Disclaimer by dj: this is not meant to be a translation of the original French article, since I neither understand a word of French nor do I run GLPI on a Windows machine. However, I mainly kept the code patches and the structure of the original document and filled in the configuration instructions as I know them to work for a GLPI/Mandriva setup.
You have surely seen SSO scenarios where users accessing ASP content do not need to authenticate but seem to be authenticated magically through their Windows logon context. You can use the same type of Single Sign-On integrated authentication for your GLPI Windows clients in a domain.
This Howto uses Apache 2 and GLPI configured for external LDAP authentication with Active Directory. Use Internet Explorer for testing; however, recent Firefox versions also support integrated authentication using NTLM.
The configuration where the described changes have been confirmed functioning is as follows:
- GLPI 0.68.3 with AD authentication against a Windows Server 2003 directory
- Internet Explorer 6 SP2 or Internet Explorer 7
- Apache 2.2.3 / MySQL 5.0.24a / PHP 5.1.6
You have to install and activate the mod_ntlm module. It will probably be included with your distribution. Configure it according to your distribution's documentation or check out the mod_ntlm home page for further information.
The basic approach:
- check that the mod_ntlm module is loaded by Apache on startup
- add the NTLM directives
The NTLM directives for your GLPI host might look like this:
    #glpi configuration
    <Directory "/var/www/vhosts.d/glpi">
        Options None
        Order allow,deny
        Allow from all
        NTLMAuth on
        NTLMAuthoritative off
        NTLMDomain DOMAIN
        NTLMServer SRV1
        NTLMBackup SRV2
        NTLMLockfile /tmp/ntlmauth.lck
        AuthName NTAuth
        AuthType NTLM
        require valid-user
        Satisfy all
    </Directory>

    # Turn off authentication for all subdirectories
    # as a workaround to the Firefox/NTLM problem
    # (the path must be the GLPI directory above, followed by /*)
    <Directory "/var/www/vhosts.d/glpi/*">
        Satisfy Any
        Allow from all
    </Directory>
Please note that due to limitations in the mod_ntlm code, NTLMServer and NTLMBackup have to be names and not IP addresses. The basic issue here is that mod_ntlm strips everything after the first dot and passes the single-label part as the “Called Name” within the Session Request packet. So if, for example, you use “192.168.1.1”, mod_ntlm would request the resource “192”, which will be refused by the server unless it happens to be named “192” or has StrictNameChecking disabled.
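To check a candidate NTLMServer/NTLMBackup value before it goes into httpd.conf, here is an added example (not from the page and not mod_ntlm's own source) that reproduces the name handling described above and shows the RFC 1002 encoded form the Called Name takes on the wire; the sample host names and the 0x20 service suffix are assumptions.

```php
<?php
// Added example: derive the NetBIOS "Called Name" mod_ntlm would send for a given
// server value and flag values that cannot work.

// mod_ntlm keeps only the label before the first dot; NetBIOS names are upper-case.
function ntlm_called_name(string $server): string
{
    return strtoupper(explode('.', $server, 2)[0]);
}

// RFC 1002 first-level encoding of a NetBIOS name as carried in the Session Request:
// pad to 15 bytes with spaces, append the service suffix byte, then write each byte
// as two nibbles in the range 'A'..'P'. Suffix 0x20 (server service) is an assumption.
function netbios_encode_name(string $name, int $suffix = 0x20): string
{
    $raw = str_pad(substr($name, 0, 15), 15, ' ') . chr($suffix);
    $out = '';
    foreach (str_split($raw) as $ch) {
        $b = ord($ch);
        $out .= chr(0x41 + ($b >> 4)) . chr(0x41 + ($b & 0x0F));
    }
    return $out;
}

// Returns the Called Name that would be sent plus a problem description, or null
// as the problem when the value is a plain single-label host name of usable length.
function check_ntlm_server(string $server): array
{
    $called = ntlm_called_name($server);
    $problem = null;
    if (filter_var($server, FILTER_VALIDATE_IP) !== false) {
        $problem = "IP address: the server would be asked for the name '$called'";
    } elseif (strpos($server, '.') !== false) {
        $problem = "FQDN: truncated to '$called' at the first dot";
    } elseif (strlen($called) > 15) {
        $problem = "longer than the 15 characters a NetBIOS name allows";
    }
    return ['called_name' => $called, 'encoded' => netbios_encode_name($called), 'problem' => $problem];
}

// Constructed sample values: a bare name, an FQDN and the IP address from the text.
foreach (['SRV1', 'srv1.example.local', '192.168.1.1'] as $value) {
    $r = check_ntlm_server($value);
    printf("%-20s -> %-15s %s%s\n", $value, $r['called_name'], $r['encoded'],
        $r['problem'] === null ? '' : '  (' . $r['problem'] . ')');
}
```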
Here is an example of how to install the ntlm module on Ubuntu Server 9.10:
    # mkdir ntlmauth
    # cd ntlmauth/
    # wget http://mywheel.net/blog/wp-content/uploads/2007/04/ntlm.tar.gz
    # tar zxvf ntlm.tar.gz
    # apt-get update
    # apt-get -y install apache2-prefork-dev
    # apxs2 -i -a -c mod_ntlm.c

You'll get a couple of errors which you can ignore:

    apxs:Error: Activation failed for custom /etc/apache2/httpd.conf file..
    apxs:Error: At least one `LoadModule' directive already has to exist..

    # make clean
    # echo "LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so" > /etc/apache2/mods-available/ntlm.load
    # a2enmod ntlm

You should see:

    Enabling module ntlm.
    Run '/etc/init.d/apache2 restart' to activate new configuration!

    # /etc/init.d/apache2 reload

Apache should restart without errors.
To activate NTLM for the GLPI site, rather than adding to the existing default site config files, I created a glpi.conf file under /etc/apache2/conf.d:
    # nano /etc/apache2/conf.d/glpi.conf

Paste in the following:

    <Directory "/var/www/glpi">
        AuthName NTAuth
        AuthType NTLM
        NTLMAuth on
        NTLMAuthoritative on
        NTLMDomain DOMAINNAME
        NTLMServer PRIMARYDCNAME
        NTLMBackup SECONDARYDCNAME
        require valid-user
        Satisfy all
    </Directory>

Change the path to your GLPI install if required, and fill in the domain name and DC names to suit your environment. Save and exit. Restart Apache to activate:

    # /etc/init.d/apache2 reload
No idea about IIS, but given that integrated NTLM authentication has been part of IIS for ages, I just refer to the IIS documentation for details.
Go to: Setup → Authentication. In “External authentications” click “Others” and in “Field holding the login in the _SERVER array” select “REMOTE_USER”.
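From this point GLPI trusts whatever Apache placed in REMOTE_USER. As an added example (not GLPI's code and not the patch on this page, written for PHP 7 or newer), the following shows how a login script can reduce that value to the bare account name whether or not mod_ntlm prefixes it with a domain, and reject anything that is not a plausible account name; the field name and the sAMAccountName rules are assumptions.

```php
<?php
// Added example: normalise $_SERVER['REMOTE_USER'] to a bare login for GLPI's user
// lookup. Returns null when nothing usable is present, so the caller can show the
// ordinary login form instead.

function extract_sso_login(array $server, string $field = 'REMOTE_USER'): ?string
{
    if (!isset($server[$field]) || trim($server[$field]) === '') {
        return null;
    }
    $value = trim($server[$field]);

    // "DOMAIN\user": keep what follows the last backslash. The check against false
    // matters: a bare "user" has no backslash and must pass through unchanged.
    $pos = strrpos($value, '\\');
    if ($pos !== false) {
        $value = substr($value, $pos + 1);
    }
    // "user@domain" (UPN form): keep what precedes the '@'.
    $at = strpos($value, '@');
    if ($at !== false) {
        $value = substr($value, 0, $at);
    }

    // Conservative allow-list (assumption: GLPI logins mirror the AD sAMAccountName,
    // which is at most 20 characters); anything else falls back to the login form.
    if ($value === '' || strlen($value) > 20 || !preg_match('/^[A-Za-z0-9._-]+$/', $value)) {
        return null;
    }
    return $value;
}

// Constructed sample values, including an empty value and one with a space, which
// an authentication module would not deliver, to show they are rejected.
foreach (['jdoe', 'CORP\\jdoe', 'jdoe@corp.example', '', 'j doe'] as $sample) {
    $login = extract_sso_login(['REMOTE_USER' => $sample]);
    printf("%-22s -> %s\n", var_export($sample, true), $login ?? '(null: show login form)');
}
```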
You will need to modify the GLPI code within the files index.php, login.php and logout.php. It is recommended that you back up the three affected files first, so that you can revert to the original code if things go wrong. Something like:
    [root@glpi glpi]# cp index.php index.php.orig
    [root@glpi glpi]# cp login.php login.php.orig
    [root@glpi glpi]# cp logout.php logout.php.orig
Apply the modifications with the diff file patch-httpauth-0.68.3.txt. Simply change your current working directory to the GLPI directory and issue:
    [root@glpi glpi]# patch < patch-httpauth-0.68.3.txt
(Sorry for the .txt extension; the wiki restricts which file types may be uploaded.) You should get
    patching file index.php
    patching file login.php
    patching file logout.php
as the only response. If you did not, you probably used copy+paste to get the diff to your target system. This might introduce additional whitespace characters instead of tabs and break the diff; download the file directly (e.g. using wget or ftpget) instead, or pass the --ignore-whitespace parameter to “patch”.
Now, you're nearly done.
When using IE6 or IE7, add the site running GLPI to the “Local Intranet Sites” security zone. This will let the browser use integrated NTLM authentication when prompted by the web server.
Firefox has implemented NTLM auth since v1.0; however, it is disabled by default. To enable it, use the network.automatic-ntlm-auth.trusted-uris preference: enter a list of the sites that are allowed to use NTLM authentication. For details, see this mozillaZine KB article.
The preference may be set using GPO and the FirefoxADM template if Firefox was compiled with ADM support.
Unfortunately, in recent versions of Firefox (starting with 1.0.7) the NTLM authentication seems to be somewhat broken: whenever GLPI uses Ajax, many subsequent connections and thus many authentications have to be performed (HTTP authentication authenticates every request, all the time). This leads to some obscure breakdown of the NTLM auth, and Firefox might present you with an authentication request box. To mitigate this issue, the Apache config above contains the “Satisfy Any” directive for all subdirectories of the GLPI structure. Note that with “Satisfy Any” and “Allow from all”, Apache no longer requires NTLM authentication for anything below those subdirectories; the scripts there are protected only by GLPI's own session handling.
If you ever need to authenticate as a different user than the one currently logged on, just use the “Log off” button in GLPI, this will bring up the conventional login prompt.
NTLM authentication might break with certain HTTP proxy server configurations. Consider proxyless use if possible.
by dj: I had to remove calls to stripos() and substr() from the original SSPI-using code in order to make NTLM auth work. I suspect these to be some kind of obscure PHP safeguard against unsafe user input. If the code security has suffered through my modifications, please drop a note here and contribute a fix, if possible.
by dj: I believe that using CAS together with the current patch-httpauth-0.68.3.txt will break the “Logout to get a logon screen” functionality. I was too lazy to introduce the conditionals needed to correctly generate the URI string.