[omd-users] AD Single Sign On

FRANK Michael michael.frank at faurecia.com
Thu Jun 22 09:44:33 CEST 2017

Hello Dirk,

I have that also on my roadmap but didn't find the time to get deeper into that. For SSO we are planning to use AD accounts and Kerberos.
For the Kerberos implementation on system level I could recommend PBIS Open (https://www.beyondtrust.com/products/powerbroker-identity-services-open/)
You need to create a service principal name in HTTP/www.example.com in your domain and download the keytab file to your host.
Finally the configuration needs to be done in the web server. You need to load and configure a Kerberos module to make it happen.

Possibly something like that:

LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

Example config for Kerberos:
<Location /SITENAME>
  AuthType Kerberos
  AuthName "Acme Corporation"
  # Accept SPNEGO/Negotiate tickets only; no password fallback
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  # Keytab exported for the HTTP/ service principal
  Krb5Keytab /etc/apache2/http.keytab
  Require user dougal@EXAMPLE.COM brian@EXAMPLE.COM ermintrude@EXAMPLE.COM dylan@EXAMPLE.COM
</Location>

As I said, I never found the time to test this and it's just a collection of information, but I hope it helps and would be happy to get feedback from you.



From: omd-users [mailto:omd-users-bounces at lists.mathias-kettner.de] On Behalf Of Dirk Laurenz
Sent: Wednesday, 21 June 2017 09:49
To: omd-users at lists.mathias-kettner.de
Subject: [omd-users] AD Single Sign On

Hello @All,

just want to ask - has anyone already connected omd to an AD to use SSO?
I found several manuals regarding parts of omd, but not omd as a whole....
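
A check that could be run once the keytab and the Location block from the reply above are in place, as an added example that is not part of the original thread: it reads the config, confirms the keytab exists and is not accessible to other users, that password fallback is off, and that a Require line is present. The function names and the sample config are constructed for illustration; the directive names are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a mod_auth_kerb config.

# Print the last value of directive $2 in file $1 (names are case-insensitive).
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Print one line per finding; the exit status is the number of findings.
audit_kerb_conf() {
    conf=$1
    n=0
    kt=$(directive "$conf" Krb5Keytab)
    if [ -z "$kt" ] || [ ! -f "$kt" ]; then
        echo "keytab missing or not configured: ${kt:-<unset>}"; n=$((n + 1))
    elif [ "$(ls -ld "$kt" | cut -c8-10)" != "---" ]; then
        # The keytab holds the long-term key of the HTTP/ service principal.
        echo "keytab is accessible to other users: $kt"; n=$((n + 1))
    fi
    # mod_auth_kerb enables password fallback unless it is switched off.
    if [ "$(directive "$conf" KrbMethodK5Passwd | tr 'A-Z' 'a-z')" != "off" ]; then
        echo "KrbMethodK5Passwd is not off: password (Basic) fallback is enabled"
        n=$((n + 1))
    fi
    if [ -z "$(directive "$conf" Require)" ]; then
        echo "no Require directive: access is not restricted to authenticated users"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample config; $1 is the keytab path, $2 the K5Passwd setting.
sample_conf() {
    cat <<EOF
<Location /SITENAME>
  AuthType Kerberos
  KrbMethodNegotiate on
  KrbMethodK5Passwd ${2:-off}
  Krb5Keytab $1
  Require user dougal@EXAMPLE.COM
</Location>
EOF
}

# Stand-alone use: sh audit.sh /path/to/site.conf
if [ "$#" -gt 0 ]; then audit_kerb_conf "$1"; fi
```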

