Feature #175

Updated by Daniel Curtis over 10 years ago

During the integration of Kerberos and OpenLDAP I still needed to retain access to, and management of, @phpldapadmin@. First start off by installing the required package:
<pre>
sudo apt-get install libapache2-mod-auth-kerb
</pre>

h2. 1. Create a service principal for the Apache2 service on the web server

<pre>
kadmin -p admin
addprinc -randkey http/www.example.com
ktadd http/www.example.com
</pre>

h2. 2. Set phpLDAPadmin vhost configuration file to use Kerberos

<pre>
vi /etc/phpldapadmin/apache2.conf
</pre>
<pre>
<Directory /usr/share/phpldapadmin/htdocs/>

DirectoryIndex index.php
Options +FollowSymLinks
AllowOverride None

Order allow,deny
Allow from all

AuthType Kerberos
AuthName "LDAP Admin"
KrbAuthRealms EXAMPLE.COM
KrbVerifyKDC off
KrbServiceName http
KrbMethodNegotiate On
KrbMethodK5Passwd On
Krb5KeyTab /etc/apache2/apache2.keyfile
KrbSaveCredentials on
require valid-user
...
</Directory>
</pre>
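Two of the directives above deserve a second look before this goes near a production directory server. @KrbVerifyKDC off@ disables the check of the obtained ticket against the server's own keytab, which is what protects the @KrbMethodK5Passwd@ password path from a spoofed KDC, and @KrbSaveCredentials on@ writes the delegated credentials to a credential cache on the web server (phpLDAPadmin needs that cache for the GSSAPI bind configured in step 3). Note also that @ktadd@ without @-k@ writes to the default @/etc/krb5.keytab@, not to the @/etc/apache2/apache2.keyfile@ named in @Krb5KeyTab@, so the keytab path must match. Below is a small linter, added here as an example and not part of the original update or of phpLDAPadmin, that parses a @<Directory>@ block and reports these weak settings; the sample block is a constructed copy of the directives above, and the severities are my own labels.

```python
"""Lint the mod_auth_kerb directives of an Apache <Directory> block.

Added example: it is not part of phpLDAPadmin or of the original update.
"""

# Constructed sample: a copy of the Kerberos directives from the
# phpLDAPadmin vhost described in step 2.
SAMPLE_VHOST = """\
<Directory /usr/share/phpldapadmin/htdocs/>
    DirectoryIndex index.php
    AuthType Kerberos
    AuthName "LDAP Admin"
    KrbAuthRealms EXAMPLE.COM
    KrbVerifyKDC off
    KrbServiceName http
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    Krb5KeyTab /etc/apache2/apache2.keyfile
    KrbSaveCredentials on
    require valid-user
</Directory>
"""


def parse_directives(config_text):
    """Map each 'Directive value' line to {directive_lowercase: value}.

    Container tags (<Directory>, </Directory>), blank lines and comments
    are skipped. Apache directive names are case-insensitive, so keys are
    lower-cased; a repeated directive keeps its last value, as Apache does.
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("<", "#")):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip()
    return directives


def _flag_on(directives, name, default="off"):
    """True when a boolean directive is enabled (mod_auth_kerb uses on/off)."""
    return directives.get(name, default).strip().lower() in ("on", "yes", "true", "1")


def lint_kerberos_auth(config_text):
    """Return [(severity, directive, reason), ...] for risky mod_auth_kerb settings."""
    d = parse_directives(config_text)
    findings = []
    if d.get("authtype", "").lower() != "kerberos":
        return findings  # block does not use mod_auth_kerb; nothing to check

    # mod_auth_kerb defaults: KrbVerifyKDC on, KrbMethodK5Passwd on.
    passwd_login = _flag_on(d, "krbmethodk5passwd", default="on")
    verify_kdc = _flag_on(d, "krbverifykdc", default="on")

    # Without verification, the TGT obtained with the user's password is never
    # checked against the service keytab, so a reply from a spoofed KDC is
    # indistinguishable from a genuine one. Only matters on the password path.
    if passwd_login and not verify_kdc:
        findings.append(("high", "KrbVerifyKDC",
                         "off while KrbMethodK5Passwd is on: turn KDC verification back on"))

    # Basic-auth fallback carries the Kerberos password in the HTTP request;
    # acceptable only on a TLS-only vhost.
    if passwd_login:
        findings.append(("medium", "KrbMethodK5Passwd",
                         "password fallback enabled: serve this vhost over HTTPS only"))

    # Delegated credentials are written to a ccache on the web server. The
    # GSSAPI bind in step 3 needs them, so report it rather than fail it.
    if _flag_on(d, "krbsavecredentials"):
        findings.append(("info", "KrbSaveCredentials",
                         "credential cache written on the web server: keep it readable by the Apache user only"))

    # Without Krb5KeyTab the module reads the default keytab (/etc/krb5.keytab).
    if "krb5keytab" not in d:
        findings.append(("medium", "Krb5KeyTab",
                         "not set: the default /etc/krb5.keytab will be used"))

    return findings


if __name__ == "__main__":
    for severity, directive, reason in lint_kerberos_auth(SAMPLE_VHOST):
        print(f"[{severity}] {directive}: {reason}")
```

Running it against the sample reports the @KrbVerifyKDC@ finding as high, the password fallback and saved credentials as items to review, and nothing for the keytab since the path is set; flipping @KrbVerifyKDC@ to @on@ clears the high finding, which is the one change worth making before the password method is left enabled.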

h2. 3. Enable Kerberos authentication in phpldapadmin configuration file

<pre>
vi /etc/phpldapadmin/config.php
</pre>
<pre>
$servers->setValue('login','bind_id','');
$servers->setValue('login','auth_type','sasl');
$servers->setValue('sasl','mech','GSSAPI');
$servers->setValue('sasl','realm','EXAMPLE.COM');
// a second setValue() for the same key replaces the one above, so keep only one realm
// $servers->setValue('sasl','realm','ALTSERVICE.COM');
$servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
$servers->setValue('sasl','authz_id_replacement','$1');
</pre>
