ILIAS settings, a few adjustments have to be made.
Set the ILIAS Apache login indicator to the header HTTP_X_ILIAS_AXU with a value of "Basic". Since the ILIAS Apache login only accepts one header value, the content of "AUTH_TYPE" is copied to this header and, if "Negotiate" was given, replaced by "Basic" via the Apache site configuration (line 37). This is the reason why the Apache modules ssl and headers were required.
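The following site configuration is an added illustration of the directives discussed above, not the original listing, so the line numbers cited in the text do not apply to it. The host name, realm, file paths and protected path are placeholders, and the header name X-ILIAS-AXU assumes the usual mapping of a request header to the HTTP_X_ILIAS_AXU server variable.

```apache
# Added example, not the page's listing. All names and paths are placeholders.
<VirtualHost *:443>
    ServerName ilias.example.org
    DocumentRoot /var/www/ilias

    # TLS protects the password that Basic authentication sends with each request
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ilias.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/ilias.example.org.key

    # Placeholder: the ILIAS path that should trigger the Kerberos login
    <Location /PLACEHOLDER_PROTECTED_PATH>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.ORG
        KrbServiceName HTTP
        Krb5KeyTab /etc/apache2/http.keytab

        # Ticket-based login by negotiation
        KrbMethodNegotiate on
        # Password login: the browser shows its login window and Apache
        # verifies the credentials with the Kerberos service.
        # Set to off to disable Kerberos basic authentication.
        KrbMethodK5Passwd on

        Require valid-user

        # Copy AUTH_TYPE into the header ILIAS inspects.
        # "set" replaces any header of this name sent by the client;
        # the "%{...}s" notation needs mod_ssl to be loaded.
        RequestHeader set X-ILIAS-AXU "%{AUTH_TYPE}s"
        # ILIAS accepts only one indicator value, so Negotiate becomes Basic
        RequestHeader edit X-ILIAS-AXU "Negotiate" "Basic"
    </Location>
</VirtualHost>
```

After changing the site file, `apachectl configtest` checks the syntax before the restart.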
For the first tests of your setup you may want to accept Kerberos basic. This lets you verify that Kerberos works by entering valid credentials in the browser login window. If this window appears for clients which should use negotiation, this hints at improperly generated keytab files or browser problems.