Re: SSO on Linux

From: Peter H. Lemieux (phl_at_cyways.com)
Date: 07/29/04


Date: Wed, 28 Jul 2004 19:01:13 -0400
To: spurgeonbj@softhome.net

Spurge wrote:
> Is anyone aware of any kerberised RPMs of apache / postfix / vsftpd ?

Try mod_auth_pam for Apache (http://pam.sourceforge.net/mod_auth_pam/).
Since your system-auth is now set to AD+Kerberos, you can tell Apache
to use the same technique to authenticate its users.

You'll need to make sure that the appropriate AddModule and LoadModule
directives for mod_auth_pam are added to httpd.conf, and you'll want to
include some authentication scheme like this in either httpd.conf or
.htaccess files as appropriate:

AuthType Basic
AuthName "Who are you?"
require valid-user

And, of course, in /etc/pam.d you'll need a file named httpd that looks
like this:

# more /etc/pam.d/httpd
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth

I don't know about postfix; I never require authentication for my SMTP
users. Using sendmail, I just control access with entries in the
/etc/mail/access.db hash database. As for vsftpd, Fedora ships a file
in /etc/pam.d for this daemon that uses system-auth. It should work out
of the box if your system-auth uses Kerberos.

Fully-Kerberized daemons were common in RedHat distributions, but Fedora
doesn't seem to support Kerberos to the same degree as RH Enterprise.
You might take a peek at WhiteBox Linux (http://www.whiteboxlinux.org),
a rebuild of RHEL from source RPMs with all the proprietary RedHat stuff
removed. Still, I would bet that once you get system-auth to use
Kerberos, it should be easy to get the other applications to use it via PAM.

Peter
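
A way to check which /etc/pam.d services really end up at pam_krb5 through system-auth, as the message above describes. This is an added example, not part of the original post: the function names are hypothetical, and the system-auth and legacyftp contents are constructed sample data (only the httpd entry mirrors the file shown in the message).

```python
import os
import re

# Constructed sample /etc/pam.d contents. "httpd" mirrors the file in the post;
# "system-auth" and "legacyftp" are assumptions made for this demonstration.
PAM_D = {
    "httpd": "auth required /lib/security/pam_stack.so service=system-auth\n"
             "account required /lib/security/pam_stack.so service=system-auth\n",
    "system-auth": "#%PAM-1.0\n"
        "auth sufficient /lib/security/pam_unix.so likeauth nullok\n"
        "auth sufficient /lib/security/pam_krb5.so use_first_pass\n"
        "auth required /lib/security/pam_deny.so\n"
        "account [default=bad success=ok user_unknown=ignore] /lib/security/pam_krb5.so\n"
        "account required /lib/security/pam_unix.so\n",
    "legacyftp": "auth required /lib/security/pam_unix.so\n"  # never reaches system-auth
                 "account required /lib/security/pam_unix.so\n",
}

# type, control (plain word or [bracketed] form), module, optional arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def modules(service, kind, files, seen=None):
    """List modules reached for `kind`, following pam_stack.so and include/substack."""
    seen = seen if seen is not None else set()
    if service in seen or service not in files:  # cycle guard / missing file
        return []
    seen.add(service)
    found = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m or m.group(1) != kind:
            continue
        _, control, module, args = m.groups()
        module = os.path.basename(module)
        if control in ("include", "substack"):
            found += modules(module, kind, files, seen)
        elif module == "pam_stack.so":
            target = re.search(r"service=(\S+)", args)
            if target:
                found += modules(target.group(1), kind, files, seen)
        else:
            found.append(module)
    return found

def reaches_kerberos(service, files=PAM_D):
    """Report, per management group, whether pam_krb5.so is in the resolved stack."""
    return {k: "pam_krb5.so" in modules(service, k, files) for k in ("auth", "account")}
```

To run it against a live host, build the dictionary from the files in /etc/pam.d instead of the sample data; a service that reports False for auth is authenticating without consulting Kerberos at all.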


