Apache intranet authentication for webapps
Architect
02-04-2006, 10:47 AM
Hi All,
I have a couple of issues that I need some help on.
The intranet I work on is a Windows NT Domain. I have installed a Debian Linux server with Apache2 and am hosting several webapps (PHP and MySQL based mainly) there. The problem is that each of them requires users to sign up before they can be used. What I have to do is work around this problem.
For this I want the Apache server to authenticate a user when they try to view a web page there. When a user accesses the webapp, Apache should authenticate them by connecting to the LDAP (??) server; if it is a valid user connecting for the first time, it should add an entry in the database, or if an entry already exists then it should just allow them to access the app.
If the user is not a valid user (Apache should let me know this) then display an error.
Does this sound correct?
My next problem is...
On the Debian server I installed Apache2 deb and when I try to see what modules are present with Apache I get this
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_log_config.c
mod_logio.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_negotiation.c
mod_dir.c
mod_alias.c
mod_so.c
I downloaded the libapache-auth-ldap deb and then did a 'dpkg -i libapache-auth-ldap' which told me the package was successfully installed, but even after that could not see the ldap auth module with apache.
How do I get this working, and how do I know it is working?
Any help on this would be greatly appreciated. Thanks in advance.
bwkaz
02-05-2006, 03:21 PM
If you're looking for the user to not have to type in any credentials at all, then you'll need some way of getting Apache to do kerberos authentication, not LDAP authentication. Your windows DCs will be the Kerberos KDCs.
Architect
02-06-2006, 01:43 AM
I am trying a search right now, but if anyone knows if there is such a module please let me know.
<edit>Found this http://modauthkerb.sourceforge.net/ </edit>
bwkaz
02-06-2006, 07:57 PM
Hey, cool. That may come in handy at work at some point.
Thanks for posting it!
:D
Architect
02-15-2006, 09:50 AM
I just found out that the Windows Domain is a Windows 2003 Domain. It has an LDAP interface (whatever that means).
So does anyone know how I can get webapps to authenticate against that?
bwkaz
02-15-2006, 08:00 PM
I am not sure, but I believe you can't. (Or if you can, you probably don't want to, see below.)
DCs for Active Directory domains (2000-level and up) all support LDAP queries. But I don't believe LDAP itself has any kind of separate authentication protocol -- I know that in a Windows 2000 domain, you authenticate to the LDAP server using Kerberos. (Now, you may be able to look up credentials in the LDAP directory, but you'd have to be absolutely sure that the place you look and the format of the hashed password is never going to change. Personally, I don't trust Microsoft to be that backward-compatible.)
In short: Kerberos is available, and is already an authentication protocol. You don't have to do something special to make it into one, like you have to do with LDAP. (LDAP, at its core, is nothing more than a directory lookup protocol.)
Given the choice, I'd definitely go with Kerberos, myself.
Architect
02-17-2006, 12:23 AM
Ok then maybe I should do that.
Anyway I found this on searching. Any idea if this Apache2NTLM (http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm) mod might help?
bwkaz
02-17-2006, 07:52 PM
That would only do NTLM, not Kerberos. :)
IE works the same with either, when talking to the web server. But Kerberos is newer (and doesn't use RC4 for encryption!), and you can do a few more things with it.
One of the "more" things that you can do with Kerberos is re-authenticate, as the user, against a different Kerberos-capable server. (But only if the client gives you a special "delegatable" token.) NTLM never allows this, because the server doesn't know the client's password, only the NTLM hash of the nonce it challenged with.
I'm not sure if the Apache module can do delegation, but it should be able to, if it does Kerberos at all; AFAIK delegation is part of the Kerberos protocol spec. You will need to mark the account that your Apache server is running under as "trusted for delegation" in the AD domain, though (plus you'll need to set up SPNs for both the Apache server account and the other server's account), so it may not be possible (or even required!) in your setup. But it's still possible with Kerberos, and impossible with NTLM, so it may be a factor.
Any reason you can't just use that mod_auth_kerb extension? It looks like a good way to do what you need.
Architect
02-19-2006, 01:43 AM
Well.... I'm doing this on a Debian server (first time using Debian) and could not find the Kerberos mod anywhere in the debian site.
Anyway I think I will try this out, only I am not sure if I have these prerequisites:
Development environment for Kerberos5 and/or Kerberos4
Apache server installed with SSL support
Does anyone know how I can check if they are available?
dkeav
02-19-2006, 02:07 AM
Keep in mind that the implementation of Kerberos that Microsoft is using is quite modified and non-standard. As of right now you will need to find patches for krb5 to support their PAC scheme; support should be updated in the release of Samba 4 as well.
Architect
02-19-2006, 03:39 AM
Will the Kerberos mod give me "single sign-on" in the Windows Domain (i.e. not prompting for username/password) ?
I am confused by what this means:
..it retrieves a username/password pair from the browser and checks them against a Kerberos server..
Does this mean the user will have to specify a username/password?
And this one:
Now you have to create an service key for the module, which is needed to perform client authentication..
Any idea why this is required?
bwkaz
02-19-2006, 03:17 PM
Well.... I'm doing this on a Debian server (first time using Debian) and could not find the Kerberos mod anywhere in the debian site.
Have you tried looking through apt for anything Kerberos related? I'd probably go with Heimdal, but I don't really know why.
Will the Kerberos mod give me "single sign-on" in the Windows Domain (i.e. not prompting for username/password) ?
If it's done correctly, it should. Kerberos is single-sign-on (I believe it's the first system that had this property, but I could be wrong on that).
The user provides their username and password to the domain controller when they log on (well, actually it's their username and a keyed hash of a random value, but whatever -- and in Kerberos, the DC is acting as a KDC), which issues them a "ticket" if they provide the correct hash. Then, when they have to authenticate to another service, they provide the name of the other service (its Service Principal Name) along with a value based on their ticket to the KDC, which gives them a ticket for that service if everything is OK (this new ticket is valid for only a few minutes). They provide this ticket to the service, and the service uses it to verify that the KDC authorized the client.
I am confused by what this means
Does this mean the user will have to specify a username/password?
No, it means the person writing the documentation was a little confused about how Kerberos actually works. ;) Or, that the module will also work in Basic authentication mode (where it doesn't get a ticket, just a username and password).
And this one
Any idea why this is required?
Because for Kerberos, each service has to have its own secret, shared with the KDC. Without the secret, the KDC won't be able to issue tickets to clients for that service; without a ticket, authentication must fail.
as of right now you will need to find patches for krb5 to support their PAC scheme
But PAC support isn't needed for this, I don't think. (I could be wrong on that, though. I thought PAC was something unrelated to the basic Kerberos protocol.)
dkeav
02-19-2006, 06:43 PM
you can setup generic single sign-on with a *nix KDC but if you want to use a windows domain tree you will have to use a windows system as the KDC
Architect
02-20-2006, 02:30 AM
@dkeav: didn't quite get that.
I have apache running on a Debian box.
Is there some config that has to be done (other than installing the Krb mod) to enable this single sign-on?
@bwkaz: How do I create a service key for the module?
bwkaz
02-20-2006, 07:48 PM
you can setup generic single sign-on with a *nix KDC but if you want to use a windows domain tree you will have to use a windows system as the KDC
Which Architect already has. It's a Windows Server 2003 domain; the 2003 DCs are Kerberos KDCs. ;)
@bwkaz: How do I create a service key for the module?
I don't know. Does the modauthkerb page tell you how? If not, try looking at your distro's Kerberos package's documentation. (I've never set up Kerberos for a Linux machine before, so I don't know how to do most of this stuff. I do know how much of Kerberos works at a network level, just not how to get it set up and running.)
The SPN (if you need to know it to create this service key, or to create the account in AD) will probably be something like HTTP/webserver's-FQDN:80 (so e.g. HTTP/apachebox.domain.com:80). Not at all sure if that matters though.
Architect
02-21-2006, 10:27 AM
Not done anything with an SPN before. What do I do with it? Where do I store/user it?
bwkaz
02-21-2006, 10:24 PM
In Windows, an SPN is assigned to every service account (that is, accounts that services run under) and machine account (if the service runs as localsystem). In Kerberos, an SPN must exist for each "principal" (entity that users want to authenticate to). That means that the account that the admins create for you needs an SPN, otherwise Kerberos won't work.
I'm guessing you can have your domain admin(s) create a normal user account for your Apache installation. Then you can give them the SPN I mentioned above (HTTP/apachebox.domain.whatever:80), and have the admins assign that SPN to the account they created. (If they don't know how, tell them to look into the setspn.exe tool.) Set the account's password to be the Kerberos key that you generated for the module (...I think, anyway; this is the part I'm not sure about).
Architect
02-22-2006, 12:25 AM
Ok so I guess I should go ask the domain admins to create a user account for the apache web server (or is it an account for the debian box?).
Then I give them the SPN (HTTP/<FQDN>:80) and ask them to assign that SPN to the new account(not really sure what this means) using the setspn.exe tool.
Finally set the account's password to be the Kerberos key generated (how do I generate this?)
Thanks a lot for the info so far and thanks in advance
bwkaz
02-22-2006, 07:44 PM
Ok so I guess I should go ask the domain admins to create a user account for the apache web server (or is it an account for the debian box?).
It's a user account, for the Apache server. Microsoft's page (see below) seems to concur.
(Kerberos doesn't care which account the SPN maps to, it just has to map to an account that the target server (Apache) knows the Kerberos secret for.)
Then I give them the SPN (HTTP/<FQDN>:80) and ask them to assign that SPN to the new account(not really sure what this means) using the setspn.exe tool.
Actually, no, this was wrong. (Well... it may work for the SPN mapping, but it probably won't generate the keytab file. See below; Microsoft says they should use ktpass instead.)
Finally set the account's password to be the Kerberos key generated
As it turns out, no, see below.
(how do I generate this?)
It comes out from ktpass, based on the password that the admins assigned to the user that they created. (I don't think you will even need to know that user's password, as long as you have the keytab file.)
This will probably help. It applies to 2000, but it's hopefully fairly easy to map it over to 2003. The tools should (hopefully!) still be there.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EFAA
(Found this Googling for "generate keytab kerberos", trying to find out how to generate a keytab file.) Under the "Support for Kerberos Services" section (the rest of it applies to machines logging onto the domain, or Win2K clients logging onto a Unix Kerberos server), you'll need to have your admins follow those steps -- i.e., create an account, assign it any password, then run:
ktpass -princ HTTP/apachebox.AD-domain-name@AD-domain-name -mapuser the-user-name-they-used -pass the-password-they-used -out apache.keytab
Then have them give you this apache.keytab file, and copy it over to the Apache box. Then point modauthkerb to it.
Er, hang on -- I'm also re-reading the modauthkerb configuration page again, and it looks like it'll be easier if you use the MIT kerberos package (not Heimdal). You have to install one more "dummy-library" package if you use Heimdal, plus Microsoft's article is talking about MIT.
Architect
02-23-2006, 05:55 AM
Thanks bwkaz. I will be asking them pretty soon and didn't want to mess anything up.
Will let you know what happens.
Architect
03-01-2006, 10:31 AM
I still haven't had a chance to talk to the admin guys but I tried out some stuff and have a doubt.
I just tried logging in to the Debian box and tried the kinit command. This is what I got.
user1@deb_box:~$ kinit
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
user1@deb_box:~$
user1@deb_box:~$ kinit -4
Password for user1@winpk1:
kinit(v4): Can't send request (send_to_kdc)
Any idea what could be wrong?
bwkaz
03-01-2006, 08:54 PM
Looks like it can't find a KDC; have you configured Kerberos yet? You will probably have to give it a "default realm" (this will be your Windows domain's DNS name) and a KDC IP address (this will be your DC's address).
Architect
03-02-2006, 03:27 AM
Is the realm the windows server name?
or is it "winpk1"? (form the output I've shown above)
dkeav
03-02-2006, 12:08 PM
The realm is your DNS name. Like, if your network is foo.org, go to a domain machine and look at what they call the domain; that is your realm.
Architect
03-06-2006, 02:33 AM
Actually there are 3 entries in the dns suffix.
Do I use all 3? if so how?
bwkaz
03-06-2006, 07:26 PM
It's not necessarily the DNS search suffix. Go to a 2K Pro machine (I hope you have one, because I don't know if this is in the same place anymore on XP), right-click my computer, go to properties, go to the "network identification" tab, and check the "domain:" field. This should be the DNS domain name (which is the same as the Kerberos realm).
On XP, it may be in a similar place, but they changed a whole bunch of stuff around with XP for no good reason, so maybe not.
Architect
03-07-2006, 09:44 AM
I don't have access to a 2K Pro machine :(.
Is there any other way I can get it from an XP box?
dkeav
03-07-2006, 12:08 PM
It's the same on XP boxes.
Architect
03-08-2006, 03:18 AM
?? Can't see a "Network id" tab there
There is a "Computer Name" tab with a "Full computer name" and "Domain", is that the one you are referring to?
dkeav
03-08-2006, 01:11 PM
Yes, it is. That domain listed there is your Kerberos realm.
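Added example, not taken from any post in this thread: the Debian-side pieces that bwkaz's 02-22 post (account, ktpass, keytab) and the realm/KDC discussion just above leave to the reader. It builds a krb5.conf naming the AD domain as default realm and the DC as KDC (the piece the "Cannot contact any KDC for requested realm" kinit error was missing), derives the HTTP service principal in the same form as the ktpass line, writes the mod_auth_kerb Location block (directive names are mod_auth_kerb's own), and checks that the keytab the admins hand over actually contains that principal. Hostname, domain, DC address and file paths are constructed placeholders; the upper-case realm follows the Kerberos convention that the realm is the DNS domain name in capitals.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders: web server
# apachebox.example.com, AD domain example.com, DC/KDC 10.0.0.1.

# Kerberos realms are the DNS domain name in upper case (AD follows this).
realm_from_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Service principal mod_auth_kerb looks for in the keytab; same shape as the
# -princ argument of the ktpass command earlier in the thread.
http_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$(realm_from_domain "$2")"
}

# Minimal /etc/krb5.conf: default realm plus the DC as KDC, so kinit knows
# where to send its request.
gen_krb5_conf() {
    domain=$1; kdc=$2
    realm=$(realm_from_domain "$domain")
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Apache fragment for mod_auth_kerb, intended for a separate
# /etc/apache2/mods-available/auth_kerb_site.conf (path is an assumption).
# Negotiate on, password fallback off: the browser sends a ticket or fails.
gen_apache_conf() {
    fqdn=$1; domain=$2; keytab=$3
    realm=$(realm_from_domain "$domain")
    cat <<EOF
<Location /webapp>
    AuthType Kerberos
    AuthName "Intranet login"
    KrbAuthRealms $realm
    KrbServiceName HTTP
    Krb5Keytab $keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
EOF
}

# Sanity-check the keytab from ktpass: it must hold the expected principal,
# and kinit -k proves the key in it is accepted by the KDC. Needs MIT krb5
# tools; returns 2 when they are not installed, 1 when the check fails.
verify_keytab() {
    keytab=$1; principal=$2
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$keytab" | grep -q "$principal" || return 1
    kinit -k -t "$keytab" "$principal" || return 1
}

# Stand-alone run: print both fragments for the placeholder host.
if [ "${1:-}" = "show" ]; then
    gen_krb5_conf example.com 10.0.0.1
    gen_apache_conf apachebox.example.com example.com /etc/apache2/apache.keytab
fi
```

Run with `sh script.sh show` to see the two fragments; redirect gen_krb5_conf to /etc/krb5.conf and retry kinit before asking the admins for the keytab, and only then run verify_keytab against the file they produce. The keytab should be readable only by the Apache user, since anyone who can read it can impersonate the web server to the KDC.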
Architect
03-11-2006, 07:56 AM
Ok the kinit stuff worked and klist showed me a ticket.
I guess I have to get the network admin to do the stuff on the KDC now.
Architect
03-13-2006, 01:45 AM
I was just checking out the modules that are loaded by Apache2.
From the phpinfo() output I can see that there is no mod_auth_kerb loaded?
So I think there was a problem in the installation. I saw that when I do a ./configure there is a '--with-apache' directive that should specify the Apache installation location.
I am not very sure where this is in Debian. Is there some way to find out what the install dir is?
bwkaz
03-13-2006, 07:36 PM
From the phpinfo() output I can see that there is no mod_auth_kerb loaded?
If you haven't changed Apache's configuration, then you're right, it won't be loaded.
Apache does not load all available modules. You have to tell it which ones to load in its config file. Since you're using Debian, that's probably easiest to do by checking in /etc/apache2/mods-available for something related to mod_auth_kerb. If it's there, then it should be as simple as symlinking to it from /etc/apache2/mods-enabled. (And it should be there, if you can find a mod_auth_kerb Debian package -- "apt-cache search kerb | grep auth" on my Debian box at work shows "libapache2-mod-auth-kerb" as an available package. I'd use that.)
I saw that when I do a ./configure there is a '--with-apache' directive that should specify the Apache installation location.
I'd install it from the Debian package above, not from source.
Architect
03-14-2006, 06:45 AM
Ok I've installed the libapache2-mod-auth-kerb package and restarted my apache2.
Now phpinfo() shows that it is available.
Does anyone have info/experience configuring and using this?
Or is it the same as was discussed previously in this thread?
bwkaz
03-14-2006, 08:30 PM
It should be the same. You might have to edit the /etc/apache2/mods-available/ file, but that's marked as a config file in dpkg. It might conflict if you upgrade the Debian package.
It might be better to put the configuration settings that you need to change into a new /etc/apache2/sites-available/ file, then symlink it from sites-enabled. Or, add it to a new mods-available file (with a .conf extension), since that won't conflict either. The sites-available files are generally for virtual hosts; that might be way too much overhead for your installation.
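Added example, not part of the thread: a small POSIX shell helper that does what this post suggests on Debian's apache2 layout, linking the module's files from mods-available into mods-enabled and keeping local settings in a separate .conf that the package does not own, so a package upgrade cannot overwrite them. The directory layout is Debian's; APACHE_ROOT, the function names and the auth_kerb_site file name are assumptions made for the example (Debian's apache2 packages also ship a2enmod, which does the linking step).

```shell
#!/bin/sh
# Added example, not from the thread. APACHE_ROOT defaults to Debian's
# /etc/apache2; point it at a scratch directory to try this without root.
APACHE_ROOT=${APACHE_ROOT:-/etc/apache2}

# Link every file the module ships (auth_kerb.load, plus auth_kerb.conf if
# present) into mods-enabled. Idempotent: existing links are left alone.
# Fails when no file for that module exists in mods-available.
enable_mod() {
    mod=$1; linked=0
    for f in "$APACHE_ROOT/mods-available/$mod.load" "$APACHE_ROOT/mods-available/$mod.conf"; do
        [ -e "$f" ] || continue
        target="$APACHE_ROOT/mods-enabled/$(basename "$f")"
        [ -e "$target" ] || ln -s "$f" "$target"
        linked=$((linked + 1))
    done
    [ "$linked" -gt 0 ]
}

# True when the module's .load file is linked from mods-enabled.
mod_enabled() {
    [ -L "$APACHE_ROOT/mods-enabled/$1.load" ]
}

# Put our own directives into a new mods-available/<name>.conf (never the
# package's own file) and link it in. The content is read from stdin.
add_local_conf() {
    name=$1
    cat > "$APACHE_ROOT/mods-available/$name.conf"
    ln -sf "$APACHE_ROOT/mods-available/$name.conf" "$APACHE_ROOT/mods-enabled/$name.conf"
}

# After editing: syntax check first, restart only if it passes. Skipped when
# apache2ctl is not installed (e.g. a scratch run).
reload_apache() {
    command -v apache2ctl >/dev/null 2>&1 || return 0
    apache2ctl configtest && apache2ctl graceful
}
```

Typical use on the real box: `enable_mod auth_kerb`, then feed the Location block for the protected application to `add_local_conf auth_kerb_site`, then `reload_apache`. Because the local file is a symlink target under mods-available rather than an edit of the package's auth_kerb.load, dpkg will not see a modified conffile on the next upgrade.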
Architect
06-01-2006, 10:34 AM
I spoke to my network admin and he is of the opinion that the LDAP plugin method would be faster and easier.
Any takes on this?
bwkaz
06-01-2006, 11:55 PM
I don't know. He may be right, but I suspect that since LDAP is not an authentication protocol (I think I said this before... ;)), it's not going to be a good fit for what you need.
(Especially since AFAIK no browser will authenticate to a web server using LDAP, whether the user provides credentials or not. IE and FF both use one of NTLM, Kerberos, Digest, or Basic authentication. If you want your users to log on automatically, you have to use either NTLM or Kerberos, and NTLM requires that the server have the cleartext password for every user. (Basic auth might be able to use the LDAP backend, but Basic won't be automatic for the user.) Kerberos is the only automatic-logon authentication protocol that I know of where the passwords can be stored on a machine other than the web server.)
Syngin
06-02-2006, 02:05 PM
I just found out that the Windows Domain is a Windows 2003 Domain. It has an LDAP interface (whatever that means).
so does anyone know how I can get webapps to authenticate against that?
PHP has LDAP functionality. I've been looking into that myself lately to standardize the 8 or so authentication scenarios our company uses.
http://ca3.php.net/ldap
You could use that to tie each application in and even use it as your userbase.
I've been able to get basic authentication working but very little else. I think I'll work on that this afternoon.