Ad Widget

**boy01** · 05-02-2010, 07:16

Originally posted by jarek

Hi all!
I've successfully integrated Zabbix with Windoze domain via kerberos. Now I have full SSO

Above works w/ minor changes on our 64-bit 5.4 CentOS and zabbix server 1.6.6:

Our .htaccess file:

Code:

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms <domain name>
require valid-user
Krb5Keytab /etc/krb5.zabbixkerberos.keytab
KrbSaveCredentials off
KrbMethodNegotiate on
KrbMethodK5Passwd on

Following change in above index.php patch (comment one line and add one line):

Code:

                 elseif(isset($_SERVER['AUTH_TYPE']) && ($_SERVER'AUTH_TYPE']=='Negotiate')){
                        //if(!isset($sessionid)) $_REQUEST['enter'] = 'Enter';
                       $_REQUEST['enter'] = 'Enter';
                       $user_parts = explode('@',$_SERVER['REMOTE_USER']);

User has already been authenticated w/ kerberos If we have Negotiate.
Just let him/her Enter to zabbix.

Also minor change avoiding login loop (index.php):

Code:

               redirect('logout.php');
               //redirect('index.php');
               die();

Thanks!

**jarek** · 21-04-2010, 10:35

Integration with release

Is there any chance, that changes to index.php it will be integrated with official release ? I need to apply changes manually after every upgrade.

**treydock** · 22-04-2011, 03:43

Kerberos login (SSO)

Thanks both of you !!! I can confirm the above works running CentOS 5.6 x64 and Zabbix 1.8.5. For me I had to install the mod_auth_kerb package. Also you have to have a working /etc/krb5.conf file. It's easy to check if your krb5.conf is valid by doing...

kinit [email protected]

be sure to capitalize DOMAIN.COM. Then the klist command will show if the ticket was created. Both the kinit and klist commands require that krb5-workstation be installed.

I used the code provided by jarek with the included change by boy01.

Since my Apache server and zabbix frontend are using virtual hosts I made the .htaccess changes in my virtual host declaration.

Code:

       <Directory /var/www/html/zabbix>
                SSLRequireSSL
                AllowOverride All
                AuthType Kerberos
                AuthName "Kerberos Login"
                KrbVerifyKDC off

                require valid-user
        </Directory>

The Kerberos server's here at my University do not give out a trust very easily and so I don't use a keytab file. Since I don't use a keytab file I had to use the KrbVerifyKDC off option to keep Apache from checking that. Otherwise I'd get an failed to verify krb5 credentials: Server not found in Kerberos database. Also I omitted the KrbAuthRealms option because Apache will use the default domain specified in the /etc/krb5.conf file.

I go into greater detail on my blog here, http://itscblog.tamu.edu/kerberos-an...on-for-zabbix/ .

- Trey

**sire** · 26-04-2011, 11:13

Originally posted by jarek

Is there any chance, that changes to index.php it will be integrated with official release ? I need to apply changes manually after every upgrade.

Register and fill in a feature request ticket at ZABBIX Support System

**zalex_ua** · 18-03-2013, 16:42

Probably it is - https://support.zabbix.com/browse/ZBX-3779

Ad Widget

Kerberos login (SSO)

Kerberos login (SSO)

Comment

Comment

Comment

Comment

Comment