Apache SSO

first make AD account

in powershell admin run :

ktpass /princ HTTP/ticket.mabnaco.local@MABNACO.LOCAL /mapuser zammad /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 123456 -SetPass +DumpSalt /target pdc01.mabnaco.local /out zammad.keytab

Successfully mapped HTTP/ticket.mabnaco.local to zammad. Building salt with principalname HTTP/ticket.mabnaco.local and domain MABNACO.LOCAL (encryption type 18)... Hashing password with salt "MABNACO.LOCALHTTPticket.mabnaco.local". Key created. Output keytab to zammad.keytab: Keytab version: 0x502 keysize 90 HTTP/ticket.mabnaco.local@MABNACO.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x12 (AES256-SHA1) keylength 32 (0x539a24f8627ff3e7c95c015f5548c24e65a77369f20f6eca97dfc2c88bace3d8)

Copy the zammad.keytab file to your host with right permission

chown www-data:www-data /etc/apache2/zammad.keytab
chmod 400 /etc/apache2/zammad.keytab

#
# this is an example apache 2.4 config for zammad
# Please visit https://docs.zammad.org for further input on how to configure
# your apache to work with Zammad
#

# security - prevent information disclosure about server version
ServerTokens Prod

<VirtualHost *:80>
    ServerName ticket.mabnaco.local
    Redirect / https://ticket.mabnaco.local/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    SSLCertificateFile /etc/ssl/zammad.cer
    SSLCertificateKeyFile /etc/ssl/zammad.key
#    SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem

    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName ticket.mabnaco.local

    ## don't loose time with IP address lookups
    HostnameLookups Off

    ## needed for named virtual hosts
    UseCanonicalName Off

    ## configures the footer on server-generated documents
    ServerSignature Off

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy 127.0.0.1:3000>
      Require local
    </Proxy>

    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /apple-touch-icon.png !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://127.0.0.1:6042/
    ProxyPass / http://127.0.0.1:3000/

    # change this line in an SSO setup
#    RequestHeader unset X-Forwarded-User

    # Use settings below if proxying does not work and you receive HTTP-Errror 404
    # if you use the settings below, make sure to comment out the above two options
    # This may not apply to all systems, applies to openSuse
    #ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
    #ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"

    DocumentRoot "/opt/zammad/public"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
	      Require all granted
    </Directory>

<LocationMatch "/auth/sso">
#   SSLRequireSSL
   AuthType Kerberos
   AuthName "Your Zammad"
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthRealms MABNACO.LOCAL
   KrbLocalUserMapping on                 # strips @REALM suffix from REMOTE_USER variable
   KrbServiceName HTTP/ticket.mabnaco.local
   Krb5KeyTab /etc/apache2/zammad.keytab
   require valid-user

   RewriteEngine On
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1,NS]
   RequestHeader set X-Forwarded-User "%{RU}e" env=RU
</LocationMatch>

</VirtualHost>

PreviousZammad and Xmpp NextUnacceptable TLS Certificate

Last updated 4 years ago

Was this helpful?

# # this is an example apache 2.4 config for zammad # Please visit https://docs.zammad.org for further input on how to configure # your apache to work with Zammad # # security - prevent information disclosure about server version ServerTokens Prod <VirtualHost *:80> ServerName ticket.mabnaco.local Redirect / https://ticket.mabnaco.local/ </VirtualHost> <VirtualHost *:443> SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCertificateFile /etc/ssl/zammad.cer SSLCertificateKeyFile /etc/ssl/zammad.key # SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem # replace 'localhost' with your fqdn if you want to use zammad from remote ServerName ticket.mabnaco.local ## don't loose time with IP address lookups HostnameLookups Off ## needed for named virtual hosts UseCanonicalName Off ## configures the footer on server-generated documents ServerSignature Off ProxyRequests Off ProxyPreserveHost On <Proxy 127.0.0.1:3000> Require local </Proxy> ProxyPass /assets ! ProxyPass /favicon.ico ! ProxyPass /apple-touch-icon.png ! ProxyPass /robots.txt ! ProxyPass /ws ws://127.0.0.1:6042/ ProxyPass / http://127.0.0.1:3000/ # change this line in an SSO setup # RequestHeader unset X-Forwarded-User # Use settings below if proxying does not work and you receive HTTP-Errror 404 # if you use the settings below, make sure to comment out the above two options # This may not apply to all systems, applies to openSuse #ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On" #ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On" DocumentRoot "/opt/zammad/public" <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory "/opt/zammad/public"> Options FollowSymLinks Require all granted </Directory> <LocationMatch "/auth/sso"> # SSLRequireSSL AuthType Kerberos AuthName "Your Zammad" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms MABNACO.LOCAL KrbLocalUserMapping on # strips @REALM suffix from REMOTE_USER variable KrbServiceName HTTP/ticket.mabnaco.local Krb5KeyTab /etc/apache2/zammad.keytab require valid-user RewriteEngine On RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1,NS] RequestHeader set X-Forwarded-User "%{RU}e" env=RU </LocationMatch> </VirtualHost>