5 php apache kerberos single-sign-on
I am trying to set up Integrated Windows Authentication with Kerberos using Active Directory on Windows Server 2008. Everything works fine and I am able to get a Kerberos ticket on successful login. I am having trouble forwarding this ticket to the server where Apache is configured. When the ticket is forwarded, KRB5CCNAME is not set in the Apache/PHP environment variables.
My Kerberos configuration file (krb5.conf) is
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DIVAMI.COM
default_keytab_file = /etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DIVAMI.COM = {
kdc = meluha.divami.com:88
admin_server = meluha.divami.com:749
default_domain = divami.com
}
[domain_realm]
meluha.divami.com = DIVAMI.COM
divami.com = DIVAMI.COM
The Apache mod_auth_kerb configuration file (auth_kerb) is
<Location /perfmon>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DIVAMI.COM
Krb5KeyTab /etc/httpd/conf.d/apache.keytab
KrbSaveCredentials On
KrbServiceName HTTP/greenplum.divami.com
require valid-user
ErrorDocument 404 "No favicon"
</Location>
Browser configuration
Firefox
Set network.negotiate-auth.delegation-uris to greenplum.divami.com.
Set network.negotiate-auth.trusted-uris to greenplum.divami.com
IE
In Internet Explorer, select Tools > Internet Options.
In the Local Internet (Advanced) dialog box, enter all relative domain names that will be used on the intranet (e.g. greenplum.divami.com).
When I set KrbMethodK5Passwd to On, the browser prompts for a Kerberos username and password to obtain a valid credential ticket, and its cache location is set in the Apache/PHP environment variable KRB5CCNAME. Using this KRB5CCNAME variable, we can use the Kerberos ticket as an authentication credential.
When KrbMethodK5Passwd is Off, I get the following error messages.
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1278): [client 10.81.17.156] Acquiring creds for HTTP/greenplum.divami.com
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1707): [client 10.81.17.156] Client didn't delegate us their credential
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1726): [client 10.81.17.156] GSS-API token of length 180 bytes will be sent back
plum.divami.com/perfmon/login.php
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API , referer:http://greenplum.divami.com/perfmon/login.php
I don't know whether the browser is failing to pick up the Kerberos ticket, or whether the browser picks up the ticket but fails to set the cache location in KRB5CCNAME. Please help me resolve this.
per*_*o25 -1
Check your keytab file
cat apache.keytab
If you see plain text and no strange characters, your keytab was not generated correctly. It is probably something on the AD side.
A correct keytab should look like this,
cat httpd.keytab
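Eyeballing `cat` output for binary garbage is a weak test; a more reliable check is to parse the MIT keytab format and confirm that the expected service principal (and a sane encryption type, not rc4-hmac) is present without ever printing key material. The following Python is an added example, not code from the question or the answer; the function names are my own, and SAMPLE is a constructed keytab for the question's HTTP/greenplum.divami.com@DIVAMI.COM principal with an all-zero placeholder key.

```python
import struct, time
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(data, off):          # uint16 length-prefixed string
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT v2 keytab into [(principal, kvno, enctype_name), ...].
    Key bytes are skipped and never returned, so the result is safe to log."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab: magic bytes missing (text file?)")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        _ntype, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                  # skip name_type, timestamp, vno8, key
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        kvno = vno32 or vno8              # optional 32-bit kvno overrides vno8 when nonzero
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(enctype, str(enctype))))
        off = end
    return entries

def build_entry(principal, kvno, enctype, key):   # serialiser, used only to build the sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, int(time.time()), kvno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: the question's service principal with an all-zero placeholder key
SAMPLE = b"\x05\x02" + build_entry("HTTP/greenplum.divami.com@DIVAMI.COM", 3, 18, bytes(32))

def check_keytab(data, principal="HTTP/greenplum.divami.com@DIVAMI.COM"):
    return any(p == principal for p, _, _ in parse_keytab(data))   # parses and carries the SPN
```

Run `check_keytab(open("/etc/httpd/conf.d/apache.keytab", "rb").read())` on the real file; a ValueError means the file is not a keytab at all, and a False return means the principal in Krb5KeyTab does not match KrbServiceName.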