From version < 19.2 >
edited by Thomas Mortagne
on 2008/06/20
To version < 20.1 >
edited by Jasper Siepkes
on 2008/06/23
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ThomasMortagne
1 +XWiki.JasperSiepkes
Content
... ... @@ -181,7 +181,55 @@
181 181  # Only required if protection = encryption or all (default)
182 182  # Only required if protection = validation or all (default)
183 183  
184 +1.1 Kerberos SSO Authentication
184 184  
186 +The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
185 185  
188 +First of all you need to create a principal and keytab for the webserver:
189 +{code}
190 +# kadmin
191 +kadmin> addprinc -randkey HTTP/wiki.example.com
192 +kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com
193 +kadmin> quit
194 +{code}
186 186  
196 +Make sure the keytab has the right permissions and ownership:
197 +{code}
198 +chown www-data:www-data /etc/apache2/ssl/wiki.keytab
199 +chmod 400 /etc/apache2/ssl/wiki.keytab
200 +{code}
187 187  
202 +Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
203 +{code}
204 +aptitude install libapache2-mod-auth-kerb
205 +{code}
206 +Of course the installation procedure varies per Linux distribution.
207 +
208 +If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:
209 +{code}
210 +<Location /xwiki/>
211 + AuthType Kerberos
212 + AuthName "Kerberos Login"
213 + KrbAuthRealms EXAMPLE.COM
214 + Krb5Keytab "/etc/apache2/ssl/wiki.keytab"
215 + KrbMethodK5Passwd off
216 + KrbMethodNegotiate on
217 + KrbSaveCredentials on
218 + require valid-user
219 +</Location>
220 +{code}
221 +
222 +Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
223 +{code}
224 +<Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
225 +{code}
226 +
227 +Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
228 +
229 +Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
230 +{code}
231 +xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
232 +{code}
233 +
234 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
235 +
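Review bot: The Tomcat connector and authclass steps (new lines 222-232) never say that, with tomcatAuthentication="false" and an "AppServerTrusted" auth class, the user name handed over by Apache HTTPD is taken as already authenticated, so Kerberos is only enforced for requests that pass through the `<Location /xwiki/>` block. Please add a sentence telling readers to keep the AJP connector bound to 127.0.0.1 as shown, and to disable or firewall any other Tomcat connector through which XWiki could be reached directly. Smaller points: `KrbSaveCredentials on` is not used by anything in this procedure and should be dropped or explained. The Firefox note offers "https://" for network.negotiate-auth.trusted-uris, which by the text's own description covers all secured connections, so list the narrower "example.com" form first. The xwiki.cfg path is given as WEB-INF/lib/xwiki.cfg, the same directory as the jar; please confirm this is not meant to be WEB-INF/xwiki.cfg. Typos: "via by" in the introduction, "propperty" and the lowercase "possible" in the Firefox paragraph.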
XWiki.XWikiComments[7]
Date
... ... @@ -1,1 +1,1 @@
1 -2008-06-20 11:24:42.94
1 +2008-06-20 11:24:42.0
