What is the proper/cleanest way of setting up apache to support SSO using NTLM, or preferably Kerberos, with CentOS7 running sssd connected to an Active Directory domain controller?

With realmd, joining the domain is now really easy, but I was unable to get apache to work in an evening. It seems that Google is not well seeded with answers on this topic as of yet.

I have gotten SSO working with SSH using gssapi with putty. All I have done after a fresh install of CentOS 7 is run realm join --user=admin@domain.fqdn --computer-ou=OU=Servers and add default_domain_suffix to sssd.conf.

Morten Nilsen

1 Answer

You need to:

  1. Create a HTTP/hostname.fqdn@REALM.TEST service in FreeIPA
  2. Download HTTP service keytab on the web server with ipa-getkeytab and make it accessible to (only) apache
  3. Configure apache and mod_auth_kerb to secure some URI with Kerberos

See this example or this example. For more advanced integration between your Web service and SSSD, check the Web_App_Authentication article on FreeIPA.org.

Martin Kosek
  • I have never before even heard of FreeIPA, our domain is running Active Directory.. – Morten Nilsen Nov 05 '14 at 09:14
  • Doing the same procedure with ktpass on windows seems to have worked, but I do wish I could create a keytab that used the machine account rather than creating a service account in the directory.. – Morten Nilsen Nov 05 '14 at 17:01
  • This suddenly stopped working, and I was unable to get it to work again. Kerberos is always a major pita... I have been forced to go back to using NTLM now. – Morten Nilsen Nov 17 '14 at 17:50
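The three steps in the answer above, as an added example that is not part of the original post nor of the FreeIPA or mod_auth_kerb projects: a POSIX shell script that locks the keytab down to the Apache user and emits a mod_auth_kerb stanza protecting one URI with Negotiate only. The hostname web.domain.fqdn, realm DOMAIN.FQDN, keytab path /etc/httpd/http.keytab and the user name apache are assumed placeholders; the keytab itself is produced by ipa-getkeytab or, against Active Directory as in the comments, by ktpass.

```shell
#!/bin/sh
# Added example (hypothetical values): prepare the HTTP keytab for Apache and
# generate a mod_auth_kerb <Location> block. Assumed placeholders: keytab at
# /etc/httpd/http.keytab, Apache user "apache", realm DOMAIN.FQDN, host
# web.domain.fqdn.

# Step 2: make the keytab readable by the Apache user only. Prints the
# resulting octal mode so the caller can verify it.
secure_keytab() {
    keytab="$1"; owner="$2"
    [ -f "$keytab" ] || { echo "keytab $keytab missing" >&2; return 1; }
    chown "$owner" "$keytab" && chmod 0400 "$keytab" || return 1
    stat -c '%a' "$keytab"
}

# Step 3: emit the mod_auth_kerb stanza for one URI. Negotiate only, with the
# password fallback (KrbMethodK5Passwd) disabled so users never type their
# domain password into the web server; KrbVerifyKDC keeps the keytab check
# that defeats a spoofed KDC.
krb_location_conf() {
    uri="$1"; host="$2"; realm="$3"; keytab="$4"
    cat <<EOF
<Location "$uri">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms $realm
    KrbServiceName HTTP/$host
    Krb5KeyTab $keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbVerifyKDC On
    Require valid-user
</Location>
EOF
}

# Optional check (needs the krb5 workstation tools): confirm the keytab
# actually holds the HTTP/<host>@<REALM> principal Apache will use.
keytab_has_principal() {
    keytab="$1"; principal="$2"
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    klist -kt "$keytab" | grep -q "$principal"
}

# Usage (assumed paths), typically run as root after ipa-getkeytab/ktpass:
#   secure_keytab /etc/httpd/http.keytab apache
#   keytab_has_principal /etc/httpd/http.keytab HTTP/web.domain.fqdn@DOMAIN.FQDN
#   krb_location_conf /secure web.domain.fqdn DOMAIN.FQDN /etc/httpd/http.keytab \
#       > /etc/httpd/conf.d/krb-secure.conf
```

Restart httpd after writing the config and test with a browser that is configured to send Negotiate for the site; if the klist check fails, the principal name or realm in the keytab does not match what Apache requests.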