TECHZEN Zenoss User Community ARCHIVE  

[SOLVED] Zenoss SSO behind apache proxy

Subject: [SOLVED] Zenoss SSO behind apache proxy
Author: [Not Specified]
Posted: 2014-04-01 04:11

Hi everyone

I come to you with probably a rather common problem. Unfortunately I wasn't able to solve it, even though there were a lot of similar threads all over the internet.

We have the following setup:

A server (let's call it zenossserver) with Zenoss up and running on it. We also have LDAP login configured, so that credentials are checked against an AD. That's working flawlessly. We don't even have to set up the users in Zenoss. It's sufficient to log in with an appropriate account (that exists in the AD) and Zenoss creates the corresponding Zenoss account.

We would now like to set up Kerberos SSO like we already have for multiple other sites, so that we don't have to type in our credentials at the Zenoss login, but so that our web browser forwards an existing Kerberos TGT to the browser.

To do so we have an apache proxy in front of the zenoss/zope instance. Both of them are running on the same server "zenossserver".

Here's the apache config for the zenoss vhost:

# Note: the container directives (<VirtualHost>, <Proxy>, <Location>) were
# lost in the archived copy of this post; they are reconstructed here from context.
<VirtualHost *:80>
    ServerName zenossserver.domain.local
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1
</VirtualHost>

<VirtualHost *:443>
    ServerName zenossserver.domain.local
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/zenossserver_server.pem
    SSLCertificateKeyFile /etc/pki/tls/private/zenossserver_privatekey.pem
    RequestHeader set X_FORWARDED_PROTO "https"
    RewriteEngine On

    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Proxy>

    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P]

    <Location />
        AuthType Kerberos
        AuthName "Logon with AD account"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.LOCAL

        Krb5KeyTab /etc/httpd/http.keytab
        KrbLocalUserMapping on

        # AuthLDAPURL syntax: ldap://host:port/basedn?attribute?scope?filter
        AuthLDAPURL "ldap://dc.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?(objectClass=*)"
        AuthzLDAPAuthoritative on
        AuthLDAPBindDN "CN=srvad,OU=ServiceAccounts,DC=domain,DC=local"
        AuthLDAPBindPassword "XXXXXXXXXXXXX"

        require ldap-group CN=some,OU=AGroups,OU=Groups,OU=Employees,DC=domain,DC=local
    </Location>
</VirtualHost>

Note that there are no other config files that override the virtualhost directives.

Situation A)
------------
Now, when we have a valid ticket-granting ticket from our AD (after doing some "kinit"), our Firefox browser sends it to the apache (because we configured it like the following: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Li...)

Proof that we have a TGT:

[root]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.LOCAL

Valid starting Expires Service principal
01.04.2014 08:54:59 01.04.2014 18:54:58 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 02.04.2014 08:54:59
[root]$

Apache then authenticates correctly and without the need of any input we are redirected to Zenoss. But there we land at the login screen of Zenoss. So zope doesn't receive the right (user) information to log in correctly.

Situation B)
------------
When we have NO valid TGT:

[root]$ klist

[root]$

The situation is different: Our browser has nothing to send, so apache asks for username and password. That's working fine and apache then redirects us to the zope side. In this case, zope accepts the credentials entered on the apache side by hand and no login screen is shown, but we are logged in automatically.

I came across the following posts on the internet:
http://community.zenoss.org/message/34044
http://nosq.com/2009/07/passing-apache-reverse-proxy-auth-from-windows-t...
http://old.zope.org/Members/regebro/Zope_and_Apache

I tried several combinations with

RewriteCond %{LA-U:REMOTE_USER} (.*)
RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]

and

RequestHeader set X-Remote-User "%{RU}e" env=RU

in the vhost config, unfortunately to no avail. I wonder if it's really necessary, since, when there's no TGT to be sent to apache and we log in with username/password, apache seems to send enough information to zope, so that it uses the right user.

I did some tcpdumps of the traffic between apache and zope (on the loopback interface). Here you'll find the packets which send the authorization information:

Situation A)
-----------
(with TGT, apache logs in automatically, zope loginpage is shown)


No. Time Source Destination Protocol Length Info
112 5.085782 127.0.0.1 127.0.0.1 HTTP 4098 GET /VirtualHostBase/http/zenossserver.domain.local:80/VirtualHostRoot/zport/dmd/ HTTP/1.1

Frame 112: 4098 bytes on wire (32784 bits), 4098 bytes captured (32784 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 43077 (43077), Dst Port: http-alt (8080), Seq: 1, Ack: 1, Len: 4032
Hypertext Transfer Protocol
GET /VirtualHostBase/http/zenossserver.domain.local:80/VirtualHostRoot/zport/dmd/ HTTP/1.1\r\n
Host: 127.0.0.1:8080\r\n
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Cookie: jobswidget_update=1395836986.91; _ZopeId="06990779A6W9kzxP7GY"\r\n
[truncated] Authorization: Negotiate YIIJwQYGKwYBBQUCoIIJtTCCCbGgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCCYQEggmAYIIJfAYJKoZIhvcSAQICAQBugglrMIIJZ6ADAgEFoQMCAQ6iBwMFAAAAAACjggE9YYIBOTCCATWgAwIBBaESGxBCSUVMQklFTk5FLkxPQ0FMoi
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
Simple Protected Negotiation
negTokenInit
mechTypes: 4 items
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
MechType: 1.3.5.1.5.2 (iso.3.5.1.5.2)
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
MechType: 1.3.6.1.5.2.5 (iso.3.6.1.5.2.5)
mechToken: 6082097c06092a864886f71201020201006e82096b308209...
krb5_blob: 6082097c06092a864886f71201020201006e82096b308209...
KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
krb5_tok_id: KRB5_AP_REQ (0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 00000000
0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
Ticket
Tkt-vno: 5
Realm: domain.LOCAL
Server Name (Service and Host): HTTP/zenossserver.domain.local
Name-type: Service and Host (3)
Name: HTTP
Name: zenossserver.domain.local
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 6c83ae81b9167f7967cf3c5f76ed1d01b53344db573f6c74...
Authenticator aes256-cts-hmac-sha1-96
Via: 1.1 httpproxyserver.domain.local (squid/3.1.10)\r\n
X-Forwarded-For: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX\r\n
Cache-Control: max-age=259200\r\n
X-Forwarded-Host: zenossserver.domain.local\r\n
X-Forwarded-Server: zenossserver.domain.local\r\n
Connection: Keep-Alive\r\n
\r\n
[Full request URI: http://127.0.0.1:8080/VirtualHostBase/http/zenossserver.domain.local:80/...

So there's no X-Forwarded-User or similar.

Situation B)
-----------
(no TGT, apache login with username/password, zenoss is logging in automatically)


Frame 68: 782 bytes on wire (6256 bits), 782 bytes captured (6256 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 43305 (43305), Dst Port: http-alt (8080), Seq: 1, Ack: 1, Len: 716
Hypertext Transfer Protocol
GET /VirtualHostBase/http/zenossserver.domain.local:80/VirtualHostRoot/zport/dmd/ HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /VirtualHostBase/http/zenossserver.domain.local:80/VirtualHostRoot/zport/dmd/ HTTP/1.1\r\n]
[Message: GET /VirtualHostBase/http/zenossserver.domain.local:80/VirtualHostRoot/zport/dmd/ HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /VirtualHostBase/http/zenossserver.domain.local:80/VirtualHostRoot/zport/dmd/
Request Version: HTTP/1.1
Host: 127.0.0.1:8080\r\n
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Cookie: jobswidget_update=1395841181.34; _ZopeId="22475936A6W9rCU7f7s"\r\n
Authorization: Basic c2NobXA6cDRCSUVMMzQ1Kioq\r\n
Credentials: user:PASSWORD
Via: 1.1 httpproxyserver.domain.local (squid/3.1.10)\r\n
X-Forwarded-For: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX\r\n
Cache-Control: max-age=259200\r\n
X-Forwarded-Host: zenossserver.domain.local\r\n
X-Forwarded-Server: zenossserver.domain.local\r\n
Connection: Keep-Alive\r\n
\r\n
[Full request URI: http://127.0.0.1:8080/VirtualHostBase/http/zenossserver.domain.local:80/...

Even though zope logs in automatically, there's no X-Forwarded-User or similar. The only information about the user is in the "Authorization: Basic" block.

When I set X-Forwarded-User in the vhost config, it's shown in the tcpdump, but zope still shows the login screen and doesn't do it automatically.

So now, my question:
Is there anything additional that I have to configure in my apache instance, or is there something I have to configure on the zope side? If you guys need some additional information (config files or similar), I'm happy to provide them.

Thank you very much
Philippe
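The two captures above show the crux of the problem: in situation B the hop carries "Authorization: Basic", from which zope can read the username (and the cleartext password) directly, while in situation A it carries "Authorization: Negotiate", whose only readable parts are the offered GSS mechanisms; the identity sits inside the encrypted Kerberos AP-REQ, so zope cannot recover a user from it. The following added example (not code from this post, from Apache or from Zope) summarises what a proxied request reveals, with a tiny DER/SPNEGO reader built in for the purpose; the two sample headers are constructed here, not taken from the capture, and the mechanism names are the well-known OIDs from RFC 4178 / RFC 4121 and MS-SPNG.

```python
"""Summarise the authentication material in an Authorization header."""
import base64
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"          # RFC 4178
MECH_NAMES = {                        # well-known GSS-API mechanism OIDs
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def encode_oid(dotted):
    """DER-encode a dotted OID (first arc 0/1/2, second arc < 40)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """Inverse of encode_oid."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_tlv(tag, content):
    """Build one DER tag-length-value (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Read the TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_spnego_init(mech_oids, mech_token):
    """Build a GSS-API InitialContextToken wrapping a SPNEGO negTokenInit."""
    mech_list = der_tlv(0x30, b"".join(der_tlv(0x06, encode_oid(m)) for m in mech_oids))
    fields = der_tlv(0xA0, mech_list) + der_tlv(0xA2, der_tlv(0x04, mech_token))
    neg_token_init = der_tlv(0xA0, der_tlv(0x30, fields))
    return der_tlv(0x60, der_tlv(0x06, encode_oid(SPNEGO_OID)) + neg_token_init)


def parse_negotiate_token(token):
    """Mechanisms offered in a client's first Negotiate token; nothing secret is readable."""
    tag, body, _ = der_read(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_raw, pos = der_read(body, 0)
    if tag != 0x06:
        raise ValueError("missing mechanism OID")
    mech = decode_oid(oid_raw)
    if mech != SPNEGO_OID:              # some clients send a raw Kerberos token without SPNEGO
        return {"spnego": False, "mechs": [MECH_NAMES.get(mech, mech)], "has_mech_token": True}
    tag, neg, _ = der_read(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit, got a later-round negTokenResp")
    _, fields, _ = der_read(neg, 0)     # SEQUENCE of context-tagged fields
    mechs, has_token, pos = [], False, 0
    while pos < len(fields):
        tag, content, pos = der_read(fields, pos)
        if tag == 0xA0:                 # [0] mechTypes: SEQUENCE OF OID
            _, oid_seq, _ = der_read(content, 0)
            p = 0
            while p < len(oid_seq):
                _, oid_raw, p = der_read(oid_seq, p)
                mechs.append(MECH_NAMES.get(decode_oid(oid_raw), decode_oid(oid_raw)))
        elif tag == 0xA2:               # [2] mechToken: the (encrypted) AP-REQ
            has_token = True
    return {"spnego": True, "mechs": mechs, "has_mech_token": has_token}


def classify_authorization(header_value):
    """Describe an Authorization header value without keeping any secret from it."""
    scheme, _, param = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user, _, _password = base64.b64decode(param).decode("utf-8", "replace").partition(":")
        return {"scheme": "Basic", "user": user, "cleartext_password": True}
    if scheme == "negotiate":
        info = parse_negotiate_token(base64.b64decode(param))
        info.update(scheme="Negotiate", user=None)   # identity is inside the encrypted AP-REQ
        return info
    return {"scheme": scheme, "user": None}


# Constructed samples for this example (not the capture from the thread).
SAMPLE_NEGOTIATE = "Negotiate " + base64.b64encode(
    build_spnego_init(list(MECH_NAMES), b"\x01\x02\x03\x04")).decode()
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()

if __name__ == "__main__":
    for header in (SAMPLE_NEGOTIATE, SAMPLE_BASIC):
        print(classify_authorization(header))
```

Run against the Negotiate sample it reports only the mechanism list (KRB5, MS KRB5, NTLMSSP) and no user; against the Basic sample it reports the username and flags that a cleartext password crossed the hop, which is exactly what the second capture shows and why the Basic fallback is only acceptable on a loopback or TLS-protected hop.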



Subject: additional infos
Author: [Not Specified]
Posted: 2014-04-01 07:11

Some additional infos: for LDAP auth we followed this: http://community.zenoss.org/message/74331#74331

We run:

[root@zenossserver ~]# yum list installed httpd zenoss
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.switch.ch
 * epel: mirror.switch.ch
 * extras: mirror.switch.ch
 * updates: mirror.switch.ch
Installed Packages
httpd.x86_64    2.2.15-29.el6.centos    @base
zenoss.x86_64   4.2.4-1897.el6          @/zenoss_core-4.2.4-1897.el6.x86_64
[root@zenossserver ~]#

Subject: no ideas?
Author: [Not Specified]
Posted: 2014-04-03 07:04

no ideas



Subject: solved
Author: [Not Specified]
Posted: 2014-04-22 03:53

We finally got a solution for that one. Below you'll find the steps needed to set up your Zenoss installation with single sign-on.

Useful links:

1) If you need knowledge in how kerberos is working you should visit the following page. There's a lot of insight on how to debug common kerberos related stuff:
http://www.grolmsnet.de/kerbtut/

2) Microsoft's recommendations on how to use Kerberos between Windows and Linux: http://technet.microsoft.com/en-us/library/bb742433.aspx

3) There's a good site on how to set up Plone (which uses the zope web server like Zenoss) SSO with AD. Unfortunately this is in German. You'll find the important stuff later on.
http://www.plone-entwicklerhandbuch.de/plone-entwicklerhandbuch/authenti...

Setup:

- Client (your Notebook/PC/whatever)
- Apache Proxy (This server takes your web requests and sends them to the zope web server which handles the Zenoss pages)
- Zope Webserver (Zenoss). Takes the forwarded stuff from apache and answers the client's request if he has been successfully authenticated and authorized.

In our environment the Apache Proxy and Zope Webserver are on the same physical server. This doesn't change anything from a logical point of view.

Assumptions:

- You have a working Kerberos-Infrastructure (AD) with a working KDC (Key Distribution Center, in this case the Windows domain controllers).

- You have valid service principals for the webserver against which you want to authenticate. If you don't have the principals, read the tutorial 1 and 2 under "useful links".

SETUP:
-----------

CLIENT:

1) First of all, you have to have your local machine configured to be able to obtain Kerberos tickets from the KDC (AD). If you're running a Windows machine you're already fine. If you're running Linux you have to set up an /etc/krb5.conf that serves your desired realm.

Put in your existing /etc/krb5.conf the new realm (in our case "DOMAIN.LOCAL") with the domaincontrollers you have:

[realms]
...
DOMAIN.LOCAL = {
kdc = dc1.domain.local
kdc = dc2.domain.local
kdc = dc3.domain.local
}
...

that's all you need. You should now be able to get a ticket from your realm:

[user@laptop ~]$ kinit username@DOMAIN.LOCAL
[user@laptop ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@DOMAIN.LOCAL

Valid starting Expires Service principal
16.04.2014 13:24:27 16.04.2014 23:24:24 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 17.04.2014 13:24:27

If klist doesn't show anything, fix this first.

2) You have to be sure that your web browser sends Kerberos tickets to the web server. If you're running Windows with Internet Explorer you should be fine. If you're using Firefox you can follow the following steps:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Li...

Now your client should be fine.

APACHE PROXY:

Now we set up the apache proxy to authenticate the client (with the sent Kerberos ticket) against the KDC (AD). Everything is done in an apache virtualhost config file (/etc/httpd/conf.d/zenoss.conf):

# Note: the container directives (<VirtualHost>, <Location>) were lost in the
# archived copy of this post; they are reconstructed here from context.
<VirtualHost *:80>
    ServerName zenossserver.domain.local
    ServerAdmin webmaster@domain.local
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1
</VirtualHost>

<VirtualHost *:443>
    ServerName zenossserver.domain.local
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/zenossserver_server.pem
    SSLCertificateKeyFile /etc/pki/tls/private/zenossserver_privatekey.pem
    RequestHeader set X_FORWARDED_PROTO "https"

    <Location />
        AuthType Kerberos
        AuthName "Logon with your Windows account"
        KrbMethodNegotiate On
        ## as a fallback method, we let users enter their username and password: (it's secure since we go through ssl)
        KrbMethodK5Passwd On
        KrbAuthRealms domain.LOCAL
        Krb5KeyTab /etc/httpd/http.keytab
        ## It is now possible in mod_auth_kerb 5.4 to strip the realm from REMOTE_USER with the following config directive:
        KrbLocalUserMapping On
        KrbVerifyKDC On
        KrbAuthoritative On
        KrbServiceName HTTP
        require valid-user

        RequestHeader set X_REMOTE_USER %{REMOTE_USER}s

        # the small s after {REMOTE_USER} is very important since we are using https. check the mod_headers documentation for insight: http://httpd.apache.org/docs/current/mod/mod_headers.html# (under section "Header Directive")
    </Location>

    RewriteEngine On
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P]
</VirtualHost>

The X_REMOTE_USER header is what the zope server (the webAuthHelper plugin) will later use as the information for authentication.

We have also a namevirtualhost.conf in /etc/httpd/conf.d/ with just one line of content:

NameVirtualHost *:80

Be sure to have the Kerberos keytab file on the apache proxy. To learn about keytab files read the link provided under 1). In our example the keytab is located under /etc/. On the apache proxy we have the following /etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.LOCAL = {
kdc = dc1.domain.local
kdc = dc2.domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

Now our apache proxy sends everything needed to the zope server. You have to enable mod_auth_kerb and mod_rewrite in order to be able to use the needed functionality.

ZENOSS/ZOPE:

Now we have to set up zope so that it can handle the request sent by the client through the apache proxy. For that we install WebServerAuth in our zope instance (https://pypi.python.org/pypi/Products.WebServerAuth). To do so, we switch to the zenoss user (as root: "su - zenoss") and install it with "easy_install Products.WebServerAuth":

[root@zenossserver conf.d]# su - zenoss
[zenoss@zenossserver ~]$ easy_install -U Products.WebServerAuth
[zenoss@zenossserver ~]$ service zenoss restart

After that is done, we have to enable and configure the WebServerAuth component. To do so, access the zope config page under https://zenossserver.domain.local/zport/manage

On the left side, click acl_users and then on the right side, select "WebServerAuth Plugin" from the dropdown and "Add". Then you see a new entry "webAuthHelper" (or whatever you named it in the step before). Click it, go to the tab "Activate" and select all four checkboxes ("Extraction", "Authentication", "Challenge" and "User_Enumeration").

We have additionally configured our Zenoss server to use LDAP as authentication backend. If that's the case you don't have to set up the users in zope manually but you can set up the user with the needed group in the AD and zenoss checks against the AD if you are allowed to login or not. A good how-to to configure that can be found here:

http://community.zenoss.org/message/74331#74331
http://community.zenoss.org/docs/DOC-2510

If you have problems with LDAP <-> Zenoss role mapping check this:
http://community.zenoss.org/message/30124#30124

If you have problems after successful login with a "site error" shown, you could find the following useful:
http://wiki.cementhorizon.com/display/CH/Zenoss+LDAP+Authentication+-+Si...

After that's done you can access the Zenoss page without logging in. As long as you have a valid Kerberos ticket...
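The whole scheme above rests on one trust decision: zope believes whatever the proxy puts into X_REMOTE_USER. That is only safe while the header can come from nobody but the proxy (here Apache proxies to 127.0.0.1:8080 over loopback, so port 8080 must not be reachable from anywhere else), while the header name cannot be confused with a client-supplied one, and while the realm has really been stripped so the value matches the Zenoss account name. The following is an added example of the checks a backend sitting behind such a proxy should apply before accepting the asserted user; it is written for this thread and is not WebServerAuth's code. It assumes the proxy's source address is 127.0.0.1 as in the configuration above, the header name X_REMOTE_USER from the same configuration, and a constructed account-name pattern; the sample requests are constructed.

```python
"""Backend-side validation of a proxy-asserted identity header."""
import re

# Assumption from the thread's setup: Apache proxies to zope over loopback.
TRUSTED_PROXIES = {"127.0.0.1"}
IDENTITY_HEADER = "X_REMOTE_USER"
# Assumed shape of a local account name after KrbLocalUserMapping stripped the realm.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def cgi_name(header_name):
    """RFC 3875 mapping of an HTTP header name to its CGI/WSGI meta-variable.

    Both 'X_REMOTE_USER' and 'X-Remote-User' end up as HTTP_X_REMOTE_USER, so a
    backend keyed on the meta-variable cannot tell the proxy's header from a
    client-supplied look-alike unless it checks for that collision.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def resolve_remote_user(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return (user, reason); user is None whenever the header must not be trusted.

    headers: the raw (name, value) pairs as received on the connection.
    """
    if remote_addr not in trusted_proxies:
        return None, f"identity headers are only accepted from the proxy, not from {remote_addr}"
    wanted = cgi_name(IDENTITY_HEADER)
    candidates = [(name, value.strip()) for name, value in headers if cgi_name(name) == wanted]
    if not candidates:
        return None, f"no {IDENTITY_HEADER} header: check the 'RequestHeader set' line on the proxy"
    if len(candidates) > 1:
        names = ", ".join(name for name, _ in candidates)
        return None, f"ambiguous: {names} all map to {wanted} after CGI normalisation"
    _, user = candidates[0]
    if "@" in user:
        return None, f"realm still attached to {user!r}: KrbLocalUserMapping is not taking effect"
    if not USERNAME_RE.match(user):
        return None, f"rejecting unexpected account-name syntax {user!r}"
    return user, "ok"


# Constructed sample requests: (source address, received headers).
SAMPLE_REQUESTS = [
    ("127.0.0.1", [("Host", "zenossserver.domain.local"), ("X_REMOTE_USER", "username")]),
    ("10.1.2.3", [("Host", "zenossserver.domain.local"), ("X_REMOTE_USER", "username")]),
    ("127.0.0.1", [("X_REMOTE_USER", "username"), ("X-Remote-User", "admin")]),
    ("127.0.0.1", [("X_REMOTE_USER", "username@DOMAIN.LOCAL")]),
    ("127.0.0.1", [("Host", "zenossserver.domain.local")]),
]

if __name__ == "__main__":
    for addr, hdrs in SAMPLE_REQUESTS:
        print(addr, resolve_remote_user(addr, hdrs))
```

Only the first sample yields a user. The second is refused because an identity header from anything other than the proxy is untrusted by definition; the third because Apache's "RequestHeader set X_REMOTE_USER" overwrites a client-sent X_REMOTE_USER but leaves a hyphenated X-Remote-User untouched, and after CGI normalisation the two collide; the fourth because a value with the realm attached will never match the Zenoss account and points at the KrbLocalUserMapping line.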


