Automatic Authentication (SSO) v0.72 - Fedora Core 10

Introduction

This tip will show how to enable Automatic Authentication (also known as Single Sign-On, or SSO) for GLPI against a Windows Active Directory server. Such a configuration allows a Windows user running Internet Explorer to access GLPI without entering a username and password; instead, the user's Windows logon credentials are used automatically to validate access to GLPI. Many users like this since they do not need to enter their username/password twice (once when they log in to Windows, and again when they log in to GLPI).

This tip uses the NTLM options that come with Samba's WinBind package to achieve SSO. It requires that you join your GLPI server to Active Directory.

Requirements (i.e. this was tested with the following)

  • Fedora Core 10
  • Apache 2.2.14 (rpm: httpd-2.2.14-1.fc10)
  • Winbind 3.2.15 (rpm: samba-winbind-3.2.15-0.36.fc10)
  • mod_auth_ntlm_winbind Module for Apache (rpm: mod_auth_ntlm_winbind)
  • Windows Server 2003 R2.

Setup

We assume you already have a working GLPI environment with Apache 2.x and that you have root access to the GLPI server. The following steps assume you are root.

1. Install and configure winbind

To install winbind:

yum install samba-winbind

To configure winbind:

You need to modify the /etc/samba/smb.conf file. Make sure you set the following parameters:

workgroup = DOMAINNAME
password server = *
security = domain
encrypt passwords = true
idmap uid = 10000-20000
idmap gid = 10000-20000

Where DOMAINNAME is your Windows Domain name.

Note: You can specify your Domain Controller FQDN or IP on the password server option instead of *.

2. Join GLPI server to your domain

You will need an Active Directory account with permission to join a computer to your domain. Execute the following command as root:

net join DOMAINNAME -U DomainAdmin

Where DOMAINNAME is your Windows Domain name and DomainAdmin is the username of an Active Directory account with permission to join a computer to your domain.

You will get a “Joined domain DOMAINNAME.” message if the join was successful.

Make sure iptables is not blocking your GLPI server from reaching your Domain Controllers over NetBIOS (TCP 137,138,139), or you will get an “Unable to find a suitable server” message when you try to join.

3. Start winbind and check it is working

Start winbind daemon with the command:

/etc/init.d/winbind start

Verify that winbind is working correctly by executing:

wbinfo -u

You should get a list of your Windows domain users. Alternatively run wbinfo -g to get a list of the Windows groups in Active Directory.
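As an added check for steps 1 and 3 (this is example code, not part of the original tip), the script below parses smb.conf for the six parameters listed above, confirms that security is set to domain, and, where wbinfo is installed, asks winbind whether the machine trust secret is valid. The function names and the two sample configurations are assumptions made for the demonstration; point check_smb_conf at /etc/samba/smb.conf on the real server.

```shell
#!/bin/sh
# Added example, not part of the original tip: checks that smb.conf carries
# every parameter step 1 requires and that 'security' is 'domain', then (if
# wbinfo is installed) confirms winbind answers. The two sample configs below
# are constructed for the demonstration.

# smb_conf_value FILE KEY -> prints the value of KEY (first match, trimmed);
# matching is case-insensitive and tolerates spaces around '=' like smbd itself
smb_conf_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# check_smb_conf FILE -> lists each problem on stdout; returns 0 only if none
check_smb_conf() {
    file=$1
    status=0
    for key in 'workgroup' 'password server' 'security' \
               'encrypt passwords' 'idmap uid' 'idmap gid'; do
        if [ -z "$(smb_conf_value "$file" "$key")" ]; then
            echo "missing: $key"
            status=1
        fi
    done
    # 'security = domain' is what makes winbind validate logons against the
    # DC; the Samba default is 'user', which keeps authentication local.
    sec=$(smb_conf_value "$file" security)
    if [ -n "$sec" ] && [ "$sec" != "domain" ]; then
        echo "security is '$sec', expected 'domain'"
        status=1
    fi
    return $status
}

# winbind_ready -> 0 if winbindd answers, the machine account's trust secret
# is valid (wbinfo -t) and domain users can be listed (wbinfo -u);
# 2 if wbinfo is not installed on this host
winbind_ready() {
    command -v wbinfo >/dev/null 2>&1 || return 2
    wbinfo -t >/dev/null 2>&1 || { echo "trust secret check failed (is the server joined?)"; return 1; }
    wbinfo -u >/dev/null 2>&1 || { echo "cannot enumerate domain users"; return 1; }
}

# --- constructed samples for a self-check ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   password server = *
   security = domain
   encrypt passwords = true
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
# 'security' left at the default and the idmap ranges missing
cat > "$demo_dir/bad.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   password server = *
   security = user
EOF

check_smb_conf "$demo_dir/good.conf" && echo "good.conf: ok"
check_smb_conf "$demo_dir/bad.conf" || echo "bad.conf: not ready for domain SSO"
```

On a real host run `check_smb_conf /etc/samba/smb.conf && winbind_ready` after step 3; a failing `wbinfo -t` means the join in step 2 did not take, whatever `wbinfo -u` shows from cache.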

4. Install mod_auth_ntlm_winbind Module

The mod_auth_ntlm_winbind module drives Samba's ntlm_auth helper, the same helper the Squid proxy uses for NTLM authentication, and works with Apache. It can also be used to achieve NTLM SSO for other web applications running on Apache (e.g. Moodle).

To install the module:

yum install mod_auth_ntlm_winbind

5. Update your Apache configuration

We are going to assume glpi is installed in /var/www/html/glpi/ .

On the Apache config file (usually /etc/httpd/conf/httpd.conf ) add the following:

<Directory "/var/www/html/glpi" >
  NTLMAuth on
  NTLMBasicAuth on
  NTLMBasicRealm DOMAINNAME
  AuthType NTLM
  AuthName "paipartners"
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative off
  require valid-user
</Directory>

What does the above do?

We are applying authentication settings to the /var/www/html/glpi directory.

  • NTLMAuth on: turns on NTLM authentication.
  • NTLMBasicAuth on: turns on basic authentication for non-NTLM browsers.
  • NTLMBasicRealm DOMAINNAME: sets the realm name for NTLMBasicAuth.
  • AuthType NTLM: Enables NTLM Authentication.
  • AuthName “name”: Gives a name to this authentication setup.
  • NTLMAuthHelper: invokes ntlm_auth utility that performs the actual NTLM authentication.
  • NTLMBasicAuthoritative off: allow access control to be passed along to lower modules if the UserID is not known to this module.

Also, in the Apache config file make sure KeepAlive is on. NTLM is a connection-oriented scheme: its three-message handshake must complete over one persistent TCP connection, so with KeepAlive off the negotiation is dropped after the first 401 response. On Fedora it is off by default.

KeepAlive on
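As an added example (not from the original tip) of checking what the Directory block and KeepAlive setting above actually produce, the script below reads the headers of Apache's 401 challenge and verifies that NTLM is offered, that Basic is offered with the realm set by NTLMBasicRealm, and that the connection is not closed, which the NTLM handshake cannot survive. The sample responses and the function names are constructed for the demonstration; probe_glpi fetches a real challenge with curl, e.g. probe_glpi http://glpi.example/glpi/ DOMAINNAME.

```shell
#!/bin/sh
# Added example, not part of the original tip: inspects the 401 challenge the
# Directory block makes Apache send. The two responses below are constructed;
# probe_glpi() fetches a live one.

# www_authenticate_schemes FILE -> one scheme name per line (NTLM, Basic, ...)
www_authenticate_schemes() {
    tr -d '\r' < "$1" | awk -F': *' 'tolower($1) == "www-authenticate" { split($2, a, " "); print a[1] }'
}

# basic_realm FILE -> the realm of the Basic challenge, empty if none
basic_realm() {
    tr -d '\r' < "$1" | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: *[Bb]asic realm="\([^"]*\)".*/\1/p'
}

# connection_kept_alive FILE -> 1 if the server closed the connection on the
# challenge (what Apache does with KeepAlive Off), 0 otherwise
connection_kept_alive() {
    if tr -d '\r' < "$1" | grep -Eiq '^Connection: *close'; then return 1; fi
    return 0
}

# check_challenge FILE REALM -> lists each problem; returns 0 only if none
check_challenge() {
    status=0
    schemes=$(www_authenticate_schemes "$1")
    echo "$schemes" | grep -qx NTLM  || { echo "NTLM not offered";  status=1; }
    echo "$schemes" | grep -qx Basic || { echo "Basic not offered"; status=1; }
    realm=$(basic_realm "$1")
    [ "$realm" = "$2" ] || { echo "Basic realm is '$realm', expected '$2'"; status=1; }
    connection_kept_alive "$1" || { echo "connection closed on the challenge; NTLM needs KeepAlive on"; status=1; }
    return $status
}

# probe_glpi URL REALM -> runs the same checks against a live server (needs curl)
probe_glpi() {
    command -v curl >/dev/null 2>&1 || { echo "curl not installed"; return 2; }
    hdr=$(mktemp)
    curl -s -o /dev/null -D "$hdr" "$1"
    check_challenge "$hdr" "$2"
    rc=$?
    rm -f "$hdr"
    return $rc
}

# --- constructed samples for a self-check ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/challenge.txt" <<'EOF'
HTTP/1.1 401 Authorization Required
Date: Thu, 28 Jan 2010 11:22:00 GMT
Server: Apache/2.2.14 (Fedora)
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="DOMAINNAME"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
EOF
# NTLM not enabled and KeepAlive left off
cat > "$demo_dir/no-keepalive.txt" <<'EOF'
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="DOMAINNAME"
Connection: close
EOF

check_challenge "$demo_dir/challenge.txt" DOMAINNAME && echo "challenge.txt: SSO-ready"
check_challenge "$demo_dir/no-keepalive.txt" DOMAINNAME || echo "no-keepalive.txt: not SSO-ready"
```

The check is deliberately unauthenticated: it only looks at the challenge Apache sends before any credential is presented, so it can be run from any host that can reach the GLPI virtual host.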

6. Check Permissions of the winbindd_privileged folder

For the ntlm_auth method to work, the user running the Apache daemon must have access to the winbindd_privileged folder. In Fedora Core, Apache usually runs as the user “apache”, and the winbindd_privileged folder is located at /var/lib/samba/winbindd_privileged. If you do:

ls -lh /var/lib/samba/

You should see something like:

drwxr-x--- 2 root wbpriv 4.0K 2010-01-28 11:22 winbindd_privileged

What we are going to do is make the user “apache” a supplementary member of the group “wbpriv”. The “apache” user already exists (the httpd package creates it), so use usermod rather than useradd; useradd would only report that the user already exists and would not change its group membership:

usermod -a -G wbpriv apache

The -a flag appends “wbpriv” to the user's existing supplementary groups; without it, -G replaces them. You can verify that the user “apache” is a member of the “wbpriv” group with the following command:

id apache

You should get something like this:

uid=48(apache) gid=48(apache) groups=48(apache),88(wbpriv)

Alternatively you can manually edit the /etc/group file if you prefer not to use the command-line tools.
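As an added example (not part of the original tip), the script below checks the two things step 6 relies on: that the Apache user is a supplementary member of wbpriv, and that the winbindd_privileged directory is group-owned by wbpriv with group read and execute, as in the listing shown above. The group file, the sample listings and the function names are constructed for the demonstration; apache_can_use_winbind runs the same checks against the live system.

```shell
#!/bin/sh
# Added example, not part of the original tip: verifies the group membership
# and directory permissions step 6 needs. The group file and listings below
# are constructed; apache_can_use_winbind() checks the real host.

# user_in_group GROUPFILE USER GROUP -> 0 if USER is listed as a supplementary
# member of GROUP in an /etc/group-format file (the primary group is not
# checked; wbpriv is always a supplementary group for apache)
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# perm_line_ok LINE GROUP -> 0 if an "ls -ld" line shows a directory owned by
# GROUP with group read and execute (r-x), which is what ntlm_auth needs to
# reach the privileged pipe; a trailing "." or "+" (SELinux/ACL) is ignored
perm_line_ok() {
    printf '%s\n' "$1" | awk -v g="$2" '{ exit ($1 ~ /^d...r.x/ && $4 == g) ? 0 : 1 }'
}

# dir_group_ok DIR GROUP -> perm_line_ok applied to the real directory
dir_group_ok() {
    [ -d "$1" ] || return 1
    perm_line_ok "$(ls -ld "$1")" "$2"
}

# apache_can_use_winbind -> 0 if both conditions hold on this host
apache_can_use_winbind() {
    status=0
    id -nG apache 2>/dev/null | tr ' ' '\n' | grep -qx wbpriv \
        || { echo "apache is not a member of wbpriv"; status=1; }
    dir_group_ok /var/lib/samba/winbindd_privileged wbpriv \
        || { echo "/var/lib/samba/winbindd_privileged is not group-accessible to wbpriv"; status=1; }
    return $status
}

# --- constructed samples for a self-check ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/group" <<'EOF'
root:x:0:
wbpriv:x:88:apache
apache:x:48:
EOF
# the listing the tip shows for a correct setup, and a locked-down variant
GOOD_LISTING='drwxr-x--- 2 root wbpriv 4.0K 2010-01-28 11:22 winbindd_privileged'
BAD_LISTING='drwx------ 2 root root 4.0K 2010-01-28 11:22 winbindd_privileged'

user_in_group "$demo_dir/group" apache wbpriv && echo "apache is in wbpriv"
perm_line_ok "$GOOD_LISTING" wbpriv && echo "listing grants wbpriv access"
perm_line_ok "$BAD_LISTING" wbpriv || echo "listing locks wbpriv out"
```

Membership added with usermod only takes effect for processes started afterwards, so run apache_can_use_winbind and then restart httpd (step 9) before testing the logon.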

7. Configure GLPI

Go to the “Setup” Menu and click on “Authentication”. Then “others”.

For the “Field holding the login in the _SERVER array” option select “REMOTE_USER”.

Click Update.

8. Configure Internet Explorer

The steps above have actually already enabled NTLM authentication against Active Directory. At this point, if you restart Apache and access GLPI, you should be prompted with an NTLM authentication box. But we want SSO, so we need to tell Internet Explorer to automatically use the Windows logon credentials for NTLM authentication. This option is set by default for the “Intranet” security zone. So, you have the following options:

  • Add your GLPI site to the list of Intranet Sites (Tools → Internet Options → Security → Local Intranet → Sites…)
  • Modify the Internet zone settings to allow automatic NTLM logons (Tools → Internet Options → Security → Internet → Custom Level… → User Authentication → Logon → Automatic Logon with current username and password – Note this option is at the very end when you access the Custom Level settings)

And of course, for the above to work we need to make sure the option “Enable Integrated Windows Authentication” is checked in Internet Explorer. This is enabled by default. Verify that it is enabled by going to Tools → Internet Options → Advanced → Security → Enable Integrated Windows Authentication.

9. Restart Apache and Test

Everything should be set now. Restart Apache so your changes take effect (ntlm module, directory changes, KeepAlive setting):

/etc/init.d/httpd restart

Test and verify that you can SSO to GLPI.

Notes

This works for HTTP. It will not work with HTTPS.