Apache w/ Windows AD SSO and LDAP Group Authorization

I had the requirement to authenticate a website using SSO (pass-through domain authentication) and restrict access to certain groups in Active Directory. This is how I achieved it.

Components used:

  • Redhat RHEL 5
  • Apache 2.2
  • mod_perl
  • mod_auth_kerb
  • Apache2::AuthZLDAP

Kerberos Service Principal Setup

(Using this grolmsnet.de tutorial as guidance.)

Edits/additions to krb5.conf (in the [libdefaults] section; the realm name is the AD domain name in upper case, and the two dns_lookup settings make the client find the KDCs through the _kerberos._tcp SRV records AD publishes)

 default_realm = FULL-AD-DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

Test Basic Kerberos Functionality

username@linux [~]$ kinit username@FULL-AD-DOMAIN.COM
username@linux [~]$ klist

kinit prompts for the domain password and returns silently on success; klist then shows a krbtgt/FULL-AD-DOMAIN.COM@FULL-AD-DOMAIN.COM ticket. If this fails with a clock-skew error, sync the web server's clock with the domain (Kerberos tolerates 5 minutes of skew by default), since the same skew will break SSO later.

AD Service Principal Setup

  • Create a dummy user account in the Active Directory domain. It must be enabled, with “password never expires” set and “User must change password at next logon” NOT set. It should not have any administrative privileges: its long-term key will sit in a file on the web server. Assume the username is apache-kerberos-user for the next command.
  • From the domain controller, or another machine with the ktpass.exe utility, run the following. ktpass maps the HTTP/ SPN onto the account and resets the account's password to the one you enter, so run it once; every re-run bumps the key version number (KVNO) and invalidates any keytab produced earlier.
C:\>ktpass -princ HTTP/fqdn-of-webserver.domain.com@FULL-AD-DOMAIN.COM
 -mapuser apache-kerberos-user -ptype KRB5_NT_PRINCIPAL -crypto rc4-hmac-nt
 -pass * -out c:\apache.keytab
  • rc4-hmac-nt is the strongest type a Windows 2003 domain offers, but RC4 is deprecated. With Windows Server 2008 or later domain controllers, use -crypto AES256-SHA1 instead and enable “This account supports Kerberos AES 256 bit encryption” on the account.
  • Copy the keytab to the web server (e.g. /etc/httpd/conf/apache.keytab). It is equivalent to the account's password, so make it owned by root, readable by the group Apache runs as, and by nobody else (chown root:apache; chmod 640).

Test AD Service Principal

username@linux [~]$ klist -kte /etc/httpd/conf/apache.keytab
username@linux [~]$ kinit -k -t /etc/httpd/conf/apache.keytab HTTP/fqdn-of-webserver.domain.com

klist -kte lists the principal, KVNO and encryption type stored in the keytab; kinit -k -t must then obtain a ticket silently using that key. The usual causes of failure are a KVNO mismatch (the account's password was reset after the keytab was made) or the clock skew mentioned above.
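When klist is not at hand, or you want to check a batch of keytabs before they are deployed, the following added example (not part of the original page, and not from mod_auth_kerb or MIT Kerberos) parses the MIT keytab file format (version 0x0502, big-endian) directly in Python and reports which principals and encryption types it contains, flagging the rc4-hmac key that ktpass -crypto rc4-hmac-nt produces. The build_keytab helper exists only to construct sample input with dummy key bytes; the principal and realm names are the placeholders used on this page.

```python
"""Offline keytab inspector (added example; parses MIT keytab format
0x0502, big-endian, without any Kerberos libraries).  Lists the principals
and encryption types a keytab holds and flags deprecated ones such as the
rc4-hmac key that ktpass -crypto rc4-hmac-nt produces."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ENCTYPES = {1, 3, 23, 24}      # DES and RC4: deprecated by RFC 6649 / 8429
KRB5_NT_PRINCIPAL = 1


def _counted_octets(buf, off):
    """Read a uint16 length-prefixed byte string at buf[off:]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return [{principal, enctype, kvno, key}, ...] for each live entry.
    A negative record length marks a deleted slot (ktutil delent); skip it."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:              # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "key": key})
        off = end
    return entries


def build_keytab(entries):
    """Serialise entries (same dict shape) to keytab bytes; used here only
    to construct sample input for the inspector."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data, expected_principal):
    """Is this keytab usable for mod_auth_kerb?  The HTTP/ principal must be
    present, and no weak enctype should remain."""
    entries = parse_keytab(data)
    names = [ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in entries]
    principals = sorted({e["principal"] for e in entries})
    weak = sorted({n for n, e in zip(names, entries) if e["enctype"] in WEAK_ENCTYPES})
    return {"principals": principals, "enctypes": sorted(set(names)),
            "weak_enctypes": weak,
            "has_expected": expected_principal in principals,
            "ok": expected_principal in principals and not weak}


SPN = "HTTP/fqdn-of-webserver.domain.com@FULL-AD-DOMAIN.COM"
# Constructed samples with dummy key bytes (not real keys): what ktpass
# -crypto rc4-hmac-nt yields (RC4 only), and a keytab that also has AES256.
SAMPLE_RC4_ONLY = build_keytab(
    [{"principal": SPN, "enctype": 23, "kvno": 3, "key": bytes(range(16))}])
SAMPLE_WITH_AES = build_keytab(
    [{"principal": SPN, "enctype": 23, "kvno": 3, "key": bytes(range(16))},
     {"principal": SPN, "enctype": 18, "kvno": 3, "key": bytes(range(32))}])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RC4_ONLY
    print(audit_keytab(data, sys.argv[2] if len(sys.argv) > 2 else SPN))
```

Run it as `python keytab_audit.py /etc/httpd/conf/apache.keytab HTTP/fqdn-of-webserver.domain.com@FULL-AD-DOMAIN.COM`; with no arguments it audits the constructed RC4-only sample. Because the keytab holds the service's long-term key, run the script as a user allowed to read the file and do not copy the file elsewhere to inspect it.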

Apache Setup

# yum install mod_auth_kerb mod_perl

Install Apache2::AuthZLDAP perl module

Instructions for this step vary based on your Perl installation standards. I use cpan2rpm to build Perl modules as RPM packages.

httpd.conf additions

<Directory "/var/www/html/topsecret">
AuthType Kerberos
KrbServiceName HTTP
Krb5Keytab /etc/httpd/conf/apache.keytab
# Negotiate (SPNEGO): the browser presents its AD ticket, which is the SSO part
KrbMethodNegotiate on
# Fallback to HTTP Basic auth: the user's password is sent to Apache and
# checked against the KDC. Leave this on only if the site is served over
# HTTPS; otherwise set it to off.
KrbMethodK5Passwd on
# off lets another auth module handle the request if Kerberos fails; set it
# to on unless another AuthType is deliberately chained behind this one.
KrbAuthoritative off
# Group authorization via Apache2::AuthZLDAP. mod_auth_kerb sets REMOTE_USER
# to the full principal (user@FULL-AD-DOMAIN.COM), which is why [uid] is
# matched against userPrincipalName and not sAMAccountName.
PerlSetVar LDAPURI      ldap://fqdn-of-ad-domaincontroller.com:389
PerlSetVar LDAPuser         ldap-bind-user@full-ad-domain.com
PerlSetVar LDAPpassword     ldap-bind-password
PerlSetVar LDAPfilter       &(userPrincipalName=[uid])(memberOf=CN=LDAPGROUPNAME,OU=Department,DC=FULL-AD-DOMAIN,DC=com)
PerlAuthzHandler Apache2::AuthZLDAP
require valid-user
</Directory>

A few points worth checking before going live. The LDAP bind is a simple bind, so over ldap:// on port 389 the bind account's password crosses the network in clear text; use ldaps://fqdn-of-ad-domaincontroller.com:636 (the DC needs a server certificate), and in any case give ldap-bind-user no rights beyond reading the directory and keep httpd.conf readable by root only, since the password is stored in it in plain text. memberOf matches direct membership only: a user who belongs to LDAPGROUPNAME through a nested group is denied unless the filter uses AD's LDAP_MATCHING_RULE_IN_CHAIN form (memberOf:1.2.840.113556.1.4.1941:=CN=LDAPGROUPNAME,...), available from Windows Server 2003 SP2 onward. Finally, require valid-user is satisfied by every Kerberos-authenticated user; the group restriction is enforced solely by the Perl authz handler, so test with a domain user outside the group and confirm a 403 before relying on it.
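To make the authorization step concrete, here is an added example (mine, not part of the original page and not Apache2::AuthZLDAP's API) in Python showing the filter that substituting REMOTE_USER for [uid] in the LDAPfilter line produces, with RFC 4515 escaping of the substituted value, a check that the principal belongs to our realm (a trusted foreign realm would otherwise pass straight through to the group test), and the nested-group variant using AD's LDAP_MATCHING_RULE_IN_CHAIN rule. The function names, GROUP_DN and REALM constants, and the sample user names are this example's assumptions. Python is used because it runs offline without Kerberos or LDAP libraries.

```python
"""Added example: build the LDAP authorization filter for a REMOTE_USER
value the way [uid] substitution in LDAPfilter does, with RFC 4515
escaping and a realm check.  Names here are this example's, not the
Apache2::AuthZLDAP module's API."""

# RFC 4515 assertion-value escapes; backslash first so later escapes are
# not re-escaped.
_RFC4515 = [("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"),
            ("\x00", r"\00")]

# AD extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN (Windows Server 2003
# SP2 and later): memberOf:<oid>:=<dn> also matches nested membership.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

GROUP_DN = "CN=LDAPGROUPNAME,OU=Department,DC=FULL-AD-DOMAIN,DC=com"
REALM = "FULL-AD-DOMAIN.COM"


def ldap_escape(value):
    """Escape an assertion value so it cannot inject filter syntax.  A name
    that came from a Kerberos ticket was validated by the KDC, but the rule
    costs nothing and matters if the handler is ever reused behind a form."""
    for ch, esc in _RFC4515:
        value = value.replace(ch, esc)
    return value


def realm_matches(remote_user, realm):
    """mod_auth_kerb sets REMOTE_USER to user@REALM (unless
    KrbLocalUserMapping is on).  Accept only our own realm: with a forest or
    external trust in place, a principal from another realm would otherwise
    reach the group test, and userPrincipalName lookups across realms are
    not what the author intends."""
    if "@" not in remote_user:
        return False
    return remote_user.rsplit("@", 1)[1] == realm


def build_authz_filter(remote_user, group_dn=GROUP_DN, realm=REALM,
                       nested=False):
    """Return the search filter for the authorization lookup, or None to
    deny without contacting the directory at all."""
    if not realm_matches(remote_user, realm):
        return None
    attr = "memberOf:%s:" % IN_CHAIN_OID if nested else "memberOf"
    return "(&(userPrincipalName=%s)(%s=%s))" % (
        ldap_escape(remote_user), attr, ldap_escape(group_dn))


if __name__ == "__main__":
    # Constructed sample REMOTE_USER values: a normal user, a user from a
    # trusted foreign realm, and a name carrying filter metacharacters.
    for user in ["jdoe@FULL-AD-DOMAIN.COM", "jdoe@OTHER-REALM.COM",
                 "x*)(cn=*@FULL-AD-DOMAIN.COM"]:
        print(user, "->", build_authz_filter(user))
    print("nested ->", build_authz_filter("jdoe@FULL-AD-DOMAIN.COM", nested=True))
```

The escaped form of the third sample shows why the escaping matters: the parentheses and asterisks become \28, \29 and \2a and the filter keeps its intended two-term structure. Whether the nested form is needed depends on how LDAPGROUPNAME is populated; if it only ever contains users directly, the plain memberOf test the page uses is cheaper for the domain controller.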