Kerberos user authentication in Apache

Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/43459/

Time: 2020-09-13 16:42:54  Source: igfitidea

apache authentication kerberos

Asked by Vagnerr

Can anybody recommend some really good resources for how to get Apache authenticating users with Kerberos?

Background reading on Kerberos would also be useful.

Thanks

Peter

Accepted answer by Joseph Daigle

mod_auth_kerb is a good start: http://modauthkerb.sourceforge.net/. If you need Active Directory support, look here: http://support.microsoft.com/?id=555092.

Answer by schlenk

I found mod_auth_spnego also quite okay, as it can use SSPI on Windows instead of requiring MIT Kerberos. mod_spnego

Answer by s00th

Here's an example using Active Directory as the KDC: http://oslabs.mikro-net.com/krb_apache.html

Answer by Tomas Tomecek

I liked this article about configuring Apache to use Kerberos:

http://www.roguelynn.com/words/apache-kerberos-for-django/

(You may skip the parts about Django if you are not interested.)

EDIT:

Full-blown answer

It is pretty easy to configure Apache to use Kerberos authentication.

I am assuming you have correctly configured Kerberos on your machine.

1) Your webserver has to have a keytab [1].

Bottom line, your webserver has to be able to read the keytab!

2) You have to have the proper httpd module for authentication -- mod_auth_kerb:

LoadModule auth_kerb_module modules/mod_auth_kerb.so

3) Then you have to tell Apache about Kerberos:

<Location /> 
    AuthName "Kerberos Authentication -- this will be showed to users via BasicAuth"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # this is the principal from your keytab (you may lose the FQDN part)
    KrbServiceName HTTP/$FQDN
    KrbAuthRealms KERBEROS_DOMAIN
    Krb5KeyTab /path/to/http.keytab
    Require valid-user

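    # Note: with the default "Satisfy All", these host rules are enforced in
    # addition to "Require valid-user", so "Deny from all" rejects every request
    # unless an Allow rule or "Satisfy Any" is also configured.
    Order Deny,Allow
    Deny from all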
</Location>

Then Apache will pass the user to your app via the REMOTE_USER HTTP header.

And that's it.

I also advise you to turn on debugging logging in Apache during setup. Be sure that you have the correct time and httpd can read the keytab, that's all.

[1] http://kb.iu.edu/data/aumh.html

[2] Main resource: http://www.roguelynn.com/words/apache-kerberos-for-django/
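An added example, not part of the answers above and not code from mod_auth_kerb: a Python pre-flight check for the two keytab problems the last answer points at, a keytab that httpd cannot read and one that lacks the principal named in KrbServiceName. It reads the MIT keytab file format (0x0502) directly; the function names are hypothetical, and `sample_keytab` builds a constructed entry with an all-zero key for testing.

```python
import os, stat, struct

def keytab_principals(data):
    """Parse an MIT keytab (file format 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab in file format 0x0502")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative length marks a deleted entry
            pos += -size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 2
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names = []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        off += 8                           # skip name type and timestamp (4 bytes each)
        kvno, enctype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen                  # the key bytes are never returned
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
    return entries

def keytab_problems(path, principal):
    """Findings for the file Krb5KeyTab points at; run it as the httpd user."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        problems.append("mode %o lets any local user access the service key" % mode)
    try:
        with open(path, "rb") as f:
            found = [p for p, _, _ in keytab_principals(f.read())]
    except PermissionError:
        return problems + ["current user cannot read the keytab"]
    if principal not in found:
        problems.append("no key for %s, keytab holds %s" % (principal, found))
    return problems

def sample_keytab(realm, components, kvno=3, enctype=18):
    """Constructed input: one entry whose key is 32 zero bytes, not a real key."""
    counted = lambda b: struct.pack(">H", len(b)) + b
    rec = struct.pack(">H", len(components)) + counted(realm.encode())
    rec += b"".join(counted(c.encode()) for c in components)
    rec += struct.pack(">IIBHH32sI", 1, 0, kvno, enctype, 32, bytes(32), kvno)
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

An empty list from `keytab_problems` means the keytab is readable by the calling user, closed to other local users, and holds a key for the given principal; it does not check clock skew.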