多个 Active Directory 域的 SSO 身份验证
SSO Authentication for multi Active Directory domains
有一台 Nginx 服务器，已通过 krb5 和 spnego-http-auth-nginx-module 配置为对单个域进行 SSO 身份验证。
如何配置双域身份验证?
解决方案最好只使用 Nginx 而不依赖 Apache（如果可行）。
配置来源:
- /etc/krb5.conf
# Single-realm MIT krb5 configuration (state before the change).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Do not use reverse DNS when canonicalizing service hostnames.
rdns = false
# Realm assumed for principal names that carry none; this is what ties the
# host to a single AD domain in the original setup.
default_realm = DOMAIN.TEST
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.TEST = {
kdc = domain.test
admin_server = domain.test
}
# Host-name suffix -> realm mapping, consulted when a client resolves which
# realm a service belongs to.
[domain_realm]
.test.local = DOMAIN.TEST
test.local = DOMAIN.TEST
- /etc/nginx/conf.d/django.conf
# Single-realm SSO vhost (state before the change).
# NOTE(review): this block listens on plain HTTP while
# auth_gss_allow_basic_fallback is on, so a client that cannot do SPNEGO
# sends its AD username/password base64-encoded over the wire. Keep the
# fallback off until the server block is served over TLS.
server {
listen 80;
server_name django.test.local;
access_log /var/log/nginx/host.access.log main;
location / {
try_files $uri @backend;
# Negotiate (Kerberos) authentication via spnego-http-auth-nginx-module.
auth_gss on;
auth_gss_realm DOMAIN.TEST;
# The keytab holds the HTTP service keys: make it readable by the nginx
# worker user and by nobody else.
auth_gss_keytab /etc/krb5.keytab;
auth_gss_service_name HTTP/django.test.local;
auth_gss_allow_basic_fallback on;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The authenticated principal reaches the backend only as this header, so
# the backend must be reachable solely through this proxy (bind it to
# loopback / firewall port 8000); a request that bypasses nginx would
# otherwise be free to supply any value here.
proxy_set_header X-Forwarded-User $remote_user;
proxy_redirect off;
proxy_pass http://0.0.0.0:8000;
}
}
- 合并域密钥表文件(source)
ktutil
read_kt domain1.keytab
read_kt domain2.keytab
write_kt /etc/krb5_multidomain.keytab
quit
- 编辑/etc/krb5.conf
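# krb5.conf for two AD realms.
# In MIT krb5's profile parser a comment is recognized only when '#' or ';'
# is the first non-blank character of a line, and a realm subsection opens
# only when '{' is the last thing on its line. The original's inline
# "# append string" markers would therefore become part of the values and
# break the [realms] section, so they are moved onto their own lines here.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm is intentionally left unset: with two realms the acceptor
# must not assume one; the realm travels in the client's ticket (and, with
# auth_gss_format_full in the nginx config, reaches the backend as part of
# the user name).
# default_realm = DOMAIN.TEST
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.TEST = {
  kdc = domain.test
  admin_server = domain.test
 }
# appended: second realm
 DOMAIN2.TEST = {
  kdc = domain2.test
  admin_server = domain2.test
 }

[domain_realm]
 .test.local = DOMAIN.TEST
 test.local = DOMAIN.TEST
# appended: second realm.
# NOTE(review): the same host suffix now maps to two realms. A client
# resolving a service's realm takes the first match, so these two entries
# are presumably never consulted -- confirm they are needed; the nginx
# acceptor itself keys on the merged keytab, not on this section.
 .test.local = DOMAIN2.TEST
 test.local = DOMAIN2.TEST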
- 编辑/etc/nginx/conf.d/django.conf
# Two-realm SSO vhost (state after the change).
# NOTE(review): the block still listens on plain HTTP while
# auth_gss_allow_basic_fallback is on, so a client that cannot do SPNEGO
# sends its AD username/password base64-encoded over the wire. Keep the
# fallback off until the server block is served over TLS.
server {
listen 80;
server_name django.test.local;
access_log /var/log/nginx/host.access.log main;
location / {
try_files $uri @backend;
auth_gss on;
# Realm no longer pinned: presumably the module now accepts any principal
# whose key is present in the merged keytab -- verify against the module
# version in use.
# auth_gss_realm DOMAIN.TEST;
# appended: report the principal as user@REALM so the backend can tell the
# two domains apart (the same short name may exist in both).
auth_gss_format_full on; # append string
# changed: merged keytab produced by ktutil above. It holds the HTTP service
# keys of both domains: make it readable by the nginx worker user and by
# nobody else.
auth_gss_keytab /etc/krb5_multidomain.keytab; # change string
auth_gss_service_name HTTP/django.test.local;
auth_gss_allow_basic_fallback on;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The authenticated principal reaches the backend only as this header, so
# the backend must be reachable solely through this proxy (bind it to
# loopback / firewall port 8000); a request that bypasses nginx would
# otherwise be free to supply any value here. With auth_gss_format_full the
# backend must also be prepared for a realm suffix in the value.
proxy_set_header X-Forwarded-User $remote_user;
proxy_redirect off;
proxy_pass http://0.0.0.0:8000;
}
}
有一台 Nginx 服务器，已通过 krb5 和 spnego-http-auth-nginx-module 配置为对单个域进行 SSO 身份验证。
如何配置双域身份验证?
解决方案最好只使用 Nginx 而不依赖 Apache（如果可行）。
配置来源:
- /etc/krb5.conf
# Single-realm MIT krb5 configuration (state before the change).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Do not use reverse DNS when canonicalizing service hostnames.
rdns = false
# Realm assumed for principal names that carry none; this is what ties the
# host to a single AD domain in the original setup.
default_realm = DOMAIN.TEST
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.TEST = {
kdc = domain.test
admin_server = domain.test
}
# Host-name suffix -> realm mapping, consulted when a client resolves which
# realm a service belongs to.
[domain_realm]
.test.local = DOMAIN.TEST
test.local = DOMAIN.TEST
- /etc/nginx/conf.d/django.conf
# Single-realm SSO vhost (state before the change).
# NOTE(review): this block listens on plain HTTP while
# auth_gss_allow_basic_fallback is on, so a client that cannot do SPNEGO
# sends its AD username/password base64-encoded over the wire. Keep the
# fallback off until the server block is served over TLS.
server {
listen 80;
server_name django.test.local;
access_log /var/log/nginx/host.access.log main;
location / {
try_files $uri @backend;
# Negotiate (Kerberos) authentication via spnego-http-auth-nginx-module.
auth_gss on;
auth_gss_realm DOMAIN.TEST;
# The keytab holds the HTTP service keys: make it readable by the nginx
# worker user and by nobody else.
auth_gss_keytab /etc/krb5.keytab;
auth_gss_service_name HTTP/django.test.local;
auth_gss_allow_basic_fallback on;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The authenticated principal reaches the backend only as this header, so
# the backend must be reachable solely through this proxy (bind it to
# loopback / firewall port 8000); a request that bypasses nginx would
# otherwise be free to supply any value here.
proxy_set_header X-Forwarded-User $remote_user;
proxy_redirect off;
proxy_pass http://0.0.0.0:8000;
}
}
- 合并域密钥表文件(source)
ktutil
read_kt domain1.keytab
read_kt domain2.keytab
write_kt /etc/krb5_multidomain.keytab
quit
- 编辑/etc/krb5.conf
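# krb5.conf for two AD realms.
# In MIT krb5's profile parser a comment is recognized only when '#' or ';'
# is the first non-blank character of a line, and a realm subsection opens
# only when '{' is the last thing on its line. The original's inline
# "# append string" markers would therefore become part of the values and
# break the [realms] section, so they are moved onto their own lines here.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm is intentionally left unset: with two realms the acceptor
# must not assume one; the realm travels in the client's ticket (and, with
# auth_gss_format_full in the nginx config, reaches the backend as part of
# the user name).
# default_realm = DOMAIN.TEST
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.TEST = {
  kdc = domain.test
  admin_server = domain.test
 }
# appended: second realm
 DOMAIN2.TEST = {
  kdc = domain2.test
  admin_server = domain2.test
 }

[domain_realm]
 .test.local = DOMAIN.TEST
 test.local = DOMAIN.TEST
# appended: second realm.
# NOTE(review): the same host suffix now maps to two realms. A client
# resolving a service's realm takes the first match, so these two entries
# are presumably never consulted -- confirm they are needed; the nginx
# acceptor itself keys on the merged keytab, not on this section.
 .test.local = DOMAIN2.TEST
 test.local = DOMAIN2.TEST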
- 编辑/etc/nginx/conf.d/django.conf
# Two-realm SSO vhost (state after the change).
# NOTE(review): the block still listens on plain HTTP while
# auth_gss_allow_basic_fallback is on, so a client that cannot do SPNEGO
# sends its AD username/password base64-encoded over the wire. Keep the
# fallback off until the server block is served over TLS.
server {
listen 80;
server_name django.test.local;
access_log /var/log/nginx/host.access.log main;
location / {
try_files $uri @backend;
auth_gss on;
# Realm no longer pinned: presumably the module now accepts any principal
# whose key is present in the merged keytab -- verify against the module
# version in use.
# auth_gss_realm DOMAIN.TEST;
# appended: report the principal as user@REALM so the backend can tell the
# two domains apart (the same short name may exist in both).
auth_gss_format_full on; # append string
# changed: merged keytab produced by ktutil above. It holds the HTTP service
# keys of both domains: make it readable by the nginx worker user and by
# nobody else.
auth_gss_keytab /etc/krb5_multidomain.keytab; # change string
auth_gss_service_name HTTP/django.test.local;
auth_gss_allow_basic_fallback on;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The authenticated principal reaches the backend only as this header, so
# the backend must be reachable solely through this proxy (bind it to
# loopback / firewall port 8000); a request that bypasses nginx would
# otherwise be free to supply any value here. With auth_gss_format_full the
# backend must also be prepared for a realm suffix in the value.
proxy_set_header X-Forwarded-User $remote_user;
proxy_redirect off;
proxy_pass http://0.0.0.0:8000;
}
}