Centos 7 PHP Apache SSO with Active Directory domain




Manually create a computer account for the Linux SSO server in Active Directory and set its delegation to trust this computer:



Create the keytab file; run cmd as an administrator:

ktpass -princ HTTP/your_FQDN_server_name@DOMAIN.LOCAL -mapuser DOMAIN\username -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass AD_USER_PSW -out c:\temp\serversso.krb5.keytab

Transfer the keytab file to the Linux server, into the /etc/httpd/conf/ directory.

Check the SPN binding:

setspn -q HTTP/your_FQDN_server_name


Adjust the server's hosts file so that only the loopback entry and the entry mapping the server's IP address to your_FQDN_server_name remain:

vi /etc/hosts


Deploy Apache and PHP:

yum install httpd php php-ldap

chkconfig httpd on 


Deploy Kerberos with SASL GSSAPI:

yum install krb5-workstation krb5-devel krb5-libs mod_auth_kerb cyrus-sasl-gssapi


Adjust the Kerberos config file, adding the text below:

vi /etc/krb5.conf 


--------------------------------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.LOCAL = {
  kdc = domain.example.local
  admin_server = domain.example.local
 }

[domain_realm]
 ssoserver.la.local = DOMAIN.LOCAL
---------------------------------------------------------------------------------------------------

 

Try to get a Kerberos ticket with the keytab, then check the key version number of the service principal:

kinit -k -t /etc/httpd/conf/serversso.krb5.keytab HTTP/ssoservername.domain.local

kvno HTTP/ssoservername.domain.local

 

Create the file with vi /etc/httpd/conf.d/auth_kerb.conf and add the text below:


--------------------------------------------------------------------------------------------
#
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /kerberostest>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms DOMAIN.LOCAL
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/conf/serversso.krb5.keytab
  require valid-user
</Location>
---------------------------------------------------------------------------------------------------------

Adjust the Apache config file /etc/httpd/conf/httpd.conf, adding the text below:


-----------------------------------------------------------------------------------------------------------
<Directory "/var/www/html">
    AuthType Kerberos
    KrbAuthRealms LA.LOCAL
    KrbServiceName HTTP/serversso.la.local
    Krb5Keytab /etc/httpd/conf/serversso.krb5.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user
    KrbLocalUserMapping on
    KrbSaveCredentials on
</Directory>
------------------------------------------------------------------------------------------------------


Create a PHP info file in the /var/www/html directory:

------------------------------------------------------------------------------------------------------
<?php
// Show all information, defaults to INFO_ALL
phpinfo();

// Show just the module information.
// phpinfo(8) yields identical results.
phpinfo(INFO_MODULES);
?>
----------------------------------------------------------

Restart Apache:

systemctl restart httpd


Voilà!
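Once the steps above are in place, a page under /var/www/html can rely on the identity mod_auth_kerb puts in REMOTE_USER and, thanks to KrbSaveCredentials plus the delegation set on the computer account, query Active Directory over LDAP with the user's own delegated ticket instead of a stored service password. The following is an added example, not code from the original post; the realm, LDAP host and base DN are assumptions taken from the placeholder names used above.

```php
<?php
// Added example, not from the original post. Assumed: realm (= KrbAuthRealms), LDAP
// host (the kdc from krb5.conf), base DN. Kept PHP 5.4 compatible for CentOS 7.
define('EXPECTED_REALM', 'DOMAIN.LOCAL');
define('LDAP_URI', 'ldap://domain.example.local');
define('BASE_DN', 'DC=domain,DC=local');

// REMOTE_USER is "user@REALM" (bare user when KrbLocalUserMapping is on). Accept only
// the trusted realm; the character class also keeps LDAP filter metacharacters out.
function principal_to_account($remote_user, $expected_realm) {
    if (!preg_match('/^([A-Za-z0-9._-]+)(?:@([A-Za-z0-9.-]+))?$/', $remote_user, $m)) {
        return null;
    }
    if (isset($m[2]) && strcasecmp($m[2], $expected_realm) !== 0) {
        return null; // ticket from a foreign realm: refuse rather than map it
    }
    return $m[1];
}

// Group DNs of the user. The GSSAPI bind uses the delegated ticket KrbSaveCredentials
// stored under KRB5CCNAME, so no service password lives in the page.
function lookup_groups($account) {
    if (!empty($_SERVER['KRB5CCNAME'])) {
        putenv('KRB5CCNAME=' . $_SERVER['KRB5CCNAME']);
    }
    $conn = ldap_connect(LDAP_URI);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_sasl_bind($conn, null, null, 'GSSAPI')) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($conn));
    }
    $filter  = '(&(objectClass=user)(sAMAccountName=' . $account . '))';
    $entries = ldap_get_entries($conn, ldap_search($conn, BASE_DN, $filter, array('memberOf')));
    ldap_unbind($conn);
    if ($entries['count'] !== 1 || !isset($entries[0]['memberof'])) {
        return array();
    }
    return array_values(array_diff_key($entries[0]['memberof'], array('count' => 0)));
}

$account = isset($_SERVER['REMOTE_USER']) ? principal_to_account($_SERVER['REMOTE_USER'], EXPECTED_REALM) : null;
if ($account === null) {
    header('HTTP/1.1 403 Forbidden');
    exit("No trusted Kerberos identity\n");
}
header('Content-Type: text/plain');
echo "Authenticated as $account\n";
foreach (lookup_groups($account) as $dn) {
    echo "memberOf: $dn\n";
}
```

The 403 branch is reached only if the Apache directives above are missing or misconfigured for the directory, which makes it a cheap check that authentication is actually enforced before any application logic runs.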



 

 


 

 


 

