Kerberos Single Sign-on



I just got Re:Dash working with Kerberos Single Sign-on in an Active Directory Environment and wanted to share my results.

This makes use of the fairly undocumented feature in re:Dash: REMOTE_USER_LOGIN_ENABLED. With this enabled, Re:dash trusts a proxy to send a valid and pre-authenticated username as a header.

Since I wanted to use Kerberos, I opted to switch out nginx with Apache. Apache is not as optimal as nginx; however, it does provide the module I needed: mod_auth_kerb.

The biggest problem with mod_auth_kerb is that the usernames are suffixed with the Kerberos realm and thus may not be valid emails. They were not for us. The solution was to use an option to strip the realm and manually append our domain after the username. This works because our usernames and mailboxes use the same name. Other setups may be different.

Kerberos can be a real pain to set up. I used Centrify DirectControl to help. With this, I can join my Linux box to the Windows domain and it automatically sets up the Kerberos config file, /etc/krb5.conf, and populates the keytab, /etc/krb5.keytab. No having to mess around with ktpass on the domain controller and manually adding SPNs. This can be done manually and there are several how-tos out there.

## Steps:

  1. Remove or disable nginx
  2. Install apache with mod_auth_kerb
  3. Install Centrify DirectControl.
  4. Change permissions on /etc/krb5.keytab so that it is readable by the apache user
  5. Configure Apache (see configuration below)
    1. mod_auth_kerb to point to system keytab: /etc/krb5.keytab
    2. Configure apache as a proxy
    3. Configure the /remote_user/login url to require and forward a valid credential
  6. Configure re:dash to use remote_user login (do not disable password login yet)
  7. Log in using the “remote user” link on the main login page to create the user
  8. Using the admin login, grant the newly created account admin privilege
  9. Disable password login in re:dash

## My configuration files:
#### Apache configuration:

```apache
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Setup proxy
        ProxyPass "/" "http://127.0.0.1:5000/"
        ProxyPassReverse "/" "http://127.0.0.1:5000/"
        ProxyPreserveHost On

        # Extra Headers for re:Dash
        RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

        # Add domain name to create an email from a username
        RequestHeader set X-Forwarded-Remote-User expr=%{REMOTE_USER}@mydomain.org

        # logging. Very useful for debugging kerberos errors
        #LogLevel debug

        # Require kerberos just for the remote_user login
        # Other pages protected by auth cookie set by re:dash
        <ProxyMatch https?://[^/]+/remote_user/login>
                AuthType Kerberos
                KrbMethodNegotiate on
                KrbMethodK5Passwd Off

                # Strip kerberos realm from login name
                KrbLocalUserMapping on

                # This is needed for Centrify as mod_auth_kerb defaults to HTTP
                KrbServiceName http

                Require valid-user
        </ProxyMatch>

</VirtualHost>
```

#### Redash .env:

```shell
export REDASH_REMOTE_USER_LOGIN_ENABLED=true
# only disable after you have granted Admin rights to a domain user
# export REDASH_PASSWORD_LOGIN_ENABLED=false
```

If you have any questions, I would be happy to answer them
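As an added example that is not part of the post or of Redash itself, the Python below models the trust boundary the setup relies on: the username-to-email mapping Apache performs with KrbLocalUserMapping plus the RequestHeader expr, and the check that X-Forwarded-Remote-User is honoured only when the request actually arrived from the proxy on 127.0.0.1. The header name, proxy address and mydomain.org come from the configuration above; the WSGI wrapper is an assumed stand-in for the backend, not Redash's own login code.

```python
import re

# Values taken from the post's Apache configuration.
TRUSTED_PROXIES = frozenset({"127.0.0.1"})   # peer address of ProxyPass traffic
MAIL_DOMAIN = "mydomain.org"                  # appended by the RequestHeader expr
HEADER_KEY = "HTTP_X_FORWARDED_REMOTE_USER"   # WSGI spelling of the header
# Plain local username only; rejects separators, paths and empty input.
_USER_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$", re.IGNORECASE)


def principal_to_email(principal, domain=MAIL_DOMAIN):
    """Mirror KrbLocalUserMapping plus the header expr:
    'jdoe@CORP.EXAMPLE' -> 'jdoe@mydomain.org' (realm-less input works too).
    Returns None unless the local part is a plain username."""
    local = principal.split("@", 1)[0]
    if not _USER_RE.fullmatch(local):
        return None
    return f"{local.lower()}@{domain}"


def trusted_remote_user(environ, trusted=TRUSTED_PROXIES):
    """Return the asserted email only if the TCP peer is the Kerberos-fronting
    proxy and the value is '<user>@MAIL_DOMAIN'; otherwise None (anonymous).
    A request that reached :5000 without passing Apache never gets a user."""
    if environ.get("REMOTE_ADDR") not in trusted:
        return None
    raw = environ.get(HEADER_KEY, "")
    if "@" not in raw:
        return None
    local, domain = raw.rsplit("@", 1)
    if domain.lower() != MAIL_DOMAIN or not _USER_RE.fullmatch(local):
        return None
    return f"{local.lower()}@{domain.lower()}"


class RemoteUserGuard:
    """Assumed WSGI wrapper (not Redash code): drop the header unless
    trusted_remote_user accepts it, so the app downstream can rely on it."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, trusted

    def __call__(self, environ, start_response):
        user = trusted_remote_user(environ, self.trusted)
        environ.pop(HEADER_KEY, None)
        if user:
            environ[HEADER_KEY] = user
        return self.app(environ, start_response)
```

Binding the Redash process to 127.0.0.1 only, as the ProxyPass target above implies, is what makes the peer-address check meaningful.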