@dav3860
Created May 27, 2013 15:10
Kibana (or anything else) on Apache with Kerberos Single Sign-on and LDAP authorization (tested on Centos 6.3)
1) Create a service account for Kerberos on Active Directory (for example: "krbhttpsvc")
2) Create a service account for LDAP on Active Directory (for example: "ldaphttpsvc")
3) Create an SPN for the HTTP service on Active Directory using the ktpass tool (the SPN must be unique in the forest), for example on Windows 2008:
ktpass -princ HTTP/apacheserver.domain.com@DOMAIN.COM
-mapuser krbhttpsvc
-mapOp set -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
-pass <password> -out krb5.keytab
4) Install krb5-libs, krb5-workstation and mod_auth_kerb at a minimum on the Apache server.
In /etc/httpd.conf, you should have:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
5) edit /etc/krb5.conf like this :
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.COM = {
kdc = dc1.domain.com
kdc = dc2.domain.com
admin_server = dc1.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
6) Copy the generated krb5.keytab to /etc/
Test that Kerberos is working with :
kinit username@DOMAIN.COM
and then :
klist
7) edit the Kibana and Elasticsearch Apache config files :
<Directory /var/www/kibana/>
# Allow from 127.0.0.1
# SSLRequireSSL
# [...]
# Kerberos authentication
AuthName "Domain authentication"
AuthType Kerberos
KrbServiceName HTTP
KrbMethodNegotiate on
KrbMethodK5Passwd on
# "off" skips checking password-based logins against the HTTP key in the keytab;
# with KrbMethodK5Passwd on and Krb5KeyTab set, "on" is the safer choice
KrbVerifyKDC off
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/krb5.keytab
# User mapping
# Makes Kerberos pass the right username (without @REALM) to the LDAP module for authorization
# KrbLocalUserMapping needs mod_auth_kerb >= 5.4 (httpd does not accept a comment at the end of a directive line)
KrbLocalUserMapping On
# If mod_auth_kerb < 5.4 the directive is missing: use mod_map_user instead
#MapUsernameRule (.*)@(.*) "$1"
# LDAP authorization
# Allows access to the Domain Admins group and user1 & user2
AuthLDAPURL "ldap://dc1.domain.com dc2.domain.com/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(|(objectClass=user)(objectClass=group))"
AuthLDAPBindDN "CN=ldaphttpsvc,OU=Users,DC=domain,DC=com"
AuthLDAPBindPassword "thesecretpassword"
Require ldap-group cn=Domain Admins,cn=Users,dc=domain,dc=com
Require ldap-user user1
Require ldap-user user2
</Directory>
# The same config should be set for the Elasticsearch <Location>
8) You should proxy Elasticsearch behind Apache with a ProxyPass directive or mod_rewrite. For example, with SSL and mod_rewrite (mod_rewrite, mod_proxy and mod_proxy_http must be loaded as well for the [P] flag to work):
LoadModule ssl_module modules/mod_ssl.so
Listen 443
# [...]
<VirtualHost _default_:443>
# [...]
Alias /kibana /var/www/kibana
RewriteEngine On
# Each rule is only applied when the look-ahead shows an authenticated user (REMOTE_USER is not empty)
RewriteCond %{LA-U:REMOTE_USER} !^$
RewriteRule ^/_aliases$ http://127.0.0.1:9200/_aliases [P,L]
RewriteCond %{LA-U:REMOTE_USER} !^$
RewriteRule ^/(.*)/_search$ http://127.0.0.1:9200/$1/_search [P,L]
RewriteCond %{LA-U:REMOTE_USER} !^$
RewriteRule ^/kibana-int/dashboard/(.*)$ http://127.0.0.1:9200/kibana-int/dashboard/$1 [P,L]
RewriteCond %{LA-U:REMOTE_USER} !^$
RewriteRule ^/kibana-int/temp(.*)$ http://127.0.0.1:9200/kibana-int/temp$1 [P,L]
RewriteLog "/var/log/httpd/rewrite.log"
RewriteLogLevel 1
</VirtualHost>
As stated above, the Elasticsearch <Location> should be secured the same way as the Kibana <Directory>. LDAPS (an ldaps:// AuthLDAPURL) should be preferred too, so the bind password and lookups do not cross the network in clear text.
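A small lint for the kind of <Directory> block shown in step 7 and the LDAPS point just above, added here as an example (not part of the gist): it parses httpd directives from a constructed sample config, flags the trailing comment on a directive line, the KrbVerifyKDC off / KrbMethodK5Passwd on combination, a clear-text ldap:// AuthLDAPURL and a bind password stored in the config. The sample values are made up for the example.

```python
"""Lint the mod_auth_kerb / mod_authnz_ldap directives of an Apache config block."""
import re

# Constructed sample mirroring the gist's <Directory> block (not a real server config).
SAMPLE_CONF = """\
<Directory /var/www/kibana/>
AuthType Kerberos
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbVerifyKDC off
Krb5KeyTab /etc/krb5.keytab
KrbLocalUserMapping On # mod_auth_kerb >= 5.4
AuthLDAPURL "ldap://dc1.domain.com dc2.domain.com/OU=Users,DC=domain,DC=com?sAMAccountName?sub"
AuthLDAPBindPassword "thesecretpassword"
Require ldap-group cn=Domain Admins,cn=Users,dc=domain,dc=com
</Directory>
"""

def parse_directives(conf):
    """Yield (name, value) for directive lines; skip blanks, comments and <section> tags."""
    for line in conf.splitlines():
        s = line.strip()
        if s and not s.startswith(("#", "<")):
            name, _, value = s.partition(" ")
            yield name.lower(), value.strip()

def lint(conf):
    """Return (code, message) findings for the Kerberos/LDAP directives in conf."""
    findings = []
    values = {}
    for name, value in parse_directives(conf):
        values[name] = value.lower().strip('"')
        # httpd has no trailing comments: text after the value is parsed as extra arguments
        if re.search(r"\s#", value):
            findings.append(("trailing-comment", f"{name}: move the '# ...' comment to its own line"))
    if values.get("krbverifykdc") == "off" and values.get("krbmethodk5passwd") == "on":
        findings.append(("kdc-unverified", "KrbVerifyKDC off with KrbMethodK5Passwd on: password "
                         "logins are never checked against Krb5KeyTab; set KrbVerifyKDC on"))
    if values.get("authldapurl", "").startswith("ldap://"):
        findings.append(("ldap-cleartext", "AuthLDAPURL uses ldap://: the bind password and "
                         "lookups cross the network in clear text; use ldaps://"))
    if "authldapbindpassword" in values:
        findings.append(("bind-password-in-conf", "AuthLDAPBindPassword is stored in plain "
                         "text; keep the config file readable by root only"))
    return findings

if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONF):
        print(f"[{code}] {msg}")
```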
Hope this helps...