11 April,19 at 11:49 AM
What you'll need
Implementation Steps
Information gathering
$ uname -a
Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ adinfo -v
adinfo (CentrifyDC 5.2.0-218)
$ adinfo -C | grep http
http/cen3.corp.contoso.com
http/cen3
$ dzdo service httpd status
httpd (pid 2811) is running...
$ httpd -V
Server version: Apache/2.2.15 (Unix)
Architecture: 64-bit
$ httpd -l | grep mod_so.c
mod_so.c
It looks like my server is running CentOS 6.x and Centrify 5.2, and the HTTP SPN is registered for cen3.corp.contoso.com. As far as Apache goes, it is a 64-bit Apache 2.2 with mod_so loaded, so it can take the plugin module. Based on this information, I will download the package "DirectControl for Apache HTTP Server on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64"; the version was 4.4.3 as of the original post in November 2014.
Installation
Unpack and install the SSO plugin
$ tar xzvf centrify-apache-4.4.4-rhel3-x86_64.tgz
The installation file on RHEL for this version is called centrifydc-apache-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.
$ dzdo rpm -Uvh centrifydc-apache-4.4.4-rhel3-x86_64.rpm
Preparing... ########################################### [100%]
1:CentrifyDC-apache ########################################### [100%]
Configuration of the Sample Application
Centrify provides a working sample app that shows how the plugin's directives are used. To enable it, include the path to the corresponding config file from /etc/httpd/conf/httpd.conf. The sample app lives in /usr/share/centrifydc/apache/samples, and since I'm running 64-bit Apache 2.2.x, all I need to do is add this line
Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf
and restart the Web Server.
$ dzdo vi /etc/httpd/conf/httpd.conf
==> then 'G' to go to the end of the file and 'o' to open a new line
# Include of Centrify Samples
Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf
==> then :wq! to save and exit
$ dzdo service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Verify that all is working as expected
Ticket # 0 is a Kerberos TGT and #1 is a service ticket that was requested by Jerry to access the Apache HTTP service on CEN3.
With the default configuration, any valid AD user has access from a domain-joined computer. The directives to add to your Apache web sites are as follows:
# Note: Apache does not accept a comment after a directive on the same line,
# so each comment below sits on its own line.
# Enables the Centrify plugin for the site
AuthType CENTRIFYDC
# Enables Basic authentication (use only with SSL)
EnableBasicAuth true
# Enables NTLM authentication
EnableNtlmAuth true
# Enables Kerberos authentication
EnableKerberosAuth true
# Controls authorization; valid-user is any AD-authenticated user
Require valid-user
The Require directive can also be used for AD-based authorization. For example, to allow only the members of the "Demo Users" AD group, the Require line looks like this:
Require group "Demo Users"
Plugin in Action - phpPgAdmin
In this example, we'll use the Apache SSO Plugin to AD-enable the phpPgAdmin app. phpPgAdmin provides a web interface to manage PostgreSQL. To install it (e.g. on CentOS 6.x):
Add the repository
$ wget http://yum.postgresql.org/9.1/redhat/rhel-6.3-x86_64/pgdg-centos91-9.1-4.noarch.rpm
$ rpm -Uvh pgdg-centos91-9.1-4.noarch.rpm
Install the app
$ dzdo yum install phpPgAdmin
Configure the App to accept local connections
Edit /etc/httpd/conf.d/phpPgAdmin.conf and allow the addresses that should reach the app, for example (Apache 2.2 syntax):
Allow from 10.0.0.0
Restart the Web Server
$ dzdo service httpd restart
Verify access by browsing to the /phpPgAdmin virtual directory on your server.
To enable access with the Centrify plugin, add the directives below inside the Location stanza of /etc/httpd/conf.d/phpPgAdmin.conf. In this case we are limiting access based on membership in the Demo Users AD group.
AuthType CENTRIFYDC
EnableBasicAuth true
EnableNtlmAuth true
EnableKerberosAuth true
Require group "Demo Users"
Don't forget to restart the Apache Server!!!
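As an added example (not from the original post or from Centrify), a small shell audit for the Location stanza above: it catches a comment placed after a directive on the same line, a missing AuthType or Require, and EnableBasicAuth enabled without TLS. It assumes POSIX sh with grep and mktemp, and takes mod_ssl's SSLRequireSSL as the marker that the site is TLS-only.

```shell
#!/bin/sh
# Added example (not Centrify's tooling): audit one Apache 2.2 site config
# for the Centrify SSO directives shown above. Prints one line per finding
# and returns 0 only when nothing was found. Assumes POSIX sh, grep, mktemp.

# audit_centrify_conf FILE
audit_centrify_conf() {
    conf="$1"
    rc=0
    # Apache does not allow a '#' comment after a directive on the same line;
    # 'service httpd restart' would fail on "AuthType CENTRIFYDC # ...".
    if grep -Eq '^[[:space:]]*[A-Za-z]+[^#]*#' "$conf"; then
        echo "FAIL: trailing '#' comment after a directive (httpd -t will reject it)"
        rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*AuthType[[:space:]]+CENTRIFYDC' "$conf"; then
        echo "FAIL: AuthType CENTRIFYDC missing; the plugin is not enabled for this site"
        rc=1
    fi
    # Basic auth carries the AD password itself, so it belongs only behind TLS.
    # Assumption: the site marks itself TLS-only with mod_ssl's SSLRequireSSL.
    if grep -Eiq '^[[:space:]]*EnableBasicAuth[[:space:]]+true' "$conf" &&
       ! grep -Eiq '^[[:space:]]*SSLRequireSSL' "$conf"; then
        echo "WARN: EnableBasicAuth true without SSLRequireSSL; AD passwords could cross the wire in the clear"
        rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*Require[[:space:]]+(valid-user|group[[:space:]])' "$conf"; then
        echo "FAIL: no Require directive; authenticated users are not authorized to anything"
        rc=1
    fi
    return $rc
}

# Constructed demo input: the phpPgAdmin stanza with two common mistakes.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<Location /phpPgAdmin>
    AuthType CENTRIFYDC # enables the plugin
    EnableBasicAuth true
    EnableNtlmAuth true
    EnableKerberosAuth true
    Require group "Demo Users"
</Location>
EOF
audit_centrify_conf "$demo_conf" || echo "audit: fix $demo_conf before 'service httpd restart'"
rm -f "$demo_conf"
```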