
Automatic authentication v0.68 - SUSE

Article written by Cuty. Translation by jcoleman.

Introduction

The goal of this tip is to let GLPI users be identified in the application without having to enter their user name or their password, IF and ONLY IF the GLPI server is a Linux server.

This method works with Apache 2 and GLPI configured for external authentication against Active Directory. The user must use Internet Explorer.

The configuration on which this procedure was validated is the following:

- GLPI: 0.68.3-2 and AD on W2k3
- Internet Explorer 6sp2
- Server: Suse_Linux/9.3 Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7e PHP/4.4.6 mod_perl/2.0.2 Perl/v5.8.6

So if you test on another configuration and it works, do not hesitate to add it here.

A small clarification: apart from a few lines, the modifications and the code provided in this article are not mine, so a big thank-you to those who will recognize themselves.

Installation

Modification in Glpi

Start by copying the files index.php and login.php to back up GLPI's original files, so that you can roll back if there is a problem. Personally, I add the extension .orig to them for clarity. Then insert or modify the code in index.php and login.php.

*>: marks code to be added.

*: marks a modification of the code. In our case, replace the 1st line by the 2nd (starred) one.

index.php
 48:    // Using CAS server
 49:    if (!empty($cfg_glpi["cas_host"]) && !isset($_GET["noCAS"])) {
 50:        glpi_header("login.php");
 51:    }
 *>    // Query the client's NetBIOS name table; the last line containing <03> supplies the login
 *>    $login = '';
 *>    $ip = $_SERVER["REMOTE_ADDR"];
 *>    $commande = "nmblookup -A " . $ip;
 *>    exec($commande, $tableau);
 *>    foreach ($tableau as $colone)
 *>        {
 *>        if (strpos($colone, "<03>"))
 *>                {
 *>                $login = strtok($colone, "T");
 *>                }
 *>      }
 *>    $ident = strtolower($login);
 *>    // A name was found: pass it on to login.php
 *>    if ($ident != '') {
 *>        header("Location: login.php?login_name=" . $ident);
 *>    }
 52:    // Send UTF8 Headers
 53:    header("Content-Type: text/html; charset=UTF-8");
 54:    // Start the page

login.php
 54:    if (isset($_POST["login_password"])) {
 55:    $_POST["login_password"] = unclean_cross_side_scripting_deep($_POST["login_password"]);
 *>    $http_auth = false;
 *>    }
 *>    else if (!isset($_POST["login_password"])) {
 *>    $_POST["login_password"] = unclean_cross_side_scripting_deep($_POST["login_password"]);
 *>        $http_auth = false;
 *>        // No password posted: derive the login from the client's NetBIOS name table
 *>        $login = '';
 *>        $ip = $_SERVER["REMOTE_ADDR"];
 *>        $commande = "nmblookup -A " . $ip;
 *>        exec($commande, $tableau);
 *>        foreach ($tableau as $colone)
 *>                {
 *>                if (strpos($colone, "<03>"))
 *>                    {
 *>                    $login = strtok($colone, "T");
 *>                    }
 *>               }
 *>        $ident = strtolower($login);
 *>
 *>         if ($ident != '') {
 *>              $_POST["login_name"] = $ident;
 *>              $http_auth = true;
 *>         }
 *>    }
 56:    if (!isset($_POST["noCAS"]) && !empty($cfg_glpi["cas_host"])) {
 72:    if (!$auth_succeded) // No tests in CAS configuration
 73:    if (empty($_POST["login_name"]) || empty($_POST["login_password"])) {
 73 *:     if ((empty($_POST["login_name"]) || empty($_POST["login_password"])) && !$http_auth) {
 74:        $identificat->err = $lang["login"][8];
 75:        } else {
 94:        //if ($auth_succeded) $user_present = $identificat->user->getFromDBbyName(utf8_decode($_POST["login_name"]));
 95:
 96:        }
 *>        // try HTTP authentication
 *>        if ($http_auth) {
 *>
 *>          $found_dn = false;
 *>          $auth_succeded = 0;
 *>          // Look up the user's DN in Active Directory with the configured root DN
 *>          $found_dn = $identificat->ldap_get_dn_active_directory($cfg_glpi["ldap_host"], $cfg_glpi["ldap_basedn"], $_POST["login_name"], $cfg_glpi["ldap_rootdn"], $cfg_glpi["ldap_pass"], $cfg_glpi["ldap_port"]);
 *>          if ($found_dn != false) {
 *>            $auth_succeded = true;
 *>            $identificat->extauth = 1;
 *>            $user_present = $identificat->user->getFromDBbyName($_POST["login_name"]);
 *>            $identificat->user->getFromLDAP_active_directory($cfg_glpi["ldap_host"], $cfg_glpi["ldap_port"], $found_dn, $cfg_glpi["ldap_rootdn"], $cfg_glpi["ldap_pass"], $cfg_glpi["ldap_fields"], $_POST["login_name"], $cfg_glpi["ldap_condition"]);
 *>          }
 *>
 *>
 *>        }
 97:
 98:        // Second try IMAP/POP
 99:        if (!$auth_succeded && !empty($cfg_glpi["imap_auth_server"])) {

Also available on the forum: http://www.glpi-project.org/forum/viewtopic.php?id=1397&p=5
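
The NetBIOS lookup used in the two listings above, as an added example that is not part of the original article or of GLPI: it parses the output of nmblookup -A into name-table rows and separates the user's <03> entry from the computer's, instead of keeping whichever <03> line comes last. The function names and the sample output are constructed for illustration; PHP 5.2 or later and Samba's nmblookup are assumed.

```php
<?php
// Added example, not GLPI code; function names and $sample are hypothetical.
// A node-status reply is unauthenticated: the queried host reports its own names.

// Same lookup as in the article, with the address validated and shell-quoted.
function nbt_lookup($ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) { return array(); }
    $out = array();
    exec('nmblookup -A ' . escapeshellarg($ip), $out);
    return $out;
}

// Parse lines such as "\tJDUPONT   <03> -   B <ACTIVE>" into array(name, suffix, is_group).
function nbt_parse($lines) {
    $rows = array();
    foreach ($lines as $line) {
        if (preg_match('/^\s+(\S+)\s+<([0-9a-f]{2})>\s+-\s+(<GROUP>)?/i', $line, $m)) {
            $rows[] = array(strtolower($m[1]), strtolower($m[2]), !empty($m[3]));
        }
    }
    return $rows;
}

// <03> can be registered for the computer name as well as the logged-on user,
// so drop <03> names that also hold a unique <00> (workstation) entry.
function nbt_user_candidate($lines) {
    $rows = nbt_parse($lines);
    $machine = array();
    $users = array();
    foreach ($rows as $r) {
        if ($r[1] === '00' && !$r[2]) { $machine[] = $r[0]; }
    }
    foreach ($rows as $r) {
        if ($r[1] === '03' && !$r[2] && !in_array($r[0], $machine, true)) { $users[] = $r[0]; }
    }
    $users = array_values(array_unique($users));
    // Accept exactly one name, limited to a conservative character set.
    $ok = count($users) === 1 && preg_match('/^[a-z0-9._-]{1,20}$/', $users[0]);
    return $ok ? $users[0] : '';
}

// Constructed sample output: one machine, one logged-on user.
$sample = array(
    "\tPC-COMPTA       <00> -         B <ACTIVE> ",
    "\tWORKGROUP       <00> - <GROUP> B <ACTIVE> ",
    "\tPC-COMPTA       <03> -         B <ACTIVE> ",
    "\tJDUPONT         <03> -         B <ACTIVE> ",
);
echo nbt_user_candidate($sample), "\n";
```

An empty return value means no single user name could be identified, in which case the normal login form applies.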

By web browser

Internet Explorer

Check that "Enable Integrated Windows Authentication" is ticked in the advanced options of Internet Explorer.

Remember to add the GLPI URL to the list of Local intranet sites under the Security tab in the Internet Explorer options.

Mozilla Firefox

I do not have Firefox at the company where I work, so if people could send in information, that would be nice! :)

Your turn

That is about all I could gather on this added feature, but if some of you want to improve the tip, do not hesitate; I am interested too!!!! ^_^

Address of the forum post at the origin of the article: http://www.glpi-project.org/forum/viewtopic.php?id=1397&p=1