Dear Aleksey,
Please open a bug report for this:
https://github.com/Graylog2/graylog-plugin-auth-sso/issues
Thank you
From: Aleksey Chudov
Reply-To: graylog2@googlegroups.com
Date: 15 September 2016 at 09:32:52
To: Graylog Users
Subject: [graylog2] Re: Graylog Kerberos Single Sign-On Configuration
Dear Graylog developers,
Should I register a bug or a feature request on this issue?
Aleksey
On Thursday, September 8, 2016 at 2:23:00 PM UTC+3, Aleksey Chudov wrote:
Hi,
Thanks for the SSO Authentication Plugin for Graylog!
I'm trying to set up Kerberos Single Sign-On to Graylog 2.1 on my Apache HTTP
Server proxy.
My current Apache HTTP Server proxy configuration:
SSLRequireSSL
RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
First of all I've created user ad...@example.com via Graylog WEB UI
/system/authentication/users and configured SSO Plugin
/system/authentication/config/sso to trust X-Remote-User HTTP header.
To test that the SSO plugin works as expected I've added a static header to my
configuration:
SSLRequireSSL
RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
RequestHeader set X-Remote-User "ad...@example.com"
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
With the above configuration I always log in as ad...@example.com without
being prompted for a password.
So, the Kerberos part uses mod_auth_gssapi
https://github.com/modauthgssapi/mod_auth_gssapi
SSLRequireSSL
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
GssapiUseSessions On
Require valid-user
RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
RequestHeader set X-Remote-User %{REMOTE_USER}s
Session On
SessionCookieName gssapi_session path=/;httponly;secure;
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
With the above configuration Apache HTTP Server authenticates me as
ad...@example.com but the Graylog API session is not authorized:
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:20 +0300] "GET /assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.3
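
Added example, not part of the original thread or of the Graylog project: a small Python script that tabulates an Apache access log like the one above by request path and by whether the remote-user field was filled in, which makes it easy to see which 401 responses belong to requests that Apache logged without an authenticated user. It assumes the combined log format with the remote user in the third field; the sample lines are constructed from the log in the post and user@example.com is a placeholder.

```python
import re
from collections import defaultdict

# Combined log format: host ident user [time] "method path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample modelled on the log in the post; the user name is a placeholder.
SAMPLE_LOG = """\
192.168.0.133 - user@example.com [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0"
192.168.0.133 - user@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0"
192.168.0.133 - user@example.com [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0"
this line is not an access log entry
"""


def summarize(log_text):
    """Return ({path: {"with_user": [statuses], "without_user": [statuses]}}, skipped)."""
    summary = defaultdict(lambda: {"with_user": [], "without_user": []})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed or truncated entry, counted but not parsed
            continue
        bucket = "without_user" if m["user"] == "-" else "with_user"
        summary[m["path"]][bucket].append(int(m["status"]))
    return dict(summary), skipped


def unauthenticated_401_paths(log_text):
    """Paths whose 401 responses came only from requests logged without a remote user."""
    summary, _ = summarize(log_text)
    return sorted(
        path for path, s in summary.items()
        if 401 in s["without_user"] and 401 not in s["with_user"]
    )


if __name__ == "__main__":
    for path, statuses in summarize(SAMPLE_LOG)[0].items():
        print(path, statuses)
    print("401 only without remote user:", unauthenticated_401_paths(SAMPLE_LOG))
```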