LDAP - Kerberos Setup on Apache with Wordpress Single Sign-On not working
We had a local network setup with Active Directory. We developed a website which will be hosted and accessible only from the local network. If a user is already logged in to Active Directory on the OS, we would like the user to be automatically signed in to our Wordpress website as soon as they visit it.
When following the documentation alone we were still facing issues which we found very difficult to fix, and it took us a lot of time to get such a setup working successfully. Some of the errors were:
The answer will list all the issues that we faced and how we managed to tackle them, in case someone faces the same problems when setting this up.
Create Keytab file on the Active Directory Domain Controller
ktpass -princ HTTP/intranet.domain.com@DOMAIN.COM -pass "{PASSWORD}" -mapuser username@DOMAIN.COM -Ptype KRB5_NT_PRINCIPAL -out website-auth.keytab
We stored it at /etc/httpd/kerberos-credentials/website-auth.keytab
Install Kerberos Client Libraries On The Web Server:
Configure the Active Directory domain in the Kerberos Configuration file
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = DOMAIN.COM
default_tkt_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
default_tgs_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
[realms]
DOMAIN.COM = {
admin_server = DOMAIN.COM
kdc = DOMAIN.COM
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = true
Install the auth_kerb module for Apache
Configure Kerberos SSO for the site directory
LoadModule auth_kerb_module /usr/lib64/httpd/modules/mod_auth_kerb.so
<Directory "/var/www/html">
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "username used in keytab"
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP/intranet.domain.com@DOMAIN.COM
Krb5Keytab /etc/httpd/kerberos-credentials/website-auth.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC On
require valid-user
</Directory>
Check httpd_can_network_connect on apache
After some research we noticed that we needed to enable the httpd_can_network_connect setting on the apache server. To do so run:
getsebool -a | grep httpd : it was returning httpd_can_network_connect --> off
setsebool -P httpd_can_network_connect on : Enabled the setting
Add wordpress website to local intranet on OS
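Added example, not part of the question or answer above: a small Python checker that parses an MIT v0x0502 keytab (the format ktpass produces) offline, confirms it holds a key for the KrbServiceName used in the Apache config, and flags the weak des and arcfour enctypes that the krb5.conf above still permits. The keytab bytes are constructed inside the script rather than taken from a real file; the SPN is the one used in the answer.

```python
import struct
# IANA Kerberos enctype numbers; single-DES and RC4 (arcfour) are the weak ones.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

def _counted(buf, pos):  # keytab counted_octet_string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] from MIT keytab v0x0502 bytes."""
    if data[:2] != b"\x05\x02": raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot to skip
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        # uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype, then the key
        _nametype, _stamp, kvno8, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else kvno8  # 32-bit kvno if present
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(etype, f"etype-{etype}")))
        pos = end
    return entries

def check_keytab(data, service_name):
    """Does the keytab hold a key for KrbServiceName, and which enctypes in it are weak?"""
    entries = parse_keytab(data)
    return {"has_service_key": any(e[0] == service_name for e in entries),
            "weak_enctypes": sorted({e[2] for e in entries if e[2] in WEAK})}

def build_entry(principal, kvno, etype, key):
    """Serialise one keytab entry; used only to construct the demo keytab below."""
    cstr = lambda b: struct.pack(">H", len(b)) + b
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cstr(realm.encode()) + b"".join(cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/intranet.domain.com@DOMAIN.COM"  # KrbServiceName from the Apache config
# Constructed demo keytab: an AES-256 key and an RC4 key for the same SPN, both kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 3, 18, b"\x11" * 32) + build_entry(SPN, 3, 23, b"\x22" * 16)
```

Run `check_keytab(open("/etc/httpd/kerberos-credentials/website-auth.keytab", "rb").read(), SPN)` against the real file to confirm the principal matches KrbServiceName and to see which weak enctypes can be dropped from krb5.conf.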