Warning: LikeWise modifies many configuration files and its uninstall routine does not replace these. Installing LikeWise and then uninstalling again will likely cause you to lose the ability to log back in to your machine. Treat modifying authentication systems with the utmost care.
The RPM download still uses a script so you will need to add execute permissions.
chmod a+x LikewiseIdentityServiceOpen-5.1.0.5220-linux-x86_64-rpm.sh
./LikewiseIdentityServiceOpen-5.1.0.5220-linux-x86_64-rpm.sh
The package steps you through the installation program. You will need to accept the license as there are actually several packages, covered under various licenses, that need to be installed to support LikeWise. If you are installing on an AMD64 platform then you will be questioned as to whether or not you want to install 32-bit support libraries. Unless you really know what you need just select the “auto” option. After that, the installation will take care of itself.
If you use SELinux, as you should, you will need to switch it to permissive mode while you carry out the configuration.
setenforce Permissive
Then we can join the Linux machine to the Active Directory domain.
/opt/likewise/bin/domainjoin-cli join exampledomain.com domainadminuser
At this point basic authentication is already working. You will need to make some changes to your setup if you have existing accounts as well, but we can address that later.
Test your login:
ssh -l exampledomain\\username linuxhostname
Once you are all set do not forget to turn SELinux back on.
setenforce Enforcing
The big caveat with using LikeWise Open for your Unix to AD integration needs is that there is no Windows to UNIX GID/UID mapping so your UNIX (Linux, Solaris, Mac OSX, etc.) machines are stuck using Windows IDs. This is not necessarily the end of the world depending on your environmental needs but it can be quite a pain if you are introducing AD into a large, established Unix environment. LikeWise Enterprise does not suffer from this limitation, but it is obviously not free.
In addition to using Kerberos for secure authentication, we are also switching from plain HTTP as our transport to HTTP over SSL. Be aware that after applying the Apache configuration file here you will need to access your Subversion directory with HTTPS rather than HTTP and that, unless otherwise configured, you will need to open your firewall both locally and remotely to allow port 443 traffic instead of (or in addition to) port 80 traffic.
Installing Necessary Components
As with anything else in the Red Hat world, most of the heavy lifting is done by our friends at Red Hat engineering and we just need to leverage what they have already done for us. We need to install the module for SSL transport and Kerberos authentication in Apache:
yum -y install mod_auth_kerb
This will automatically install the file /etc/httpd/conf.d/auth_kerb.conf which will take care of loading the Kerberos module into Apache and will provide a sample configuration if you want to learn more about Kerberos authentication in Apache.
Setting Up the Apache KeyTab File
Now we need to set up our Apache to Kerberos authentication table. The Red Hat standard for this file is to be located at /etc/httpd/conf/keytab although you control its location through your Apache configuration. We will not deviate from the standard here.
This file needs to contain the web server's HTTP service principal:
echo HTTP/[email protected] >> /etc/httpd/conf/keytab
chown apache:apache /etc/httpd/conf/keytab
Setting Access Control
The traditional examples will generally tell you to use the .htaccess file to manage your authentication mechanisms. For most cases it is better to avoid the use of the .htaccess file and to switch to configuring these details within your <Location> section in your Apache configuration files. This is better for performance reasons as well as for ease of security management. Now you only need to worry about specifying your security information in a single location and Apache need not traverse the entire directory structure seeking out .htaccess files for each access attempt.
I use the file /etc/httpd/conf.d/subversion.conf for the configuration of my Subversion repository. Here are its contents:
<Location /svn>
DAV svn
SVNPath /var/projects/svn/
AuthName "Active Directory Login"
AuthType Kerberos
Krb5Keytab /etc/httpd/conf/keytab
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate Off
KrbSaveCredentials off
KrbVerifyKDC off
Require valid-user
SSLRequireSSL
</Location>
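As an added example (not part of the original post), the following POSIX shell script audits a <Location> block like the one above: it flags KrbVerifyKDC off, which leaves the KDC unverified against the server's keytab, notes that KrbMethodNegotiate Off means clients send their AD password to Apache over Basic auth, and checks that SSLRequireSSL is present. The sample configurations it writes are constructed here; the directive names are mod_auth_kerb's own.

```sh
#!/bin/sh
# Added example (not from the original post): audit a mod_auth_kerb <Location>
# block for the settings discussed above. The sample configs are constructed here.
# The post's /svn block, written to the path given as $1.
write_sample_config() {
    cat > "$1" <<'EOF'
<Location /svn>
  AuthType Kerberos
  Krb5Keytab /etc/httpd/conf/keytab
  KrbAuthRealm EXAMPLE.COM
  KrbMethodNegotiate Off
  KrbVerifyKDC off
  Require valid-user
  SSLRequireSSL
</Location>
EOF
}

# Same block with KDC verification and SPNEGO ticket authentication enabled.
write_hardened_config() {
    write_sample_config "$1"
    sed -e 's/^\([[:space:]]*KrbMethodNegotiate\) .*/\1 On/' \
        -e 's/^\([[:space:]]*KrbVerifyKDC\) .*/\1 on/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# directive_is FILE NAME VALUE: true when NAME is set to VALUE (case-insensitive).
directive_is() {
    tr 'A-Z' 'a-z' < "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$"
}

# audit_location FILE: prints one finding per line; always returns 0.
audit_location() {
    # Off: Apache never checks that the issuing KDC holds the key in its keytab,
    # so a rogue KDC could mint tickets the server would accept (KDC spoofing).
    if directive_is "$1" krbverifykdc off; then
        echo "KrbVerifyKDC off: KDC is not verified against the server keytab"
    fi
    # Off: no ticket-based SPNEGO, so clients fall back to Basic auth and send
    # the AD password to Apache (KrbMethodK5Passwd); TLS is then mandatory.
    if directive_is "$1" krbmethodnegotiate off; then
        echo "KrbMethodNegotiate off: AD passwords reach Apache via Basic auth"
    fi
    if ! tr 'A-Z' 'a-z' < "$1" | grep -Eq '^[[:space:]]*sslrequiressl[[:space:]]*$'; then
        echo "SSLRequireSSL missing: credentials could traverse plain HTTP"
    fi
}
count_findings() { audit_location "$1" | awk 'END { print NR }'; }  # 0 = passes
tmp=$(mktemp); write_sample_config "$tmp"; audit_location "$tmp"   # two findings
write_hardened_config "$tmp"; audit_location "$tmp"; rm -f "$tmp"  # prints nothing
```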
Configuration of Kerberos
Kerberos is configured in Red Hat Linux in the /etc/krb5.conf file. Obviously replace EXAMPLE.COM and ad.example.com with the name of your Domain and your KDC. This file should have been created for you using almost exactly these settings by the RPM installer so there is very little here that needs to be changed.
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = ad.example.com:88
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Enable HTTPS Access Through Firewall
Use the Red Hat management tool to enable HTTPS connection through your host firewall.
system-config-securitylevel-tui
Restart Apache
Now, all that we need to do is to restart the web server to have it pick up the changes that we have made and voila, Kerberos authentication to Active Directory should be working.
/etc/init.d/httpd restart
Testing Your Connection
In order to test your connection you can use a web browser or use the Subversion command line client as below:
svn list https://localhost/svn/
Error Notes:
If you set KrbMethodNegotiate On then, in my experience, you will see Firefox work just fine but Internet Explorer (IE) and Chrome will fail with a 500 error. In the logs I discovered the following entry:
gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 213)
References:
Providing Active Directory Authentication via Kerberos Protocol in Apache by Alex Yu, MVP, Microsoft Support