skizzerz Posted February 24, 2013

File Name: Kerberos Login Authentication
File Submitter: skizzerz
File Submitted: 23 Feb 2013
File Category: Integration

Introduction

The Kerberos Loginauth method allows you to authenticate your users against an external Kerberos server (such as Active Directory) in cases where LDAP may not be available.

Requirements

A working Kerberos installation must be present on your server. The Ubuntu package name for this is krb5-user. You must also install the development libraries in order to compile the krb5 extension for PHP. You can verify your Kerberos installation by running the "kinit" command.

This loginauth module requires the PHP krb5 extension, which may be downloaded at http://svn.php.net/repository/pecl/krb5/trunk/. To download and install the extension on Linux, follow these steps:
[*]run svn checkout http://svn.php.net/repository/pecl/krb5/trunk/
[*]change directory to where the files downloaded
[*]run phpize
[*]run ./configure
[*]run make && make install

Installation/Uninstallation

To install, extract the .zip file into your IPB install. The module's directory structure is already present inside the zip file, so it should be placed in the correct location automatically. To verify this, check that you see a directory named 'krb5' in your admin/sources/loginauth directory. Once present, navigate to your Admin CP -> System -> Tools & Settings -> Log In Management and click the Install icon next to "Kerberos."

To uninstall, navigate to your Admin CP -> System -> Tools & Settings -> Log In Management and select Uninstall from the dropdown next to "Kerberos."

Configuration

Configuring Kerberos authentication is done via two separate methods: the configuration pane in the Admin CP and a krb5.conf file. Regardless of configuration, local database authentication to the Admin CP is always allowed, so that in the event of misconfiguration an admin can log in and fix the issues.

Admin CP

There are many configuration options available in the Admin CP. You can access these by clicking the gear icon next to the "Kerberos" method in Log In Management.

[*]Kerberos Default Authentication Realm - This is the realm (aka domain) that you are authenticating against if one is not specified by the user when logging in. This usually must be ALL UPPERCASE in order for Kerberos to recognize it. This configuration option is REQUIRED and must be specified.
[*]User Can Specify Alternative Realms - If "Yes", a user may log into a realm other than the default realm above by passing username@REALM as their username. These realms still need to be configured in the krb5.conf file. If "No", the default realm specified above is automatically appended to the username and any realm the user specifies is stripped out.
[*]Use Alternative Configuration File - If "Yes", the alternative configuration file below will be used to get KDC and realm information; otherwise the system default (usually /etc/krb5.conf) will be used. Make sure to specify a full path to the file: if the file does not exist or is not readable, all logins will fail.
[*]Alternative Configuration File - Specifies the path to the alternative configuration file. You may wish to copy your system's krb5.conf and modify it from there. This should be a full path to the file and the file must be readable. If this is specified and "Use Alternative Configuration File" is "Yes", the default configuration file will be ignored and this one used in its place.
[*]Require Local User - Requires that a local user with the same username already exist before allowing Kerberos logins. This is useful in scenarios where you only wish for certain people to be able to log in (on a whitelist basis). If this is "Yes", an admin must first create a local user account for each user before they may log in with their Kerberos credentials.
[*]Email Address Pattern - What to set as the e-mail address when creating a new local account. Leave this blank to force the user to type in an email address when they first log in. The following variables are replaced in the pattern: {USERNAME} - Username; {REALM} - Authentication realm (lowercase). For example, if this was "{USERNAME}@mail.{REALM}" and a user logged in as username@MYDOMAIN.COM, this would set their email address when creating their local account to "username@mail.mydomain.com". This setting only applies when creating a NEW local user account; it will not adjust the email address of an existing account.
[*]Update Local Password - Upon successful Kerberos login, should we update the user's local password to match? If set to "Yes", the password stored in the local database is updated to match the password used to log into Kerberos. If "No", the password in the local database is not modified.

krb5.conf

You may either use the system's krb5.conf file (usually located at /etc/krb5.conf) or specify your own via the configuration in the Admin CP. The krb5.conf file must specify what realms you are allowing users to log in with as well as the Key Distribution Centers (KDCs) for those realms. The syntax and configuration of krb5.conf is beyond the scope of this readme and many good guides exist on the internet.

Bugs/Feedback

Please report all bugs and feedback to the thread in the IPS Marketplace.
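The following PHP is an added example, not code from the module itself, showing how the Admin CP settings described above interact: how a typed login is split into user and realm under "User Can Specify Alternative Realms", how "Email Address Pattern" expands {USERNAME} and {REALM}, and the existence/readability check an operator should run on an "Alternative Configuration File" before enabling it, since an unreadable file makes every Kerberos login fail. The function names, the realm EXAMPLE.COM, the KDC host names in the constructed krb5.conf and the PHP 7.1+ syntax are all assumptions of this example; the module's own internal handling may differ.

```php
<?php
// Added example (not the module's own code). Function names, the realm
// EXAMPLE.COM and the KDC host names below are assumptions/placeholders.

/**
 * Apply "Kerberos Default Authentication Realm" and
 * "User Can Specify Alternative Realms" to what the user typed.
 * Returns [user, REALM] or null when the input is unusable.
 */
function krb5_split_principal(string $login, string $defaultRealm, bool $allowAltRealms): ?array
{
    $login = trim($login);
    $at = strrpos($login, '@');
    if ($at === false) {
        $user  = $login;
        $realm = $defaultRealm;            // no realm given: default applies
    } else {
        $user  = substr($login, 0, $at);
        // "Yes": honour username@REALM; "No": strip it and append the default.
        $realm = $allowAltRealms ? substr($login, $at + 1) : $defaultRealm;
    }
    // Upper-casing is a convenience this example adds; the readme only says the
    // default realm usually has to be ALL UPPERCASE for Kerberos to recognise it.
    $realm = strtoupper($realm);
    if ($user === '' || $realm === '') {
        return null;
    }
    return [$user, $realm];
}

/**
 * Expand "Email Address Pattern": {USERNAME} and {REALM} (realm lowercased).
 * An empty pattern means "ask the user on first login", so return null.
 */
function krb5_email_from_pattern(string $pattern, string $user, string $realm): ?string
{
    if ($pattern === '') {
        return null;
    }
    return str_replace(['{USERNAME}', '{REALM}'], [$user, strtolower($realm)], $pattern);
}

/**
 * Pre-flight check for "Alternative Configuration File": the readme requires
 * a full path that exists and is readable, or all logins fail. Returns a list
 * of problems (empty array means the path is usable).
 */
function krb5_check_alt_config(string $path): array
{
    $problems = [];
    if ($path === '' || $path[0] !== '/') {
        $problems[] = 'path is not absolute';
    }
    if (!is_file($path)) {
        $problems[] = 'file does not exist';
    } elseif (!is_readable($path)) {
        $problems[] = 'file is not readable by the web server user';
    }
    return $problems;
}

// --- demo -------------------------------------------------------------
$defaultRealm = 'EXAMPLE.COM';

// Constructed minimal krb5.conf listing the realm and its KDCs, the two
// things the readme says the file must contain. Host names are placeholders.
$altConf = <<<CONF
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
CONF;
$confPath = sys_get_temp_dir() . '/krb5-demo.conf';
file_put_contents($confPath, $altConf);

foreach (['alice', 'bob@OTHER.ORG', 'carol@example.com', '@EXAMPLE.COM'] as $login) {
    foreach ([true, false] as $allowAlt) {
        $p = krb5_split_principal($login, $defaultRealm, $allowAlt);
        $email = $p === null ? null
            : krb5_email_from_pattern('{USERNAME}@mail.{REALM}', $p[0], $p[1]);
        printf("%-18s alt=%-5s -> %s\n", $login, var_export($allowAlt, true),
            $p === null ? 'rejected' : "{$p[0]}@{$p[1]}  email={$email}");
    }
}
print_r(krb5_check_alt_config($confPath));              // [] : usable
print_r(krb5_check_alt_config('/nonexistent/krb5.conf')); // file does not exist
unlink($confPath);
```

With "User Can Specify Alternative Realms" set to "No", bob@OTHER.ORG is rewritten to bob@EXAMPLE.COM, which is the behaviour an operator relies on when only one realm is configured in krb5.conf; with "Yes", OTHER.ORG must also appear in the [realms] section or the KDC lookup fails.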