6.2. mod_auth_kerb Example

This section walks through a basic example of configuring Kerberos (Negotiate/SPNEGO) authentication for the Apache HTTP Server shipped with Red Hat JBoss Web Server, using mod_auth_kerb on Red Hat Enterprise Linux. The host names, ports, passwords and cipher settings are chosen for a single-host test setup, not for production.

6.2.1. mod_auth_kerb Example Prerequisites

The following is a list of prerequisites for the working example. Ensure that all prerequisites are met before attempting to use the example instructions.
  • Install mod_auth_kerb on Red Hat Enterprise Linux.
  • Install a curl build with GSS-API/SPNEGO support (curl -V lists SPNEGO and GSS-API under Features; without them the --negotiate option is not available).
  • Configure and run a Kerberos KDC and an LDAP server on the same host as your Red Hat JBoss Web Server. ApacheDS provides both and stores Kerberos principals as LDAP entries, which is what the entries below assume; its default KDC port, 60088, is the one used in the krb5.conf below.
  • Create the following LDAP entries. The krb5principal and krb5kdcentry object classes are ApacheDS's Kerberos schema: each entry is both a directory user and a Kerberos principal whose key is derived from its userPassword, so the HTTP entry's password is also the one that goes into the keytab later, and the krbtgt entry is the KDC's own ticket-granting principal. The passwords shown are example values only:
    • Create the user krbtgt:
      dn: uid=krbtgt,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: KDC Service
      sn: Service
      uid: krbtgt
      userPassword: secret
      krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
      krb5KeyVersionNumber: 0
    • Create the user ldap:
      dn: uid=ldap,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: LDAP
      sn: Service
      uid: ldap
      userPassword: randall
      krb5PrincipalName: ldap/localhost@EXAMPLE.COM
      krb5KeyVersionNumber: 0
    • Create the user HTTP:
      dn: uid=HTTP,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: HTTP
      sn: Service
      uid: HTTP
      userPassword: secretpwd
      krb5PrincipalName: HTTP/localhost@EXAMPLE.COM
      krb5KeyVersionNumber: 0
    • Create user hnelson (test user):
      dn: uid=hnelson,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: Horatio Nelson
      sn: Nelson
      uid: hnelson
      userPassword: secret
      krb5PrincipalName: hnelson@EXAMPLE.COM
      krb5KeyVersionNumber: 0

6.2.2. Configure the Kerberos Client

Use the following procedure to configure a Kerberos client for testing purposes:

Procedure 6.1. Configure the Kerberos Client

  1. Create the Kerberos Configuration File

    Create /etc/krb5.conf with the following contents. The single-DES enctypes and allow_weak_crypto = yes are present only because this test KDC issues des-cbc-md5 keys; single DES is broken and must not be enabled outside a throwaway test environment:
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
      default_realm = EXAMPLE.COM
      default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
      default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
      dns_lookup_realm = false
      dns_lookup_kdc = false
      allow_weak_crypto = yes
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = yes
    
    [realms]
      EXAMPLE.COM = {
        kdc = localhost:60088
        admin_server = localhost:60088
      }
    
    [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
  2. Create a Keytab

    As the root user, run ktutil in the /etc/httpd directory to create the keytab. The password is the userPassword of the HTTP entry above, -k 0 matches that entry's krb5KeyVersionNumber, and the enctype must be one the KDC issues for the principal (des-cbc-md5 in this test setup). ktutil derives the key from the password, the principal name and the enctype, so if any of them differs from the KDC's view the server ends up with a keytab it cannot use:
    # cd /etc/httpd
    # ktutil
    ktutil: addent -password -p HTTP/localhost@EXAMPLE.COM -k 0 -e des-cbc-md5
    Password for HTTP/localhost@EXAMPLE.COM: secretpwd
    ktutil: list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    0               HTTP/localhost@EXAMPLE.COM
    ktutil: wkt krb5.keytab
    ktutil: quit
    The keytab holds the long-term key of the HTTP service, so only root and the httpd process (group apache) may read it. As the root user, set the group and permissions, then confirm the entry is present:
    # chgrp apache /etc/httpd/krb5.keytab
    # chmod 640 /etc/httpd/krb5.keytab
    # klist -kt /etc/httpd/krb5.keytab
  3. Check the Hosts File

    Ensure that /etc/hosts contains the following line. The keytab holds a key for HTTP/localhost only, and the client builds the service principal it requests from the host name it connects to (after resolving it), so connecting to localhost must consistently map to that name:
    127.0.0.1 localhost

6.2.3. Configure mod_auth_kerb

Use the following procedure to configure mod_auth_kerb. As a prerequisite, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).

Procedure 6.2. Configure mod_auth_kerb

  • Create the auth_kerb.conf configuration file in the JWS_HOME/httpd/conf.d/ folder and add the following information to the file:
    #
    # The mod_auth_kerb module implements Kerberos authentication over
    # HTTP, following the "Negotiate" protocol.
    #
    
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
    
    <Location /kerberostest>
      AuthType Kerberos
      AuthName "Kerberos Login"
      # Accept SPNEGO/GSS-API tokens from the browser or curl
      KrbMethodNegotiate On
      # No fallback to HTTP Basic: that would send the user's Kerberos password to httpd
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      # Service principal HTTP/<host>@EXAMPLE.COM, matching the keytab entry
      KrbServiceName HTTP
      Krb5KeyTab /etc/httpd/krb5.keytab
      require valid-user
    </Location>
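The krb5.conf in Section 6.2.2 and the auth_kerb.conf above both contain settings that are acceptable on this throwaway test host but not in production: single-DES enctypes with allow_weak_crypto on the client side, and on the Apache side the mod_auth_kerb defaults that apply whenever a directive is left out (KrbMethodK5Passwd defaults to On, so HTTP Basic credentials are accepted, and without Krb5KeyTab the library's default keytab is used). The following shell script is an added example, not part of the Red Hat documentation or of mod_auth_kerb; it audits both files for those settings before a configuration is promoted. The sample files it writes are constructed copies of the two configurations above plus a deliberately loosened variant, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or of mod_auth_kerb:
# audit the krb5.conf and auth_kerb.conf from this procedure for settings
# that must not leave a test environment. Function names and the sample
# files are this example's own constructions.

# Write constructed copies of the configurations into a temp dir; print its path.
write_samples() {
    dir=$(mktemp -d)
    # krb5.conf as written in the procedure: single DES plus allow_weak_crypto.
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  allow_weak_crypto = yes
EOF
    # auth_kerb.conf as written in the procedure: Negotiate only, explicit keytab, require.
    cat > "$dir/auth_kerb.conf" <<'EOF'
<Location /kerberostest>
  AuthType Kerberos
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/krb5.keytab
  require valid-user
</Location>
EOF
    # A loosened variant (constructed) that relies on the module's defaults.
    cat > "$dir/auth_kerb_loose.conf" <<'EOF'
<Location /kerberostest>
  AuthType Kerberos
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
</Location>
EOF
    echo "$dir"
}

# Report weak Kerberos client settings in file $1: one finding per line,
# return 1 if anything was found, 0 otherwise.
audit_krb5_conf() {
    rc=0
    # Single DES is broken; MIT krb5 only negotiates it when allow_weak_crypto
    # is set, which is why the test configuration needs both settings.
    for key in default_tgs_enctypes default_tkt_enctypes; do
        if grep -Eq "^[[:space:]]*$key[[:space:]]*=.*des-cbc-(md5|crc)" "$1"; then
            echo "$key lists single-DES enctypes"
            rc=1
        fi
    done
    if grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(yes|true|1)' "$1"; then
        echo "allow_weak_crypto is enabled"
        rc=1
    fi
    return $rc
}

# Report risky mod_auth_kerb settings in file $1 (same convention as above).
audit_auth_kerb_conf() {
    rc=0
    # KrbMethodK5Passwd defaults to On: the module then also accepts HTTP Basic
    # credentials, so the user's Kerberos password reaches httpd as base64.
    if ! grep -Eiq '^[[:space:]]*KrbMethodK5Passwd[[:space:]]+off' "$1"; then
        echo "KrbMethodK5Passwd not set to Off (Basic-auth fallback enabled)"
        rc=1
    fi
    # Without Krb5KeyTab the library's default keytab (normally /etc/krb5.keytab)
    # is used, which httpd should not be able to read.
    if ! grep -Eiq '^[[:space:]]*Krb5KeyTab[[:space:]]+/' "$1"; then
        echo "Krb5KeyTab not set"
        rc=1
    fi
    # AuthType alone enforces nothing; a require directive is what denies access.
    if ! grep -Eiq '^[[:space:]]*require[[:space:]]+' "$1"; then
        echo "no require directive"
        rc=1
    fi
    return $rc
}
```

Run audit_krb5_conf against the real /etc/krb5.conf and audit_auth_kerb_conf against JWS_HOME/httpd/conf.d/auth_kerb.conf; on the test setup above the first reports three findings and the second none, and the loosened sample shows what the module's defaults silently allow.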

6.2.4. Test the Kerberos Authentication

Use the following instructions to test the Kerberos authentication. As a prerequisite for this procedure, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).

Procedure 6.3. Test the Kerberos Authentication

  1. Create a Test Page

    Create a test page named auth_kerb_page.html in JWS_HOME/httpd/www/html/kerberostest/.
  2. Add the Contents of the Test Page

    Add the following contents to the test page (auth_kerb_page.html):
    <html>
    <body>
        <h1>mod_auth_kerb successfully authenticated!</h1>
    </body>
    </html>
  3. Optional: Set Log Level

    Optionally, raise the LogLevel directive (for example to debug) in JWS_HOME/httpd/conf/httpd.conf. mod_auth_kerb then records the authenticated principal and any GSS-API errors in the error log, which is the first place to look when the curl test below fails.
  4. Start httpd

    See the Installation Guide for details.
  5. Test Authentication

    Test the authentication as follows:
    1. Obtain a ticket-granting ticket for the test user hnelson (the password is secret, as set on the LDAP entry):
      $ kinit hnelson
      Password for hnelson@EXAMPLE.COM:
    2. View the ticket cache for the test user hnelson:
      $ klist
      A result similar to the following appears:
      Ticket cache: FILE:/tmp/krb5cc_18602
      Default principal: hnelson@EXAMPLE.COM
      
      Valid starting     Expires            Service principal
      06/03/13 14:21:13  06/04/13 14:21:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
      renew until 06/10/13 14:21:13
    3. Test Apache HTTP Server Kerberos Authentication

      Test Apache HTTP Server Kerberos authentication as follows. The empty -u : tells curl to answer the server's Negotiate challenge from the credential cache rather than prompt for a password: curl first receives a 401 with a WWW-Authenticate: Negotiate header, then repeats the request with a ticket for HTTP/localhost@EXAMPLE.COM. Add -v to see that exchange, and run kdestroy beforehand to confirm that the page is not served without a ticket:
      $ curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html
      If working correctly, the following result appears:
      <html>
      <body>
          <h1>mod_auth_kerb successfully authenticated!</h1>
      </body>
      </html>
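The most common reason the curl test above fails is a mismatch between the service principal the client asks for and the one in the keytab: the client derives HTTP/<host>@REALM from the host name in the URL, which is why the keytab holds HTTP/localhost and /etc/hosts must map 127.0.0.1 to localhost. The following shell script is an added example, not part of the Red Hat documentation or of mod_auth_kerb; it derives the expected principal from a URL and checks it against klist -kt output. It applies the lower-casing the Kerberos library performs but does no DNS or reverse-DNS canonicalisation (the library does, which is what the hosts-file step in Section 6.2.2 controls), so it reports the host name exactly as given in the URL. The klist -kt listing is a constructed sample and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or of mod_auth_kerb:
# derive the service principal a Negotiate client will request for a URL
# and confirm that the httpd keytab holds a key for it. Function names and
# the sample klist output are this example's own constructions.

# Print HTTP/<host>@<REALM> for URL $1 and realm $2. The host is taken from
# the URL with scheme, path, userinfo and port removed, then lower-cased as
# the Kerberos library does before building a service principal. No DNS
# canonicalisation is done here, so the name is used exactly as it appears.
expected_spn() {
    host=$(printf '%s' "$1" |
        sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#/.*$##; s#^[^@]*@##; s#:[0-9]+$##')
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    printf 'HTTP/%s@%s\n' "$host" "$2"
}

# Return 0 when file $2 (the output of "klist -kt <keytab>") lists a key for
# principal $1, else 1. klist -kt prints a three-line header followed by
# "KVNO Timestamp Principal" rows; the principal is the last field of each row.
keytab_has_principal() {
    awk -v want="$1" 'NR > 3 && $NF == want { found = 1 }
                      END { if (found) exit 0; exit 1 }' "$2"
}

# Combine both: report whether clients of URL $1 in realm $2 can be served
# from the keytab described by listing file $3.
check_spn_for_url() {
    spn=$(expected_spn "$1" "$2")
    if keytab_has_principal "$spn" "$3"; then
        echo "ok: keytab has a key for $spn"
        return 0
    fi
    echo "missing: clients of $1 will request $spn, which is not in the keytab"
    return 1
}

# Constructed sample of "klist -kt /etc/httpd/krb5.keytab" for the keytab
# created in Section 6.2.2; the timestamp is made up.
sample_keytab_listing() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Keytab name: FILE:/etc/httpd/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 06/03/2013 14:00:00 HTTP/localhost@EXAMPLE.COM
EOF
    echo "$f"
}

# Stand-alone run: the URL from the curl test, then a host the keytab lacks.
listing=$(sample_keytab_listing)
check_spn_for_url 'http://localhost/kerberostest/auth_kerb_page.html' EXAMPLE.COM "$listing"
check_spn_for_url 'http://web.example.com/kerberostest/' EXAMPLE.COM "$listing" || true
rm -f "$listing"
```

On a real host, feed check_spn_for_url the output of klist -kt /etc/httpd/krb5.keytab and the URL users will actually type; if they reach the server under a name other than localhost, the keytab needs a key for HTTP/<that name>@EXAMPLE.COM and the KDC a matching principal.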
See http://modauthkerb.sourceforge.net/ for more information about mod_auth_kerb.