小贝子编程

多Active Directory域的SSO身份验证



有一个Nginx服务器配置为使用krb5spnego http auth Nginx模块对一个域进行SSO身份验证

如何配置双域身份验证?

如果可用的话,该解决方案最好使用不带Apache的Nginx。

配置来源:

  • /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.TEST
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.TEST = {
kdc = domain.test
admin_server = domain.test
}
[domain_realm]
.test.local = DOMAIN.TEST
test.local = DOMAIN.TEST
  • /etc/nginx/conf.d/jango.conf
server {
listen       80;
server_name  django.test.local;
access_log  /var/log/nginx/host.access.log  main;
location / {
try_files $uri @backend;
auth_gss on;
auth_gss_realm DOMAIN.TEST;
auth_gss_keytab /etc/krb5.keytab;
auth_gss_service_name HTTP/django.test.local;
auth_gss_allow_basic_fallback on;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-User $remote_user;
proxy_redirect off;
proxy_pass http://0.0.0.0:8000;
}
}
  • 合并域键选项卡文件(源代码(
ktutil
read_kt domain1.keytab
read_kt domain2.keytab
write_kt /etc/krb5_multidomain.keytab
quit
  • 编辑/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = DOMAIN.TEST
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.TEST = {
kdc = domain.test
admin_server = domain.test
}
DOMAIN2.TEST = {               # append string
kdc = domain2.test            # append string
admin_server = domain2.test   # append string
}                              # append string
[domain_realm]
.test.local = DOMAIN.TEST
test.local = DOMAIN.TEST
.test.local = DOMAIN2.TEST       # append string
test.local = DOMAIN2.TEST        # append string
  • 编辑/etc/nginx/conf.d/jango.conf
server {
listen       80;
server_name  django.test.local;
access_log  /var/log/nginx/host.access.log  main;
location / {
try_files $uri @backend;        
auth_gss on;
# auth_gss_realm DOMAIN.TEST;
auth_gss_format_full on;                       # append string
auth_gss_keytab /etc/krb5_multidomain.keytab;  # change string
auth_gss_service_name HTTP/django.test.local;
auth_gss_allow_basic_fallback on;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-User $remote_user;
proxy_redirect off;
proxy_pass http://0.0.0.0:8000;
}
}

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium