Installing local wiki with Kerberos authentication

Our network

+---------+      +---------+      +---------+
|   DC    |      |  wiki   |      |         |
| Windows |      | Linux-  |      | User-PC |
|  2008   |      | server  |      | Windows |
+---------+      +---------+      +---------+
     |                |                |
     +----- LAN ------+----- LAN ------+

On the domain controller:

  1. create the domain user "HTTPwiki"
  2. run the following command in an elevated command prompt:
    ktpass -princ HTTP/wiki.example.com@EXAMPLE.COM -mapuser HTTPwiki -crypto rc4-hmac-nt ^
    -pass "my-strong-password" -ptype KRB5_NT_PRINCIPAL -out C:\<path>\HTTPwiki.keytab
  3. securely move the HTTPwiki.keytab file to the Linux server
  4. enable Kerberos delegation for the user "HTTPwiki" on the Delegation tab.
    Note that the Delegation tab is only available after step 2

On the Linux server (in our case Ubuntu 14.04 x64):

Prerequisites: install script (run as root)
#!/bin/sh

# install socialshareprivacy library into your PicoLisp installation
wget http://software-lab.de/socialshareprivacy.tgz
tar xzf socialshareprivacy.tgz -C /opt/picoLisp
apt-get install libjs-jquery # required for socialshareprivacy

# create local user "wiki" and download wiki sources
useradd -d /home/wiki -m wiki
mkdir /home/wiki/log
wget http://software-lab.de/wiki.tgz
tar xzf wiki.tgz -C /home/wiki

# download the kerbauth library from the http://picolisp.com/wiki/?KerbAuth page.
# Please check the current download link on that page! The -O option is needed
# because wget would otherwise save the file under the URL's last path component.
wget -O kerbauth.tgz 'http://picolisp.com/wiki/!download?-A301'
tar xzf kerbauth.tgz -C /home/wiki

# create httpgate startup script and config file for httpgate
cat << 'EOF' > /etc/init.d/httpgate
#!/bin/sh
#
# chkconfig: 35 90 10
# description: httpgate
#
case "$1" in
   start)
      echo "Starting httpGate ..."
      /usr/lib/picolisp/bin/httpGate 80 /home/wiki/httpgate.conf
      ;;

   stop)
      echo "Stopping httpGate ..."
      killall httpGate
      ;;

   *)
      echo "Usage: $0 {start|stop}"
      exit 1
      ;;
esac

exit 0
EOF

cat << 'EOF' > /home/wiki/httpgate.conf
wiki 5000 wiki /home/wiki log/wiki /usr/bin/pil wiki/main.l @lib/app.l kerbauth/kerbauth.l -main -go -wait
EOF

# the init script must be executable before update-rc.d / service can use it
chmod 755 /etc/init.d/httpgate
update-rc.d httpgate defaults
chown -R wiki:wiki /home/wiki
service httpgate start

Change these lines at the beginning of /home/wiki/kerbauth/kerbauth.l according to your setup:
(setq *KrbSPN "HTTP/wiki.example.com@EXAMPLE.COM")
(sys "KRB5_KTNAME" "/home/wiki/HTTPwiki.keytab")
Check that the path in the KRB5_KTNAME line is where you placed the keytab; the file must be readable by the "wiki" user the application runs as.
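The following shell script is an added example for checking the two settings above; it is not code from the page or from the kerbauth library. It reads *KrbSPN and KRB5_KTNAME out of kerbauth.l with sed (assuming the two forms look exactly as shown above), then checks that the keytab exists, is owned by the user httpGate runs the wiki as ("wiki" in this setup), has no group or other permission bits, and, when the MIT Kerberos klist is installed (package krb5-user on Ubuntu), actually contains a key for that SPN. The keytab is the service's long-term key: anyone who can read it can act as HTTP/wiki.example.com, so the permission check matters as much as the path.

```sh
#!/bin/sh
# Added example, not part of the page or of the kerbauth library: read the
# SPN and keytab path out of kerbauth.l and check the keytab they name.
# The keytab is the service's long-term key, so it must be a regular file,
# owned by the user httpGate starts the wiki as, with no group/other bits.
# Paths and the owner "wiki" are the ones the page uses.

# Value of the first (setq *KrbSPN "...") form in the file given as $1.
krb_spn_from() {
    sed -n 's/^[[:space:]]*(setq \*KrbSPN "\([^"]*\)").*/\1/p' "$1" | head -n 1
}

# Path of the first (sys "KRB5_KTNAME" "...") form in the file given as $1.
krb_keytab_from() {
    sed -n 's/^[[:space:]]*(sys "KRB5_KTNAME" "\([^"]*\)").*/\1/p' "$1" | head -n 1
}

# Check the keytab file itself: $1 = path, $2 = expected owner (name or uid).
# Problems go to stderr; returns 0 only when all checks pass.
check_keytab_file() {
    kt="$1" owner="$2" frc=0
    if [ ! -f "$kt" ]; then
        echo "$kt: missing or not a regular file" >&2
        return 1
    fi
    case "$owner" in
        *[!0-9]*) want=$(id -u "$owner") || { echo "$owner: no such user" >&2; return 1; } ;;
        *) want=$owner ;;
    esac
    set -- $(ls -ldn "$kt")          # $1 = mode string, $3 = numeric owner uid
    case "$1" in
        -???------*) ;;               # rwx bits for group and other are all clear
        *) echo "$kt: mode is $1; group/other must have no access (chmod 600)" >&2; frc=1 ;;
    esac
    if [ "$3" != "$want" ]; then
        echo "$kt: owned by uid $3, expected uid $want" >&2; frc=1
    fi
    return $frc
}

# Does the keytab hold a key for the SPN? Needs MIT Kerberos klist.
# Returns 0 = yes, 1 = no, 2 = cannot tell (no klist on this host).
keytab_has_spn() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$1" 2>/dev/null | grep -qF -- "$2"
}

# Tie it together: $1 = path to kerbauth.l, $2 = expected keytab owner.
check_keytab_config() {
    lisp="$1" owner="$2" rc=0
    spn=$(krb_spn_from "$lisp")
    kt=$(krb_keytab_from "$lisp")
    case "$spn" in
        HTTP/*@*) ;;    # the shape ktpass -princ produces
        *) echo "$lisp: *KrbSPN '$spn' should look like HTTP/host@REALM" >&2; rc=1 ;;
    esac
    [ -n "$kt" ] || { echo "$lisp: no KRB5_KTNAME line found" >&2; return 1; }
    check_keytab_file "$kt" "$owner" || rc=1
    has=0; keytab_has_spn "$kt" "$spn" || has=$?
    case $has in
        1) echo "$kt: no entry for $spn (wrong keytab, or SPN changed on the DC?)" >&2; rc=1 ;;
        2) echo "klist not installed, skipping SPN lookup in $kt" >&2 ;;
    esac
    return $rc
}

# Stand-alone use on the wiki host, with the page's paths:
#   sh check_keytab.sh /home/wiki/kerbauth/kerbauth.l wiki
if [ -n "${1:-}" ]; then
    check_keytab_config "$1" "${2:-wiki}" && echo "$1: keytab configuration looks sane"
fi
```

Run it on the wiki host as sh check_keytab.sh /home/wiki/kerbauth/kerbauth.l wiki (the file name is arbitrary). A non-zero exit means at least one check printed a problem on stderr; "klist not installed" is informational only.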

In the user's browser, e.g. in Mozilla Firefox:

  1. go to page about:config
  2. enter "network.negotiate-auth" in the search field
  3. set "network.negotiate-auth.trusted-uris" to ".example.com"
  4. set "network.negotiate-auth.delegation-uris" to ".example.com"

Now your wiki is available at http://wiki.example.com/wiki/
The kerbauth library provides the necessary patches for the wiki engine, so there is no need to change anything in the wiki by hand. An additional link, "Domain log in", will appear on the main page under the "Log in" link. Click it and you will be authenticated with your domain account. A new user is added to the database on first login, and the 'cn and 'mail fields are fetched from Active Directory via LDAP.

Note that you can run multiple PicoLisp applications on different ports and point httpGate at them from httpgate.conf (the lines must be sorted, e.g. with bin/balance -sort).

Example: multiple applications in httpgate.conf
# name port user home log cmd
# default application (possibly a redirector to the other applications
# if your server has multiple DNS CNAMEs)
@ 65000 user1 /home/user1 log/app /usr/bin/pil app/main.l @lib/app.l -main -go -wait
# other app
app2 5001 user2 /home/user2 log/app /usr/bin/pil app/main.l @lib/app.l -main -go -wait
# wiki
wiki 5000 wiki /home/wiki log/wiki /usr/bin/pil wiki/main.l @lib/app.l kerbauth/kerbauth.l -main -go -wait
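As an added example (not part of the page or of PicoLisp), here is a small lint script for httpgate.conf that catches the mistakes which otherwise only show up as httpGate failing to route a request: too few fields, a non-numeric, out-of-range or duplicate port, a relative home directory, a user that does not exist on the host (httpGate starts each application as that user), and names that are not in sorted order. The page says the lines must be sorted with bin/balance -sort; the script assumes that means ascending byte order of the name field, which is the order the example above uses.

```sh
#!/bin/sh
# Added example, not from the page or from PicoLisp: lint an httpgate.conf
# before "service httpgate start". Entry format as given on the page:
#   name port user home log cmd [args ...]   (one per line, "#" comments)
# Assumption: the name fields must be in ascending C-locale byte order,
# which is the order the page's example uses and what bin/balance -sort is
# used for.

# true when "$1" sorts strictly before "$2" in byte order
str_lt() {
    printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort -c -u 2>/dev/null
}

# Validate the file named by $1; problems go to stderr, returns 1 if any.
validate_httpgate_conf() {
    conf="$1" rc=0 n=0 prev="" ports=" "
    set -f                            # word-splitting below must not glob
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                  # split the entry into fields
        [ $# -gt 0 ] || continue      # blank line
        case "$1" in '#'*) continue ;; esac   # comment line
        if [ $# -lt 6 ]; then
            echo "$conf:$n: expected 'name port user home log cmd', got $# fields" >&2
            rc=1; continue
        fi
        name=$1 port=$2 user=$3 home=$4
        case "$port" in
            ''|*[!0-9]*)
                echo "$conf:$n: port '$port' is not a number" >&2; rc=1 ;;
            *)
                if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                    echo "$conf:$n: port $port is out of range" >&2; rc=1
                fi
                case "$ports" in
                    *" $port "*) echo "$conf:$n: port $port is already used by another entry" >&2; rc=1 ;;
                esac
                ports="$ports$port " ;;
        esac
        case "$home" in
            /*) ;;
            *) echo "$conf:$n: home '$home' must be an absolute path" >&2; rc=1 ;;
        esac
        # httpGate starts the application as this user; warn if it is missing
        id "$user" >/dev/null 2>&1 ||
            echo "$conf:$n: warning: user '$user' does not exist on this host" >&2
        if [ -n "$prev" ] && ! str_lt "$prev" "$name"; then
            echo "$conf:$n: entry '$name' must sort strictly after '$prev' (run bin/balance -sort)" >&2
            rc=1
        fi
        prev=$name
    done < "$conf"
    set +f
    return $rc
}

# Stand-alone use on the wiki host: sh lint_httpgate.sh /home/wiki/httpgate.conf
if [ -n "${1:-}" ]; then
    validate_httpgate_conf "$1" && echo "$1: OK"
fi
```

Missing users are reported as warnings rather than errors so the file can be checked on a machine other than the one httpGate runs on; every other finding makes the script exit non-zero.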

http://picolisp.com/wiki/?localwikikerberos

15apr15    m_mans