Automatic Authentication (SSO) v0.72 - Fedora Core 10
This tip will show how to enable Automatic Authentication (also known as Single-Sign-On, or SSO) for GLPI against a Windows Active Directory server. Such a configuration allows a Windows user running Internet Explorer to access GLPI without having to enter his/her username and password. Instead, the user's Windows logon credentials are used automatically to validate access to GLPI. Many users like this since they do not need to enter their username/password twice (once when they log in to Windows, and again when they log in to GLPI).
This tip uses the NTLM options that come with Samba's WinBind package to achieve SSO. It requires that you join your GLPI server to Active Directory.
Requirements (i.e. this was tested with the following)
- Fedora Core 10
- Apache 2.2.14 (rpm: httpd-2.2.14-1.fc10)
- Winbind 3.2.15 (rpm: samba-winbind-3.2.15-0.36.fc10)
- mod_auth_ntlm_winbind Module for Apache (rpm: mod_auth_ntlm_winbind)
- Windows Server 2003 R2.
We assume you already have a working GLPI environment with Apache 2.x and that you have root access to the GLPI server. The following steps assume you are root.
1. Install and configure winbind
To install winbind:
yum install samba-winbind
To configure winbind:
You need to modify the /etc/samba/smb.conf file. Make sure the [global] section contains the following parameters:
workgroup = DOMAINNAME
password server = *
security = domain
encrypt passwords = true
idmap uid = 10000-20000
idmap gid = 10000-20000
Where DOMAINNAME is your Windows Domain name.
Note: You can specify your Domain Controller FQDN or IP on the password server option instead of *.
2. Join GLPI server to your domain
You will need an Active Directory account with permission to join a computer to your domain. Execute the following command as root:
net join DOMAINNAME -U DomainAdmin
Where DOMAINNAME is your Windows Domain name and DomainAdmin is the username of an Active Directory account with permission to join a computer to your domain.
You will get a “Joined domain DOMAINNAME.” message if the join was successful.
Make sure iptables on the GLPI server (and any firewall in between) lets it reach your Domain Controllers: NetBIOS (UDP 137/138, TCP 139) and SMB (TCP 445) for the join itself, plus Kerberos (TCP/UDP 88) and LDAP (TCP 389) if net chooses the ADS join method. Otherwise you will get an “Unable to find a suitable server” message when you try to join.
3. Start winbind and check it is working
Start the winbind daemon (and make it start at boot) with the commands:
service winbind start
chkconfig winbind on
Verify that winbind is working correctly by executing:
wbinfo -u
You should get a list of your Windows domain users. Alternatively run wbinfo -g and you will get a list of the Windows groups in Active Directory.
4. Install mod_auth_ntlm_winbind Module
The mod_auth_ntlm_winbind module hands the NTLM exchange to Samba's ntlm_auth helper, the same helper the Squid proxy uses for NTLM authentication, which is why it works under Apache. It can be used in the same way to achieve NTLM SSO in other web applications running under Apache (e.g. Moodle).
To install the module:
yum install mod_auth_ntlm_winbind
5. Update your Apache configuration
We are going to assume glpi is installed in /var/www/html/glpi/ .
On the Apache config file (usually /etc/httpd/conf/httpd.conf ) add the following:
<Directory "/var/www/html/glpi">
    NTLMAuth on
    NTLMBasicAuth on
    NTLMBasicRealm DOMAINNAME
    AuthType NTLM
    AuthName "paipartners"
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative off
    require valid-user
</Directory>
What does the above do?
We are applying authentication settings to the /var/www/html/glpi directory.
- NTLMAuth on: turns on NTLM authentication.
- NTLMBasicAuth on: turns on Basic authentication as a fallback for browsers that cannot do NTLM. Basic sends the domain username and password base64-encoded, i.e. effectively in clear text, so over plain HTTP only enable it on a network you trust.
- NTLMBasicRealm DOMAINNAME: sets the realm name shown by the NTLMBasicAuth prompt.
- AuthType NTLM: Enables NTLM Authentication.
- AuthName “name”: Gives a name to this authentication setup.
- NTLMAuthHelper: invokes ntlm_auth utility that performs the actual NTLM authentication.
- NTLMBasicAuthoritative off: if the username is not known to this module, let a later authentication module handle the request instead of failing it here.
Also, on the Apache config file make sure KeepAlive is On. NTLM authenticates the TCP connection rather than each individual request, so without persistent connections the handshake never completes. On Fedora it is Off by default.
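The block above is the one the tip was tested with. As an added example (not part of the original tip or of GLPI), here is the same <Directory> block tightened for a plain-HTTP deployment: the Basic fallback is switched off and access is limited to the intranet range. The 192.168.1.0/24 network, the "GLPI" AuthName and DOMAINNAME are placeholders to substitute with your own values.

```apache
# Added example, not from the original tip. Apache 2.2 syntax as used on
# Fedora Core 10 (Order/Deny/Allow; 2.4 would use Require ip instead).
<Directory "/var/www/html/glpi">
    # Only the intranet range (placeholder) may even reach the login; with the
    # default "Satisfy all" the NTLM authentication below is still required.
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    NTLMAuth on
    # No Basic fallback: over plain HTTP "NTLMBasicAuth on" would let a
    # non-NTLM client send its domain password base64-encoded, readable by
    # anyone on the path. Non-NTLM browsers simply get a 401.
    NTLMBasicAuth off
    NTLMBasicRealm DOMAINNAME
    AuthType NTLM
    AuthName "GLPI"
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    # Reject unknown users here rather than passing them to another module.
    NTLMBasicAuthoritative on
    require valid-user
</Directory>
```

If some clients genuinely cannot do NTLM, prefer putting GLPI behind HTTPS with an ordinary Basic/LDAP setup for them rather than turning the Basic fallback back on over HTTP.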
6. Check Permissions of the winbindd_privileged folder
For the ntlm_auth method to work, the user running the Apache daemon must have access to the winbindd_privileged folder. In Fedora core, Apache is usually run by the username “apache”. And the winbindd_privileged folder location is “/var/lib/samba/winbindd_privileged”. If you do:
ls -lh /var/lib/samba/
You should see something like:
drwxr-x--- 2 root wbpriv 4.0K 2010-01-28 11:22 winbindd_privileged
What we are going to do is make the user “apache” a member of the group “wbpriv”. Note that useradd only creates new accounts; for the existing “apache” user use usermod, where -a appends to the user's current groups instead of replacing them:
usermod -a -G wbpriv apache
You can verify that the user “apache” is a member of the “wbpriv” group with the following command:
id apache
You should get something like this:
uid=48(apache) gid=48(apache) groups=48(apache),88(wbpriv)
Alternatively you can manually edit the /etc/group file if you do not want to use usermod. Either way, a running httpd only picks up the new group membership when it is restarted (step 9).
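Before restarting Apache it is worth checking that steps 1 to 6 actually produced what the following steps rely on. The script below is an added example, not part of GLPI, Samba or the original tip; it assumes the Fedora Core 10 default paths used above (override them with SMB_CONF, HTTPD_CONF and GROUP_FILE). The configuration checks are pure text parsing and can be run anywhere; the live checks (wbinfo -t and a test logon through ntlm_auth as the apache user) run only with --run on the GLPI server.

```bash
#!/bin/bash
# glpi-sso-preflight.sh: check the server-side pieces of steps 1-6 before you
# restart Apache. Added example, not part of GLPI, Samba or the original tip;
# it assumes the Fedora Core 10 default paths used in the tip.
set -u

SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}
HTTPD_CONF=${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Drop comments and blank lines, squeeze the whitespace around "=" and
# lower-case everything, so the checks below ignore case and spacing.
norm_conf() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/ = /' "$1" | tr 'A-Z' 'a-z' | grep -v '^$'
}

# Print each smb.conf setting from step 1 that is absent or has the wrong
# value; return 1 if anything was reported.
smb_conf_missing() {
    local conf want rc=0
    conf=$(norm_conf "$1")
    for want in 'workgroup = [^ ]+' 'password server = [^ ]+' \
                'security = domain' 'encrypt passwords = (true|yes)' \
                'idmap uid = [0-9]+-[0-9]+' 'idmap gid = [0-9]+-[0-9]+'; do
        if ! printf '%s\n' "$conf" | grep -Eqx "$want"; then
            echo "smb.conf: missing or wrong: ${want%% = *}"
            rc=1
        fi
    done
    return $rc
}

# NTLM authenticates the TCP connection, not each request, so the last
# uncommented KeepAlive directive must be On (Fedora ships it Off).
keepalive_on() {
    norm_conf "$1" | grep -E '^keepalive[[:space:]]' | tail -n 1 \
        | grep -Eqx 'keepalive[[:space:]]+on'
}

# Is USER listed as a supplementary member of GROUP in an /etc/group file?
user_in_group() {
    local user=$1 group=$2 file=${3:-$GROUP_FILE}
    awk -F: -v u="$user" -v g="$group" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# Live checks; run as root on the GLPI server: bash glpi-sso-preflight.sh --run
run_all_checks() {
    local rc=0 acct pw
    smb_conf_missing "$SMB_CONF" || rc=1
    keepalive_on "$HTTPD_CONF" || { echo "httpd.conf: KeepAlive must be On"; rc=1; }
    user_in_group apache wbpriv || { echo "apache is not in wbpriv (step 6)"; rc=1; }
    # wbinfo -t checks the machine account secret that "net join" created.
    wbinfo -t >/dev/null 2>&1 || { echo "winbind: trust secret check failed"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    # Exercise the helper Apache will call, as the apache user, so it has to
    # reach winbindd_privileged exactly as httpd does. The basic helper reads
    # "user password" on stdin (nothing on a command line for ps to see) and
    # answers OK or ERR; spaces or '%' in the password need URL-encoding.
    read -r -p 'Account to test (DOMAINNAME\user): ' acct
    read -r -s -p 'Password: ' pw; echo
    printf '%s %s\n' "$acct" "$pw" \
        | su -s /bin/sh apache -c 'ntlm_auth --helper-protocol=squid-2.5-basic' \
        | grep -q '^OK' || { echo "ntlm_auth rejected $acct"; return 1; }
    echo "all checks passed"
}

if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

A failing ntlm_auth test at the end while wbinfo -t succeeds almost always means the apache user cannot read winbindd_privileged (step 6) or httpd has not been restarted since the group change.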
7. Configure GLPI
Go to the “Setup” Menu and click on “Authentication”. Then “others”.
For the “Field holding the login in the _SERVER array” option select “REMOTE_USER”. GLPI will then trust whatever username Apache places in REMOTE_USER, so make sure the glpi directory is not reachable through any other path, alias or virtual host that lacks the <Directory> block from step 5.
8. Configure Internet Explorer
The steps above have already enabled NTLM authentication against Active Directory. At this point, if you restart Apache and access GLPI you should be prompted with an NTLM authentication box. But we want SSO, so we need to tell Internet Explorer to use the Windows logon credentials automatically for NTLM authentication. This option is set by default for the “Local intranet” security zone. So, you have the following options:
- Add your GLPI site to the list of Intranet Sites (Tools → Internet Options → Security → Local Intranet → Sites…)
- Modify the Internet zone settings to allow automatic NTLM logons (Tools → Internet Options → Security → Internet → Custom Level… → User Authentication → Logon → Automatic Logon with current username and password – Note this option is at the very end when you access the Custom Level settings)
And of course, for the above to work we need to make sure the option “Enable Integrated Windows Authentication” is checked in Internet Explorer. This is enabled by default. Verify that it is enabled by going to Tools → Internet Options → Advanced → Security → Enable Integrated Windows Authentication.
9. Restart Apache and Test
Everything should be set now. Restart Apache so your changes take effect (ntlm module, directory changes, KeepAlive setting, the apache user's new group membership):
service httpd restart
Test and verify that you can SSO to GLPI.
This works for HTTP. It will not work with HTTPS. Bear in mind that this means the NTLM challenge/response, every GLPI page and (with NTLMBasicAuth on) any Basic-fallback password travel over the network unencrypted, so keep the GLPI server reachable from the internal network only.