
Automatic authentication

Automatic authentication lets GLPI users be identified in the application automatically, without having to enter their username and password.

Two procedures:

For GLPI versions 0.71 and higher

Web server modification

* Apache2

The module mod_auth_sspi.so works only under Windows. Download it from
http://sourceforge.net/projects/mod-auth-sspi/

First, either

  • download the file from the source referenced above and extract the enclosed files to a folder of your choice. Then copy mod_auth_sspi.so from the extracted bin folder to
    [your apache install folder]/modules -OR-
  • make sure mod_auth_sspi.so already exists in the modules folder of your Apache install.

Second

  • activate the module mod_auth_sspi.so by either
    • uncommenting the line
      LoadModule sspi_auth_module modules/mod_auth_sspi.so
      in your Apache server's configuration file ( apache\conf\httpd.conf or conf/httpd.conf ) -OR-
    • adding the following line at the bottom of the list of loaded modules in that same configuration file:
      LoadModule sspi_auth_module modules/mod_auth_sspi.so

Third

  • Modify your Apache server's configuration file or virtual hosts file to include a Directory section for your GLPI installation folder. Adapt the code below to your install by changing only the folder where GLPI resides; enter all other parameters exactly as they appear.

<code>
#glpi configuration
<Directory "[glpi website folder]">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

    AuthName "restricted Access"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    require valid-user
</Directory>
</code>

:!: Do not forget to restart the Apache service after saving all configuration file modifications.

For example, placed at the end of the same file with a concrete path:

<code>
#glpi configuration
<Directory "C:/OCSinventoryNG/xampp/htdocs/glpi">
    Options None
    Order allow,deny
    Allow from all

    AuthName "restricted Access"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    require valid-user
</Directory>
</code>

adapting the path of your GLPI directory to your configuration.
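Because SSPIOfferBasic On lets the module fall back to Basic authentication, which carries the password merely base64-encoded, the following variant of the same Directory section refuses plain-HTTP requests with mod_ssl's SSLRequireSSL. This is an added example, not configuration from the page or from the mod_auth_sspi project; the path is a placeholder to adapt to your install.

```apache
#glpi configuration, TLS-only variant (added example; placeholder path)
<Directory "C:/xampp/htdocs/glpi">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

    # Deny any request to this directory that did not arrive over HTTPS, so the
    # Basic fallback offered below never carries a password in clear text.
    SSLRequireSSL

    AuthName "restricted Access"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    require valid-user
</Directory>
```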

  • Apache
    • If you use Apache below v1.3, use mod_auth_ntlm.
      • Follow the same procedure detailed above, but with mod_auth_ntlm as the module file name: it is enough to uncomment the line containing mod_auth_ntlm in the Apache configuration file apache\conf\httpd.conf. It may also be necessary to add a block at the end of the Apache configuration file, as for Apache 2, but I have nothing to test this on, so I cannot confirm it.
    • For Apache 2 the changes above are sufficient, but there are two more steps.

Fourth

  • Open Windows Explorer and modify the Security tab in the properties of the folder where GLPI is installed: grant a user account or group every permission except Full Control. Replicate the permissions to subdirectories and files.

Fifth

  • Change the account the Apache service runs under to the account you set in step 4 above. According to the documentation shipped in the file referenced above, this is what allows basic authentication.

Once again, it is up to you to test… ;-)

* IIS

IIS already talks to the file system and receives from it whether the user is authorized to view the folder or not, so IIS should work without modification. If somebody could confirm this, it would be appreciated :)

Now proceed with the configuration within GLPI itself.

GLPI configuration

All configuration of automatic authentication is done under Setup / Authentication / Others, in the "Others" tab.

Set the option Field holding the login in the _SERVER array to REMOTE_USER or PHP_AUTH_USER.

If you want to check which value to enter, create a file called "test.php" with the following contents:

<code>
<?php
// Print each candidate server variable; isset() avoids a notice for the ones that are not set.
$keys = array("REMOTE_USER", "HTTP_AUTH_USER", "PHP_AUTH_USER", "USERNAME", "REDIRECT_REMOTE_USER");
foreach ($keys as $key) {
    echo $key . " = " . (isset($_SERVER[$key]) ? htmlspecialchars($_SERVER[$key]) : "(not set)") . "<br />";
}
?>
</code>

Now open "test.php" in your browser and review the output. The line that reads something like REMOTE_USER = [yourdomain]\[your username] tells you which value to select for Field holding the login in the _SERVER array. Make your choice and update the form.
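As an added example (not GLPI's code and not from the page), the function below does what the login-field choice above and the index.php/login.php patches further down do: it takes the login from a key the web server itself sets and strips the DOMAIN\ prefix that SSPI adds. HTTP_* keys such as HTTP_AUTH_USER are deliberately never consulted, because PHP fills them from client request headers; the key order, the user@realm handling and the sample values are my assumptions.

```php
<?php
// Added example, not GLPI code: pick the login GLPI should trust from $_SERVER.
// Only keys the web server sets after authenticating the request are consulted;
// HTTP_* entries are copied from client request headers, so they are skipped.
function login_from_server(array $server)
{
    $trusted = array('REMOTE_USER', 'REDIRECT_REMOTE_USER', 'PHP_AUTH_USER'); // assumed order
    foreach ($trusted as $key) {
        if (!isset($server[$key]) || $server[$key] === '') {
            continue;
        }
        $raw = $server[$key];
        // SSPI/NTLM report "DOMAIN\user": keep only what follows the last backslash.
        $pos = strrpos($raw, "\\");
        $login = ($pos === false) ? $raw : (string) substr($raw, $pos + 1);
        // Kerberos may report "user@REALM" instead (generalisation beyond the page).
        $at = strpos($login, '@');
        if ($at !== false) {
            $login = substr($login, 0, $at);
        }
        // Accept only characters that occur in Windows account names.
        if ($login === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $login)) {
            return null;
        }
        return $login;
    }
    return null;
}

// Constructed sample $_SERVER arrays, not captured from a real server.
$samples = array(
    array('REMOTE_USER' => 'CORP\\jdoe'),                  // SSPI form
    array('REDIRECT_REMOTE_USER' => 'jdoe@corp.example'),  // Kerberos/UPN form
    array('PHP_AUTH_USER' => 'jdoe'),                      // Basic fallback
    array('HTTP_AUTH_USER' => 'admin'),                    // client-supplied header: ignored
    array('REMOTE_USER' => 'CORP\\'),                      // nothing after the domain
);
foreach ($samples as $s) {
    var_dump(login_from_server($s));
}
```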

Per Web Browser
  • Internet Explorer

Check that "Enable Integrated Windows Authentication" in the Advanced options of Internet Explorer is ticked.

Remember to add the GLPI URL to the list of Local intranet sites under the Security tab of the Internet Explorer options.

Worth knowing: HTTPS + automatic authentication + XAMPP + IE7 = connection problems.

Solution: in xampp/apache/conf/extra/httpd-ssl.conf, remove the nokeepalive keyword from the BrowserMatch line so that it reads:

<code>
<IfModule setenvif_module>
    BrowserMatch ".*MSIE.*" \
        ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</IfModule>
</code>
  • Firefox

Under Firefox this does not work unless you change some values in the configuration.

In about:config, modify the value network.negotiate-auth.delegation-uris and add to it the domain name for which you want to enable automatic sending of credentials, e.g. .glpi-project.org

Note: if that does not work, modify the value network.automatic-ntlm-auth.trusted-uris and add the string https://,http://

Note that this option works for all Mozilla-based browsers in their recent versions: Mozilla, Netscape or Epiphany.

  • Opera

No automatic authentication solution found so far.

  • Safari

No automatic authentication solution found so far.

You now have all the pieces to set up automatic authentication on 0.71.

For GLPI versions lower than 0.71

Article written by Garga and updated by Ro9eR. Translation by jcoleman.

This page applies to GLPI versions 0.68 and 0.70 (lower than 0.71).

The goal of this tip is to let GLPI users be identified in the application without having to enter their username and password again.

This trick works with Apache 2 and GLPI configured for external authentication against Active Directory. The user must use Internet Explorer.

The configuration on which this procedure was validated is:

- GLPI 0.68.2 and AD on W2k3 - Internet Explorer 6 SP2 - XAMPP 1.5.1 / Apache 2.2.0 / MySQL 5.0.18 / PHP 5.1.1

So if you test on another configuration and it works, do not hesitate to add to this page. It seems this patch also works with Apache and IIS, but I could not test that, so it is up to you to try it and complete this article.

One last point: the modifications and the code provided in this article are not my own, only their adaptation for version 0.68.2 of GLPI is, so a big thank you to OUKIBILL, tsmr, blink38, VANB etc… :-P

Installation

Web server modification

Apache 2:

First of all, activate the module mod_auth_sspi.so, which is included in the distribution. It is enough to uncomment the line LoadModule sspi_auth_module modules/mod_auth_sspi.so in the Apache configuration file ( apache\conf\httpd.conf ).

It is also necessary to add (at the end of the same file, for example):

<code>
#glpi configuration
<Directory "C:/OCSinventoryNG/xampp/htdocs/glpi">
    Options None
    Order allow,deny
    Allow from all

    AuthName "restricted Access"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    require valid-user
</Directory>
</code>

adapting the path of your GLPI directory to your configuration.

:!: Do not forget to restart the Apache service after any modification.

Apache

If you use Apache, use mod_auth_ntlm. It is enough to uncomment the line containing mod_auth_ntlm in the Apache configuration file apache\conf\httpd.conf.

It may also be necessary to add a block at the end of the Apache configuration file, as for Apache 2, but I have nothing to test this on, so I cannot confirm it. Once again, it is up to you to test… ;-)

:!: Do not forget to restart the Apache service after any modification.

IIS

If you use IIS, it should work by itself. If somebody can test it and confirm it here, that would be great.

Modification in GLPI

Start by copying the files index.php and login.php to back up GLPI's originals, so you can roll back in case of problems. Personally I add the extension .orig to them for clarity. Then insert or modify code in index.php and login.php.

0.68
index.php

Search for:

<code>
// Using CAS server
if (!empty($cfg_glpi["cas_host"]) && !isset($_GET["noCAS"])) {
    glpi_header("login.php");
}
</code>

Add after it:

<code>
// Automatic HTTP authentication: SSPI reports "DOMAIN\user", keep the part after the backslash
if (isset($_SERVER["REMOTE_USER"])) {
    $pos = stripos($_SERVER["REMOTE_USER"], "\\");
    if ($pos !== false) {
        $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
        if ($login != '') {
            header("Location: login.php?login_name=" . urlencode($login));
        }
    }
}
</code>

login.php

Search for:

<code>
$_POST["login_password"] = unclean_cross_side_scripting_deep($_POST["login_password"]);
</code>

Add after it:

<code>
// Automatic HTTP authentication: take the login from REMOTE_USER, without the DOMAIN\ prefix
$http_auth = false;
if (isset($_SERVER["REMOTE_USER"])) {
    $pos = stripos($_SERVER["REMOTE_USER"], "\\");
    if ($pos !== false) {
        $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
        if ($login != '') {
            $_POST["login_name"] = $login;
            $http_auth = true;
        }
    }
}
</code>

Search for:

<code>
if (empty($_POST["login_name"]) || empty($_POST["login_password"])) {
</code>

Replace with:

<code>
if ((empty($_POST["login_name"]) || empty($_POST["login_password"])) && !$http_auth) {
</code>

Search for:

<code>
// With UTF8 decoding
//if (!$auth_succeded) $auth_succeded = $identificat->connection_db(utf8_decode($_POST["login_name"]), utf8_decode($_POST["login_password"]));
//if ($auth_succeded) $user_present = $identificat->user->getFromDBbyName(utf8_decode($_POST["login_name"]));
</code>

Add after it:

<code>
}
// try HTTP authentication
if ($http_auth) {
    $found_dn = false;
    $auth_succeded = 0;
    $found_dn = $identificat->ldap_get_dn_active_directory($cfg_glpi["ldap_host"], $cfg_glpi["ldap_basedn"], $_POST["login_name"], $cfg_glpi["ldap_rootdn"], $cfg_glpi["ldap_pass"], $cfg_glpi["ldap_port"]);

    // The login reported by the web server is only accepted if it resolves to a DN in the directory
    if ($found_dn != false) {
        $auth_succeded = true;
        $identificat->extauth = 1;
        $user_present = $identificat->user->getFromDBbyName($_POST["login_name"]);
        $identificat->user->getFromLDAP_active_directory($cfg_glpi["ldap_host"], $cfg_glpi["ldap_port"], $found_dn, $cfg_glpi["ldap_rootdn"], $cfg_glpi["ldap_pass"], $cfg_glpi["ldap_fields"], $_POST["login_name"], $cfg_glpi["ldap_condition"]);
    }
// the brace that originally closed the surrounding block now ends this if ($http_auth)
</code>
0.70
index.php

Search for:

<code>
if (!empty($CFG_GLPI["cas_host"]) && !isset($_GET["noCAS"])) {
    glpi_header("login.php");
}
</code>

Add after it:

<code>
// Automatic HTTP authentication: SSPI reports "DOMAIN\user", keep the part after the backslash
if (isset($_SERVER["REMOTE_USER"])) {
    $pos = stripos($_SERVER["REMOTE_USER"], "\\");
    if ($pos !== false) {
        $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
        if ($login != '') {
            header("Location: login.php?login_name=" . urlencode($login));
        }
    }
}
</code>
login.php

Search for:

<code>
if (isset($_POST["login_password"])) {
    $_POST["login_password"] = unclean_cross_side_scripting_deep($_POST["login_password"]);
}
</code>

Replace with:

<code>
$http_auth = false;
if (isset($_POST["login_password"])) {
    $_POST["login_password"] = unclean_cross_side_scripting_deep($_POST["login_password"]);
}
elseif (!isset($_POST["login_password"]) && isset($_SERVER["REMOTE_USER"])) {
    // Automatic HTTP authentication: no password was posted, take the login from REMOTE_USER
    $pos = stripos($_SERVER["REMOTE_USER"], "\\");
    if ($pos !== false) {
        $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
        if ($login != '') {
            $_POST["login_name"] = $login;
            $http_auth = true;
        }
    }
}
</code>

Search for:

<code>
if (empty($_POST["login_name"]) || empty($_POST["login_password"])) {
    $identificat->addToError($LANG["login"][8]);
</code>

Replace with:

<code>
if ((empty($_POST["login_name"]) || empty($_POST["login_password"])) && !$http_auth) {
    $identificat->addToError($LANG["login"][8]);
</code>

Search for:

<code>
// exists=0 -> does not exist
// exists=1 -> exists with password
// exists=2 -> exists without password
$exists = $identificat->userExists($_POST["login_name"]);
// Not first, because otherwise the blank-password check is not done
// First try to connect via the DATABASE
if ($exists == 1) {
</code>

Replace with:

<code>
// exists=0 -> does not exist
// exists=1 -> exists with password
// exists=2 -> exists without password
$exists = $identificat->userExists($_POST["login_name"]);
// Automatic HTTP authentication: only for users that exist without a local password
if ($http_auth && $exists == 2) {
    $identificat->user->getFromDBbyName(addslashes($_POST["login_name"]));
    $config_ldap = $identificat->auth_methods["ldap"][$identificat->user->fields["id_auth"]];
    // Connect to the directory
    $ds = connect_ldap($config_ldap["ldap_host"], $config_ldap["ldap_port"], $config_ldap["ldap_rootdn"], $config_ldap["ldap_pass"], $config_ldap["ldap_use_tls"]);
    // The login reported by the web server is only accepted if it resolves to a DN in the directory
    $user_dn = ldap_search_user_dn($ds, $config_ldap["ldap_basedn"], $config_ldap["ldap_login"], stripslashes($_POST["login_name"]), $config_ldap["ldap_condition"]);
    if ($user_dn != false) {
        $identificat->auth_succeded = true;
    }
}
// Not first, because otherwise the blank-password check is not done
</code>

Per Internet Browser

Internet Explorer

Check that "Enable Integrated Windows Authentication" in the Advanced options of Internet Explorer is ticked.

Remember to add the GLPI URL to the list of Local intranet sites under the Security tab of the Internet Explorer options.

Mozilla Firefox

Let's say that for Firefox this does not work.

Call to the enthusiasts to find a solution… ;-)

Tsmr: Yes, it does work. I will detail it as soon as I have a little time, but you need to modify a value in about:config

network.negotiate-auth.delegation-uris: (name of the AD/LDAP server) network.negotiate-auth.trusted-uris: name of the websites with integrated authentication.

possible via GPO with the end of this script:

http://sourceforge.net/projects/firefoxadm/

Met@lnono: In my company, to get it working, I had to modify another value in about:config

network.automatic-ntlm-auth.trusted-uris: https://,http://

Careful, this last setting means you will automatically send your credentials to every site that asks for them!

Over to you.

That is about all I could gather on this feature, but if some of you want to improve the tip, do not hesitate, I am all for it!!!! ^_^

Link to the forum post at the origin of this article: http://www.glpi-project.org/forum/viewtopic.php?id=1397&p=1