<
From version < 19.2 >
edited by Thomas Mortagne
on 2008/06/20
To version < 21.1 >
edited by Jasper Siepkes
on 2008/06/23
>
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ThomasMortagne
1 +XWiki.JasperSiepkes
Content
... ... @@ -181,7 +181,57 @@
181 181  # Only required if protection = encryption or all (default)
182 182  # Only required if protection = validation or all (default)
183 183  
184 +1.1 Kerberos SSO Authentication
184 184  
186 +#warning("This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!")
185 185  
188 +The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
186 186  
190 +First of all you need to create a principal and keytab for the webserver:
191 +{code}
192 +# kadmin
193 +kadmin> addprinc -randkey HTTP/wiki.example.com
194 +kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com
195 +kadmin> quit
196 +{code}
187 187  
198 +Make sure the keytab has the right permissions and ownership:
199 +{code}
200 +chown www-data:www-data /etc/apache2/ssl/wiki.keytab
201 +chmod 400 /etc/apache2/ssl/wiki.keytab
202 +{code}
203 +
204 +Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
205 +{code}
206 +aptitude install libapache2-mod-auth-kerb
207 +{code}
208 +Of course the installation procedure varies per Linux distribution.
209 +
210 +If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:
211 +{code}
212 +<Location /xwiki/>
213 + AuthType Kerberos
214 + AuthName "Kerberos Login"
215 + KrbAuthRealms EXAMPLE.COM
216 + Krb5Keytab "/etc/apache2/ssl/wiki.keytab"
217 + KrbMethodK5Passwd off
218 + KrbMethodNegotiate on
219 + KrbSaveCredentials on
220 + require valid-user
221 +</Location>
222 +{code}
223 +
224 +Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
225 +{code}
226 +<Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
227 +{code}
228 +
229 +Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
230 +
231 +Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
232 +{code}
233 +xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
234 +{code}
235 +
236 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
237 +
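Review bot: `KrbSaveCredentials on` in the `<Location /xwiki/>` block looks unnecessary and should be dropped or justified. With `KrbMethodK5Passwd off` the only credentials it can save are tickets delegated by the browser, and none of the later steps use a saved ticket, so leaving it off keeps delegated credentials off the web server. In the Firefox paragraph, suggesting "https://" for `network.negotiate-auth.trusted-uris` lets the browser answer Negotiate challenges from any HTTPS site; recommend the wiki host (or "example.com") as the documented value and present "https://" as the broad option, if it is mentioned at all. The `tomcatAuthentication="false"` step makes Tomcat accept whatever user name arrives over AJP, so the text should say that the `address="127.0.0.1"` binding in the connector line is required, not incidental. Smaller points: `xwiki.cfg` normally lives in `WEB-INF/`, so please confirm the `WEB-INF/lib/xwiki.cfg` path; and fix "via by", "propperty", the lower-case "possible" after the full stop, and the "Xwiki"/"xwiki" spellings to "XWiki".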
XWiki.XWikiComments[7]
Date
... ... @@ -1,1 +1,1 @@
1 -2008-06-20 11:24:42.94
1 +2008-06-20 11:24:42.0
