-
Notifications
You must be signed in to change notification settings - Fork 1
Nginx module for SPNEGO/GSS(API)/Kerberos aka MS Windows (TM) Single Sign-on (TM) authentication.
License
ypb/ngx_http_auth_sso_module
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
ngx_http_auth_sso_module - single sign-on authentication module for Nginx ============================================================================== What is it? ----------- This is a port of version 0.0.5 of Apache mod_auth_gss_krb5 module (see https://modgssapache.sf.net) to Nginx (see https://nginx.org). It enables handling of the so called "Single Sign-on" authentication. Technically speaking it uses Simple and Protected Generic Security Service Application Program Interface (GSS-API - see RFC 2743) Negotiation Mechanism (SPNEGO - see RFC 4178) in Kerberos (see RFC 4120) enabled environments (like the so called MS Active Directory) to permit browsing of restricted content through HTTP after only authenticating to the system once upon logging into workstation or other terminal. Compilation ----------- First you need to install the spnegohelp dynamic library. Executing 'make' in that sub-directory should compile it. Next put it by hand in a place where linker and loader can find it (most probably '/usr/lib' by default or you may prefer using '/usr/local/lib' in order to not pollute system with non-packaged software). When compiling Nginx from source build as usual adding another add-module option to the command: ./configure --add-module=PATH_TO_NGX_HTTP_AUTH_SSO_MODULE_DIRECTORY executed inside top of the Nginx source directory. Configuration ------------- The module has following directives: - auth_gss: "on"/"off", defaults to "off" even if you set other options, - auth_gss_realm: what Kerberos realm name to use, for now only used to remove it from fully qualified user@REALM names, (default: LOCALDOMAIN) - auth_gss_keytab: absolute path-name to keytab file containing service credentials, (default: /etc/krb5.keytab) - auth_gss_service_name: what service name to use when acquiring credentials, (default: HTTP) TOFIX: should be a list in case of some other browsers asking for "khttp" or "http" - auth_gss_format_full: "on"/"off", preserve @REALM part in user name added to the http header upon successful authentication. (default: off) all switches are hierarchy aware supporting http, server and location scope. Example ------- http { auth_gss_realm MY.LOCAL.DOMAIN.TM; auth_gss_keytab /usr/local/nginx/conf/krb5.keytab; auth_gss_service_name HTTP; auth_gss_format_full on; server { location /topsecret { auth_gss on; } }} Additional notes... ------------------- TOFIX: add instructions on how to create the service keytab and other important notes about otherwise setting up the environment.
About
Nginx module for SPNEGO/GSS(API)/Kerberos aka MS Windows (TM) Single Sign-on (TM) authentication.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published