Welcome to DevFuse Forums
[IPS] Kerberos Login Authentication


#1 News Bot

Posted 23 February 2013 - 06:09 PM

Introduction

The Kerberos Loginauth method allows you to authenticate your users against an external Kerberos server (such as Active Directory) in cases where LDAP may not be available.

Requirements

A working Kerberos installation must be present on your server. The Ubuntu package name for this is krb5-user. You must also install the development libraries in order to compile the krb5 extension for PHP. You can verify your Kerberos installation by running the "kinit" command.

This loginauth module requires the PHP krb5 extension, which may be downloaded at http://svn.php.net/r...cl/krb5/trunk/. To download and install the extension on Linux, follow these steps:
  1. run svn checkout http://svn.php.net/r...ecl/krb5/trunk/
  2. change directory to where the files downloaded
  3. run phpize
  4. run ./configure
  5. run make && make install

Installation/Uninstallation

To install, extract the .zip file into your IPB install. The module's directory structure is already present inside the zip file, so it should be placed in the correct location automatically. To verify this, check that you see a directory named 'krb5' in your admin/sources/loginauth directory.

Once present, navigate to your Admin CP -> System -> Tools & Settings -> Log In Management and click the Install icon next to "Kerberos."

To uninstall, navigate to your Admin CP -> System -> Tools & Settings -> Log In Management and select Uninstall from the dropdown next to "Kerberos."

Configuration

Configuring Kerberos authentication is done via two separate methods: the configuration pane in the Admin CP and a krb5.conf file. Regardless of configuration, local database authentication to the Admin CP is always allowed, to ensure that in the event of misconfiguration an admin can log in and fix the issues.

Admin CP

There are many configuration options available in the Admin CP. You can access these by clicking the gear icon next to the "Kerberos" method in Log In Management.
  • Kerberos Default Authentication Realm - This is the realm (aka domain) that you are authenticating against if one is not specified by the user when logging in. This usually must be ALL UPPERCASE in order for Kerberos to recognize it. This configuration option is REQUIRED and must be specified.
  • User Can Specify Alternative Realms - If "Yes", a user may log into a realm other than the default realm above by passing username@REALM as their username. These realms still need to be configured in the krb5.conf file. If "No", the default realm specified above is automatically appended to the username and any realm the user specifies is stripped out.
  • Use Alternative Configuration File - If "Yes", the alternative configuration file below will be used to get KDC and realm information; otherwise the system default (usually /etc/krb5.conf) will be used. Make sure to specify a full path to the file: if the file does not exist or is not readable, all logins will fail.
  • Alternative Configuration File - Specifies the path to the alternative configuration file. You may wish to copy your system's krb5.conf and modify it from there. This should be a full path to the file and the file must be readable. If this is specified and "Use Alternative Configuration File" is "Yes", the default configuration file will be ignored and this one used in its place.
  • Require Local User - Requires that a local user with the same username already exist before allowing Kerberos logins. This is useful in scenarios where you only wish for certain people to be able to log in (on a whitelist basis). If this is "Yes", an admin must first create a local user account for each user before they may log in with their Kerberos credentials.
  • Email Address Pattern - What to set as the e-mail address when creating a new local account. Leave this blank to force the user to type in an email address when they first log in. The following variables are replaced in the pattern:
      • {USERNAME} - Username
      • {REALM} - Authentication realm (lowercase)
    For example, if this was "{USERNAME}@mail.{REALM}" and a user logged in as username@MYDOMAIN.COM, this would set their email address when creating their local account to "username@mail.mydomain.com". This setting only applies when creating a NEW local user account; it will not adjust the email address of an existing account.
  • Update Local Password - Upon successful Kerberos login, should we update the user's local password to match? If set to "Yes", the password stored in the local database is updated to match the password used to log into Kerberos. If "No", the password in the local database is not modified.

krb5.conf

You may either use the system's krb5.conf file (usually located at /etc/krb5.conf) or specify your own via the configuration in the Admin CP. The krb5.conf file must specify which realms you are allowing users to log in with, as well as the Key Distribution Centers (KDCs) for those realms. The syntax and configuration of krb5.conf is beyond the scope of this readme, and many good guides exist on the internet.

Bugs/Feedback

Please report all bugs and feedback to the thread in the IPS Marketplace.
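The realm rules and the Email Address Pattern described above, as an added PHP example that is not the module's own code: the krb5.conf fragment, realm names and KDC hostnames are constructed placeholders, and the function names are assumptions made for the illustration.

```php
<?php
// Added illustration, not the module's own code: how "Kerberos Default Authentication
// Realm", "User Can Specify Alternative Realms" and "Email Address Pattern" shape the
// principal sent to Kerberos, plus a check that the realm is declared in krb5.conf [realms].

// Constructed krb5.conf fragment; realm and KDC names are placeholders, not real hosts.
const SAMPLE_KRB5_CONF = <<<'CONF'
[libdefaults]
    default_realm = MYDOMAIN.COM
[realms]
    MYDOMAIN.COM = {
        kdc = kdc1.mydomain.com
    }
    PARTNER.ORG = {
        kdc = kdc.partner.org
    }
CONF;
// Realm names declared in [realms]; a login resolving to any other realm has no KDC and fails.
function configuredRealms(string $conf): array {
    $realms = [];
    $inRealms = false;
    foreach (preg_split('/\R/', $conf) as $line) {
        $line = trim($line);
        if (preg_match('/^\[(\w+)\]$/', $line, $m)) { $inRealms = ($m[1] === 'realms'); continue; }
        if ($inRealms && preg_match('/^([A-Za-z0-9.\-]+)\s*=\s*\{/', $line, $m)) { $realms[] = $m[1]; }
    }
    return $realms;
}
// Principal handed to Kerberos. $allowAltRealm false: any realm the user typed is stripped
// and the default realm appended; true: the typed realm is used (and must be configured).
function resolvePrincipal(string $login, string $defaultRealm, bool $allowAltRealm, array $realms): ?array {
    [$user, $typed] = array_pad(explode('@', $login, 2), 2, '');
    $realm = ($allowAltRealm && $typed !== '') ? $typed : $defaultRealm;
    if ($user === '' || !in_array($realm, $realms, true)) {
        return null; // reject before contacting any KDC
    }
    return ['user' => $user, 'realm' => $realm, 'principal' => "$user@$realm"];
}
// Email for a NEW local account; a blank pattern means the user is asked on first login.
function emailFromPattern(string $pattern, string $user, string $realm): ?string {
    if ($pattern === '') { return null; }
    return str_replace(['{USERNAME}', '{REALM}'], [$user, strtolower($realm)], $pattern);
}
$realms = configuredRealms(SAMPLE_KRB5_CONF);
foreach ([true, false] as $allowAlt) {
    $p = resolvePrincipal('username@PARTNER.ORG', 'MYDOMAIN.COM', $allowAlt, $realms);
    printf("alt=%d principal=%s email=%s\n", $allowAlt, $p['principal'],
        emailFromPattern('{USERNAME}@mail.{REALM}', $p['user'], $p['realm']));
}
```

The loop shows the same login resolved both ways: with alternative realms allowed the typed realm is kept, and with them disallowed it is replaced by the default realm before the principal ever reaches Kerberos.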
