Joomla! Discussion Forums

Well I revert to this forum after loosing much sleep trying to understand all this. Before anything I would like to position my understanding of SSO/Kerberos/AD which is close to nill. I am and have been a Linux user for the past 4 years and have never required SSO capabilities, however, times change and apparently the need for a Joomla SSO has arised.

Let me first explain the requirements and platform.

Platform
----------------------------
- Joomla v1.0.13
- JAuthTools v1.0.8
- CentOS Linux (but will probably be migrated over to SUSE Linux)
- MySQL DBMS
- Apache with mob_auth_krb
- PHP with ldap support
- Kerberos
- Windows 2003 R2 Active Directory

Requirements
----------------------------
- If user doesn't exist in AD (or not authenticated via Kerberos) then
login page is presented
- If user authenticated via Kerberos do not display login page

Now my questions/doubts:

1. Is SSO using Kerberos possible using JAuthTools when Joomla is
hosted on a Linux system?
2. If SSO is possible, would any code editing be necessary or does
JAuthTools provide everything necessary for the requirements above?
3. Anyone know of a step-by-step HOW-TO to accomplish what I need?

Ok, those are a few of my questions, but truth be told, I am a little lost, so much so that I am not even sure what I want to ask. If my requirements are in fact possible what I really need is a kind of check-list to what I should do. For example:

1. Set-up you linux host with Joomla, MySQL etc and make sure it's running
2. Install JAuthTools
3. Set-up Joomla LDAP and test
4. Create user's in AD
5. Create keytab files and move over to Linux host
6. Test kerberos ?

(If the above steps are completely wrong please correct me)

Now I would just like to list what I have been able to accomplish.

I have successfully set-up Active Directory integration, so that a user login-in through the Joomla login page gets checked against the AD, if the user exists and the password is correct he/she gets authenticated and copied over to the Joomla database.

Now my next step is SSO. I have followed various instruction that tell me how to get Kerberos working. I have created the users in AD (username=hostname) for principals host & HTTP and have imported keytab files to Linux host, I have configured Apache to use Kerberos authentication, but... nothing happens. In a dev system which is not associated to any NT domain a login box appears (apache auth), if I enter username/password login is accepted however the Joomla login page is shown right after.

Where I think my bigest doubt is, is concerning Kerberos and how it should be used/integrated.
From what I understand no password is ever required but if this is the case how do I get past the login page? Does a component of JAuthTools take care of this for me? Also, is it possible to test SSO when on a Linux machine?

Well sorry for the long post, but I would really appreciate any help. I don't exactly require step-by-step instructions but more of a procedure/check-list to follow, which plug-ins are essential and how configurations should be set (may-be not). Well something (or anything) in these lines would be great.

Sincerely,
Istvan Cebrian

Ok I think I need to simplfy my question.

First thou let me assure everyone that AD Integration (SSI) is working just fine and Kerberos is correctly configured.

Now, should the LDAP SSO mambot take care os everything considering I am authenticated? Do I need to change any code? The thing is, I am quite sure all configurations are correct, I am also sure I am authenticated via kerberos since PHP variables REMOTE_USER and AUTH_TYPE are set correctly. But when I access the login page, nothing happens, the login screen just sits there requiring me to enter username/password.

I just need confirmation that I dont need to do any code editing and that the mambot LDAP SSO should take care of everything automatically if a user is in fact kerberos authenticated?

Thanks,

Well it seems I have managed. Apparently I was using the wrong SSO
plugin. I wanted HTTP authentication and I thought LDAP SSO would work
for this, which does not. I got everything working by installing HTTP
SSO from http://joomlacode.org/gf/project/jauthtools/frs/.

Would you mind sharing what you had to do to get this working. Maybe a step by step.

Joomla LDAP Plugin


LDAP SSI


HTTP Single Signon


LDAP Sync


You will also need to configure Kerberos on the linux host, to do so create a keytab file for the admin user in the AD with a line such as:


Import said keytab file into your linux host with something like:


Test authentication with "kinit -k host/hostname.domain.com" and then just "kinit".

In Joomla root directory (webserver) you will need to create a .htaccess file such as:

If you don't have kerberos authentication on the system your using to test with, change the directive KrbMethodK5Passwd to ON. It will then bring up a password dialog to request for your username and password.

As you can see this .htaccess file only applies to .PHP files, so you will also need to create a index.html file that redirects to index.php file such as:

This is needed to prevent the automatic detection of replay attacks.

This is everything I remember I did. The SSI module wont be necessary if all you want is SSO. I however with the use of "ErrorDocument 401" managed to get both SSO and SSI/Normal login working.

Hope this helps.

One other important note. It is very important that the keytab file you generate for a specific host/HTTP request matches the FQDN (hostname.domain.com) of where you are hosting Joomla. If they do not match then authentication will not work.

while testing always view your KDC & apache logs for error messages. These can be very helpfull.

Oh and one more thing. A large time drift between your AD and your linux host will also cause authentication not to work. Keep that in mind.

thanks for the precious help

Hi icebrian,
I've got LDAP auth working with AD, but not the seamless single sign on without typing the name & password.
I run Apache on Windows. Do I need this kerberos thing in that case? I cannot get remote_user from apache, which seems to be needed for http sso.
What for ist the usersource session modul? Everytime I activate the system is dead and I cannot login anymore...

Any ideas/comments?

Best regards
Claudius


---> solution <----
I've got seamless sso working on windows + apache + joomla
follow instructions from following post
viewtopic.php?f=473&t=264644&p=1646507&hilit=indexsso#p1646507

My problem now is, first time users have to login in manually and get failure message

Any ideas to get rid of that?

I changed in usersource.php

$plugin = new $className ($this);
to
$plugin = new $className ($this, (array)$plugin);

all warnings disappeared now. I dont know if really fixed, but users dont get that failure messages

Last thing to be solved is that first time visitors has to log in manually.
I think I set everything I found related to autocreate users to "on".
Any ideas to get that work?