#The Broker side of the configuration requires the mod_auth_kerb package to be
#installed.

#Apart from that you must also have a kerberos kdc setup.  The service host
#needs to have a service principle added for the OpenShift broker proxy (httpd)
#server.  Once a service principle is created, you'll want to add it to the kdc
#keytab file.  Once added to the kdc keytab file, you'll want to extract the
#keytab file to the OpenShift broker proxy and point to this extracted keytab
#file in the OpenShift broker proxy httpd configuration file.

Steps to perform on the kdc:
1) #install the krb packages
yum install krb5-workstation krb5-server krb5-libs

2) #create the principle db
kdb5_util create -s

3) #add the service principle
kadmin.local -q "addprinc HTTP/www.example.com"

4) #add a user principle
kadmin
kadmin: addprinc user@EXAMPLE.COM

5) #add the service principle to the kdc keytab
kadmin
kadmin: ktadd HTTP/www.example.com

6) #configure the OpenShift broker proxy krb5 client, you can use something similar to the following:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = yes
 default_keytab_name = FILE:/var/www/openshift/broker/http/conf.d/http.keytab

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
  default_domain = EXAMPLE.COM
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

7) #make sure you can run kinit HTTP/www.example.com successfully.  If you can, it's time to extract the keytab file for the service principle on the OpenShift broker.
kadmin
kadmin: ktadd -k /var/www/openshift/broker/httpd/conf.d/http.keytab HTTP/www.example.com

8) #change the ownership of the keytab so it's readable by the httpd process
chown apache.apache /var/www/openshift/broker/httpd/conf.d/http.keytab

9) #use the provided openshift-origin-auth-remote-user-kerberos.conf.sample file (change if necessary to reflect your service principle service name), rename the sample file (take off the .sample extension)
mv openshift-origin-auth-remote-user-kerberos.conf.sample openshift-origin-auth-remote-user-kerberos.conf

10) #restart the OpenShift broker service
service openshift-broker restart
