多个 Active Directory 域的 SSO 身份验证

SSO Authentication for multi Active Directory domains

有一台 Nginx 服务器，使用 krb5spnego-http-auth-nginx-module 配置了针对单个域的 SSO 身份验证。

如何配置双域身份验证?

最好是只使用 Nginx、不依赖 Apache 的解决方案（如果有的话）。

原始配置:

# /etc/krb5.conf — single-realm configuration in use before the second
# domain was added. The nginx SPNEGO module reads this file to locate the
# realm/KDC and to interpret the keytab below.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 # rdns = false: do not use reverse DNS when canonicalizing host names
 # (reverse lookups are attacker-influenceable on untrusted networks)
 rdns = false
 # realm assumed for any principal or host given without an explicit realm
 default_realm = DOMAIN.TEST
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 # KDC and admin server are bare hostnames; resolution of domain.test must be
 # trustworthy, since that host is where tickets are issued and validated
 DOMAIN.TEST = {
  kdc = domain.test
  admin_server = domain.test
 }

[domain_realm]
 # map the test.local DNS domain and all of its subdomains onto DOMAIN.TEST
 .test.local = DOMAIN.TEST
 test.local = DOMAIN.TEST
server {
    # Single-realm vhost for the Django app. Every request under / has to pass
    # Kerberos/SPNEGO negotiation (auth_gss) before it is proxied upstream.
    listen       80;
    server_name  django.test.local;
    access_log  /var/log/nginx/host.access.log  main;

    location / {
        try_files $uri @backend;

        auth_gss on;
        auth_gss_realm DOMAIN.TEST;
        # the keytab holds the long-term key of the HTTP/ service principal;
        # keep it readable by the nginx worker user only
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP/django.test.local;
        # NOTE(review): with Basic fallback, a client that has no ticket sends
        # its username and password in the Authorization header. This vhost
        # listens on plain port 80, so that password travels in cleartext —
        # put the vhost behind TLS or set this to off.
        auth_gss_allow_basic_fallback on;
    }

    location @backend {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $remote_user is the identity established by auth_gss. The backend
        # trusts this header as-is, so the app on :8000 must only be reachable
        # through this proxy; a client that can reach it directly could set
        # X-Forwarded-User to any value.
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_redirect off;
        proxy_pass http://0.0.0.0:8000;
    }
}
# Merge the per-domain keytabs into one file so a single nginx acceptor can
# validate service tickets issued by either realm. The merged file carries the
# long-term keys of both domains: create it with restrictive ownership and mode
# (readable by the nginx worker user only) and remove the intermediate
# domain1/domain2 keytab copies once they are no longer needed.
# NOTE(review): ktutil's write_kt appends entries to an existing keytab rather
# than replacing it, so delete a stale /etc/krb5_multidomain.keytab before
# running this — confirm for the ktutil build in use.
ktutil
read_kt domain1.keytab
read_kt domain2.keytab
write_kt /etc/krb5_multidomain.keytab
quit
  • 编辑/etc/krb5.conf
# /etc/krb5.conf — two-realm variant. The trailing "# append string" /
# markers below are editorial annotations showing which lines were added;
# krb5.conf parsers generally do not strip inline comments (only lines that
# start with # or ;), so do not copy those markers into the real file.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 # default_realm is dropped so that no realm is silently assumed for
 # un-qualified names; the acceptor picks the realm from the ticket/keytab
 # instead. NOTE(review): client-side tools on this host (kinit etc.) may
 # need an explicit realm once this is unset — verify.
 # default_realm = DOMAIN.TEST
 # default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.TEST = {
  kdc = domain.test
  admin_server = domain.test
 }
 # second realm; both KDC hostnames must resolve to trusted hosts
 DOMAIN2.TEST = {               # append string
  kdc = domain2.test            # append string
  admin_server = domain2.test   # append string
 }                              # append string

[domain_realm]
 # NOTE(review): the same DNS domain is mapped to two realms here. A
 # domain_realm key can only resolve to one realm, so one of the two
 # mappings is ignored (which one depends on the library's duplicate-key
 # handling — confirm). For the server-side acceptor this section is not
 # what selects the keytab entry; only a single, consistent mapping should
 # be kept.
 .test.local = DOMAIN.TEST
 test.local = DOMAIN.TEST
 .test.local = DOMAIN2.TEST       # append string
 test.local = DOMAIN2.TEST        # append string
  • 编辑/etc/nginx/conf.d/django.conf
server {
    # Two-realm vhost: the realm is no longer pinned, and the merged keytab
    # lets auth_gss accept tickets from either domain.
    listen       80;
    server_name  django.test.local;
    access_log  /var/log/nginx/host.access.log  main;

    location / {
        try_files $uri @backend;        

        auth_gss on;
        # realm deliberately unset so both realms in the keytab are accepted
        # auth_gss_realm DOMAIN.TEST;
        # include the realm in the resulting user name (user@REALM). With two
        # domains this is what keeps same-named accounts from different realms
        # distinct downstream — the backend must expect that form.
        auth_gss_format_full on;                       # append string
        # merged keytab produced by ktutil; it contains long-term keys for
        # both realms, so restrict it to the nginx worker user
        auth_gss_keytab /etc/krb5_multidomain.keytab;  # change string
        auth_gss_service_name HTTP/django.test.local;
        # NOTE(review): Basic fallback sends username and password in the
        # Authorization header; on plain port 80 that is cleartext — serve
        # this over TLS or set it to off.
        auth_gss_allow_basic_fallback on;
    }

    location @backend {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # now carries user@REALM (see auth_gss_format_full). The backend trusts
        # this header, so the app on :8000 must not be reachable except via
        # this proxy; otherwise a client could supply X-Forwarded-User itself.
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_redirect off;
        proxy_pass http://0.0.0.0:8000;
    }
}