[zanata-users] Auth with kerberos

Ramann, Björn Bjoern.Ramann at governikus.de
Tue Sep 22 13:36:03 UTC 2015


Ok thanks.

Is there another way to authorize users against a Windows Active Directory?




From: Carlos Munoz [mailto:camunoz at redhat.com]
Sent: Tuesday, 22 September 2015 14:32
To: Ramann, Björn
Cc: zanata-users at redhat.com
Subject: Re: [zanata-users] Auth with kerberos

Hi Bjorn,

Kerberos authentication is tricky to debug as so many things can go wrong. I can make a couple of suggestions though:

1. It looks like you are running on Linux, so try looking at your /etc/krb5.conf file on the server. It should contain your kerberos authentication information including the locations of KDCs and admin servers for the Kerberos realms of interest.

2. Since you have debug set to true on the configuration below, take a look at the Zanata logs when attempting to log in, they usually have some indication of what might have gone wrong.

Regards,

Carlos

On Tuesday, 22 September 2015, Ramann, Björn <Bjoern.Ramann at governikus.de> wrote:
Hi all,

I am trying to authenticate users with Kerberos against our Windows Active Directory and have configured:

<bindings>
    <!-- <simple name="java:global/zanata/security/auth-policy-names/internal" value="zanata.internal"/> -->
    <!-- <simple name="java:global/zanata/security/auth-policy-names/openid" value="zanata.openid"/> -->
    <simple name="java:global/zanata/security/auth-policy-names/kerberos" value="zanata.kerberos"/>
    <simple name="java:global/zanata/security/admin-users" value="admin"/>
    <simple name="java:global/zanata/files/document-storage-directory" value="${user.home}/zanata/files"/>
    <simple name="java:global/zanata/email/default-from-address" value="noreply@blub.com"/>
</bindings>
…

<security-domain name="zanata.kerberos">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="sufficient">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
            <module-option name="removeRealmFromPrincipal" value="true"/>
            <module-option name="usernamePasswordDomain" value="krb5"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="krb5">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient">
            <module-option name="storePass" value="false"/>
            <module-option name="clearPass" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="doNotPrompt" value="false"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="host">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
            <module-option name="keyTab" value="/opt/zanata/wildfly/standalone/configuration/jboss.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>


But on the page, when I press login, I get a 403 and there is no field to type my credentials in.

Soft:
13:25:45,457Z INFO  [org.quartz.core.QuartzScheduler] (ServerService Thread Pool -- 58) Scheduler DefaultQuartzScheduler_$_NON_CLUSTERED started.
13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) App server release codename: Kenny
13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) App server release version: 1.0.1.Final
13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) WildFly Full version: 9.0.1.Final
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) ============================================
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)    _____                     _
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   /__  /  ____ _____  ____ _/ /_____ _
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)     / /  / __ `/ __ \/ __ `/ __/ __ `/
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)    / /__/ /_/ / / / / /_/ / /_/ /_/ /
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   /____/\__,_/_/ /_/\__,_/\__/\__,_/
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   Application version: 3.7.2
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   SCM: git-server-3.7.2
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   Red Hat Inc 2008-2015
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) ============================================
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) SPNEGO/Kerberos authentication: enabled
13:25:45,759Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) Enable copyTrans: true


Please advise!

Thanks
bjoern




--
Carlos A. Muñoz
Software Engineering Supervisor
Globalization
Red Hat
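Carlos's two suggestions (inspect /etc/krb5.conf, and read the Krb5LoginModule debug output) both come down to one question: do the three WildFly security domains and krb5.conf describe the same realm and KDC? The following script is an added example, not Zanata's or WildFly's code, that cross-checks a standalone.xml fragment against a krb5.conf before anyone looks at a debug log. Both inputs are constructed samples modelled on the thread; the hostnames, realm name and keytab path are placeholders.

```python
"""Consistency check between WildFly Kerberos security-domains and krb5.conf.

Added example, not Zanata's or WildFly's code. Both inputs are constructed
samples modelled on the thread; hostnames, realm and paths are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed krb5.conf sample (placeholder realm and KDC).
KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.COM
[realms]
    DOMAIN.COM = {
        kdc = dc01.domain.com
        admin_server = dc01.domain.com
    }
"""

# Constructed standalone.xml fragment mirroring the thread's three domains.
STANDALONE_XML = """\
<subsystem>
 <security-domain name="zanata.kerberos"><authentication>
  <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="sufficient">
   <module-option name="serverSecurityDomain" value="host"/>
   <module-option name="usernamePasswordDomain" value="krb5"/>
  </login-module></authentication></security-domain>
 <security-domain name="krb5"><authentication>
  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient">
   <module-option name="debug" value="true"/>
  </login-module></authentication></security-domain>
 <security-domain name="host"><authentication>
  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
   <module-option name="useKeyTab" value="true"/>
   <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
   <module-option name="keyTab" value="/opt/zanata/wildfly/standalone/configuration/jboss.keytab"/>
  </login-module></authentication></security-domain>
</subsystem>
"""


def parse_krb5_conf(text):
    """Parse krb5.conf's INI-with-braces syntax into nested dicts.

    [realms] blocks become nested dicts; a key repeated inside one block
    (several kdc lines) is collected into a list.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            elif key in stack[-1]:
                old = stack[-1][key]
                stack[-1][key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                stack[-1][key] = value
    return conf


def login_module_options(xml_text):
    """Map security-domain name -> module-option name/value (one login module per domain assumed)."""
    return {
        sd.get("name"): {mo.get("name"): mo.get("value") for mo in sd.iter("module-option")}
        for sd in ET.fromstring(xml_text).iter("security-domain")
    }


def check_kerberos_setup(krb5_text, xml_text):
    """Cross-check the SPNEGO and Krb5 domains against krb5.conf; [] means consistent."""
    conf, domains = parse_krb5_conf(krb5_text), login_module_options(xml_text)
    findings = []
    spnego = next((d for d in domains.values() if "serverSecurityDomain" in d), None)
    if spnego is None:
        return ["no login module sets serverSecurityDomain (SPNEGOLoginModule missing?)"]
    # The SPNEGO module refers to two other domains by name; both must exist.
    for opt in ("serverSecurityDomain", "usernamePasswordDomain"):
        if spnego.get(opt) not in domains:
            findings.append(f"{opt}={spnego.get(opt)!r} names no existing security-domain")
    host = domains.get(spnego.get("serverSecurityDomain"), {})
    principal = host.get("principal", "")
    m = re.fullmatch(r"HTTP/([^@/]+)@([^@]+)", principal)
    if not m:
        return findings + [f"principal {principal!r} is not of the form HTTP/<host>@<REALM>"]
    realm = m.group(2)
    # The realm in the service principal must be the one krb5.conf knows how to reach.
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm != realm:
        findings.append(f"default_realm {default_realm!r} differs from principal realm {realm!r}")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"no kdc listed for realm {realm!r} in [realms]")
    if host.get("useKeyTab") != "true" or not host.get("keyTab"):
        findings.append("server domain must set useKeyTab=true and a keyTab path")
    return findings
```

Run `check_kerberos_setup(open("/etc/krb5.conf").read(), open("standalone.xml").read())` on a real server; an empty list means the realm, KDC and keytab settings at least agree with each other, so a remaining 403 is worth chasing in the debug log rather than in the config files.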