Installing local wiki with Kerberos authentication
Our network
+---------+      +---------+      +---------+
|   DC    |      |  wiki   |      |         |
| Windows |      | Linux-  |      | User-PC |
|  2008   |      | server  |      | Windows |
+---------+      +---------+      +---------+
     |                |                |
     +----- LAN ------+----- LAN ------+
- We have a working Active Directory domain example.com
- We are going to install the PicoLisp wiki on the Linux server wiki.example.com
- Users' PCs run Windows and are joined to the AD domain
On the domain controller:
- create the domain user "HTTPwiki"
- run the following command in an elevated command prompt:
ktpass -princ HTTP/wiki.example.com@EXAMPLE.COM -mapuser HTTPwiki -crypto rc4-hmac-nt ^
    -pass "my-strong-password" -ptype KRB5_NT_PRINCIPAL -out C:\<path>\HTTPwiki.keytab
- securely move the HTTPwiki.keytab file to the Linux server
- enable Kerberos delegation for the user "HTTPwiki" in the Delegation tab.
Note that the Delegation tab is only accessible after step 2 (ktpass has mapped the SPN to the account).
On the Linux server (in our case Ubuntu 14.04 x64):
Prerequisites:
- Install gcc, ldap-utils, sasl2-bin, libsasl2-modules-gssapi-mit, krb5-user, libkrb5-dev
- Install the latest picolisp.tgz. We assume that PicoLisp is installed in /opt/picoLisp and made global (see INSTALL in the PicoLisp sources)
- Check your Kerberos setup (DNS name, time synchronization, krb5.conf)
#!/bin/sh
set -e  # abort on the first failing command
# install socialshareprivacy library into your PicoLisp installation
wget http://software-lab.de/socialshareprivacy.tgz
tar xzf socialshareprivacy.tgz -C /opt/picoLisp
apt-get install -y libjs-jquery  # required for socialshareprivacy
# create local user "wiki" and download wiki sources
useradd -d /home/wiki -m wiki
mkdir /home/wiki/log
wget http://software-lab.de/wiki.tgz
tar xzf wiki.tgz -C /home/wiki
# download kerbauth library from http://picolisp.com/wiki/?KerbAuth page:
# Please check actual link on the page!
# -O saves the download under the name tar expects below
# (without it wget would name the file "!download?-A301")
wget -O kerbauth.tgz 'http://picolisp.com/wiki/!download?-A301'
tar xzf kerbauth.tgz -C /home/wiki
# create httpgate startup script and config file for httpgate
cat << 'EOF' > /etc/init.d/httpgate
#!/bin/sh
#
# chkconfig: 35 90 10
# description: httpgate
#
case "$1" in
    start)
        echo "Starting httpGate ..."
        /usr/lib/picolisp/bin/httpGate 80 /home/wiki/httpgate.conf
        ;;
    stop)
        echo "Stopping httpGate ..."
        killall httpGate
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
exit 0
EOF
chmod +x /etc/init.d/httpgate  # update-rc.d and service need an executable script
# one line per application: name port user home log cmd
cat << 'EOF' > /home/wiki/httpgate.conf
wiki 5000 wiki /home/wiki log/wiki /usr/bin/pil wiki/main.l @lib/app.l kerbauth/kerbauth.l -main -go -wait
EOF
update-rc.d httpgate defaults
chown -R wiki:wiki /home/wiki
service httpgate start
Change these lines at the beginning of /home/wiki/kerbauth/kerbauth.l according to your setup:
(setq *KrbSPN "HTTP/wiki.example.com@EXAMPLE.COM")
(sys "KRB5_KTNAME" "/home/wiki/HTTPwiki.keytab")
Check the path in the KRB5_KTNAME line.
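The prerequisites above say to check the Kerberos setup (DNS name, time synchronization, krb5.conf) and the keytab path, but give no procedure for it. The following pre-flight script is an added example, not part of the original page or of the kerbauth library. It assumes the SPN, keytab path and service user from this page (all overridable through environment variables) and the klist/kinit tools from the krb5-user package already listed as a prerequisite; the function and variable names are the example's own.

```shell
#!/bin/sh
# Pre-flight checks for the wiki's Kerberos service principal (added example).
# Assumed defaults match the values used in this page; override via environment.
KEYTAB="${KEYTAB:-/home/wiki/HTTPwiki.keytab}"
SPN="${SPN:-HTTP/wiki.example.com@EXAMPLE.COM}"
SVC_USER="${SVC_USER:-wiki}"

# SPN a browser requests for a host is HTTP/<fqdn>@<REALM>, where the realm is
# conventionally the upper-cased DNS domain of the host.
expected_spn() {
    fqdn="$1"
    realm=$(printf '%s' "$fqdn" | cut -d. -f2- | tr '[:lower:]' '[:upper:]')
    printf 'HTTP/%s@%s' "$fqdn" "$realm"
}

# The keytab is a long-term key: it must exist, belong to the service user
# and be readable by that user only (mode 600 or 400).
keytab_perms_ok() {
    f="$1"; owner="$2"
    [ -f "$f" ] || return 1
    [ "$(stat -c %U "$f")" = "$owner" ] || return 1
    mode=$(stat -c %a "$f")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Does the keytab contain the SPN the browser will ask for?
keytab_has_spn() {
    klist -kt "$1" 2>/dev/null | grep -q -F "$2"
}

# Obtaining a ticket with the keytab proves the key, kvno and clock agree with AD.
keytab_kinit_ok() {
    KRB5CCNAME=$(mktemp); export KRB5CCNAME
    kinit -k -t "$1" "$2" >/dev/null 2>&1
    rc=$?
    kdestroy >/dev/null 2>&1; rm -f "$KRB5CCNAME"
    return $rc
}

# Forward lookup must resolve and the reverse lookup must map back to the same
# name, otherwise the client may canonicalise to a different SPN.
dns_ok() {
    host="$1"
    ip=$(getent hosts "$host" | awk '{print $1; exit}')
    [ -n "$ip" ] || return 1
    rev=$(getent hosts "$ip" | awk '{print $2; exit}')
    [ "$rev" = "$host" ]
}

run_checks() {
    host=${SPN#HTTP/}; host=${host%@*}
    [ "$(expected_spn "$host")" = "$SPN" ] || echo "WARN: realm of $SPN differs from DNS domain of $host"
    keytab_perms_ok "$KEYTAB" "$SVC_USER" || echo "FAIL: $KEYTAB must be owned by $SVC_USER with mode 600"
    keytab_has_spn "$KEYTAB" "$SPN" || echo "FAIL: $SPN not found in $KEYTAB (see klist -kte)"
    keytab_kinit_ok "$KEYTAB" "$SPN" || echo "FAIL: kinit with $KEYTAB failed (wrong password/kvno, or clock skew?)"
    dns_ok "$host" || echo "FAIL: forward/reverse DNS mismatch for $host"
    # Kerberos rejects tickets beyond 5 minutes of clock skew by default.
    if command -v ntpq >/dev/null 2>&1; then
        ntpq -pn 2>/dev/null | grep -q '^\*' || echo "WARN: ntpd has no selected time source"
    else
        echo "WARN: ntpq not installed; verify clock sync against the DC manually"
    fi
}

# Live checks only run when invoked as:  sh kerb-preflight.sh run
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it on the Linux server after the keytab has been copied into place; every FAIL line names the step of this page to revisit. klist -kte additionally shows the encryption type of each entry, so you can confirm that the keytab produced by the ktpass command above contains the rc4-hmac (arcfour-hmac) key the command requested.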
In the user's browser, e.g. in Mozilla Firefox:
- go to the page about:config
- enter "network.negotiate-auth" in the search field
- set "network.negotiate-auth.trusted-uris" to ".example.com"
- set "network.negotiate-auth.delegation-uris" to ".example.com"
The Kerbauth library provides the necessary patches for the wiki engine, so there is no need to change anything in the wiki manually. An additional link "Domain log in" will appear on the main page under the "Log in" link. Click on it and you will be authenticated with your domain account. A new user is added to the database on first login, and the 'cn and 'mail fields are fetched from Active Directory via LDAP.
Note that you can install multiple PicoLisp applications on different ports and point httpGate to them using httpgate.conf (lines should be sorted via bin/balance -sort).
Example: multiple applications in httpgate.conf
# name port user home log cmd
# default application (possibly a redirector to other applications
# if your server has multiple DNS CNAMEs)
@ 65000 user1 /home/user1 log/app /usr/bin/pil app/main.l @lib/app.l -main -go -wait
# other app
app2 5001 user2 /home/user2 log/app /usr/bin/pil app/main.l @lib/app.l -main -go -wait
# wiki
wiki 5000 wiki /home/wiki log/wiki /usr/bin/pil wiki/main.l @lib/app.l kerbauth/kerbauth.l -main -go -wait
http://picolisp.com/wiki/?localwikikerberos
15apr15 | m_mans