httpd-users mailing list archives

From Keith Kenneth <kedward...@gmail.com>
Subject [users@httpd] Question about apache kerberos usage with web applications.
Date Fri, 28 Aug 2015 18:05:02 GMT
Hello,

I am trying to understand the architecture for Apache Kerberos:

1. I have a commercial J2EE web application (JIRA) running on Tomcat
(https://app1.mycomp.com:7100/JIRA). JIRA allows Kerberos authentication.

2. I know I need to install Apache with auth_kerb_module (also on
https://app1.mycom.com:443)

3. We are using MS AD

4. I know I need to create a service principal for the Apache server and a
keytab file, then configure httpd.conf, etc.


QUESTION #1: Once I have the above in place, how does this all work in
terms of user function?

For instance:

A) The Windows client workstation will pull up a page on the Apache server
(https://app1.mycom.com:443/portal_jira.html ??) that references the JIRA
application, and the user clicks on the JIRA link.

B) The credentials of the user on the Windows client workstation are passed
to the Apache server for validation against AD, which then results in a
ticket sent back to the client workstation browser.

C) The ticket is then sent by the browser to the JIRA application
(https://app1.mycomp.com:7100/JIRA), which validates the ticket and allows the
user in ???


QUESTION #2

A) What would the Apache config look like given the above scenario?

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/mypubliccert.pem
SSLCertificateKeyFile /etc/pki/tls/private/privatekey.pem
ProxyPreserveHost On
ProxyRequests Off
ServerName app1.mycomp.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLProxyEngine On

    <Location />
        AuthType Kerberos
        AuthName "Jira Kerberos Auth"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms MYREALM
        Krb5KeyTab /etc/httpd/httpd.keytab
        KrbLocalUserMapping On
        require valid-user
        RequestHeader set X-Forwarded-User %{REMOTE_USER}s
    </Location>
</VirtualHost>





Thank you for ANY and ALL help!!

Ed
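
How a backend behind this proxy might consume the X-Forwarded-User header set in the configuration above, as an added example that is not part of the original message and is not JIRA's or Tomcat's code: the header is honoured only when the request arrives from the loopback proxy and carries exactly one plausible user name. The function name, the trusted-network list and the sample inputs in the comments are assumptions.

```python
import ipaddress

# Assumption: the only legitimate sender of the identity header is the Apache
# instance from the post, which reaches the backend over loopback
# (ProxyPass / http://localhost:8080/).
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]
IDENTITY_HEADER = "x-forwarded-user"  # header name from the posted config


def authenticated_user(peer_ip, headers):
    """Return the user name asserted by the proxy, or None if it is not trustworthy.

    peer_ip -- address of the TCP peer connected to the backend (not a header)
    headers -- list of (name, value) pairs as received, duplicates preserved
    """
    addr = ipaddress.ip_address(peer_ip)
    # Normalise IPv4-mapped IPv6 (::ffff:127.0.0.1) before the network check.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not any(addr in net for net in TRUSTED_PROXIES):
        # Request did not pass through Apache, so the header is client-controlled.
        return None

    values = [v.strip() for n, v in headers if n.lower() == IDENTITY_HEADER]
    if len(values) != 1:
        return None  # missing or duplicated identity header

    user = values[0]
    # mod_headers expands %{REMOTE_USER}s to the literal "(null)" when no user
    # was authenticated. With KrbLocalUserMapping On the realm is stripped, so
    # a value containing "@" is not what this configuration should produce.
    if not user or user == "(null)" or "@" in user:
        return None
    if any(c.isspace() for c in user):
        return None
    return user


if __name__ == "__main__":
    # Constructed sample requests.
    print(authenticated_user("127.0.0.1", [("X-Forwarded-User", "jdoe")]))
    print(authenticated_user("10.1.2.3", [("X-Forwarded-User", "admin")]))
```

The check only holds if the backend port is not reachable by anything other than the proxy, or if the peer address passed in is the real socket peer and not a value taken from another forwarded header.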
