The Joomla! Forum ™



PostPosted: Wed Mar 21, 2012 3:10 pm 
Joomla! Apprentice

Joined: Tue Jan 11, 2011 3:50 pm
Posts: 9
I've got the JMapMyLDAP mapping AD groups to Joomla groups just fine but I can't get the HTTP SSO login to work. I've verified the REMOTE USER variable is being populated and I've configured the plugin to remove our 'DOMAIN\' from the value.

If I look in Joomla:User Manager it doesn't auto login the user. Users still need to log in on the homepage using their AD username and password to access pages that have restricted permissions mapped to AD groups. Not sure if I misunderstood the HTTP plugin; it seems like I'm most of the way there.

I have the following authentication plugins enabled, do I need to disable the Joomla authentication plugin to get SSO to work? I think I disabled it before and couldn't get back into the site.

Authentication - JMapMyLDAP
Authentication - Joomla
SSO - HTTP
User - JMapMyLDAP

Thanks Guys!
Dave


PostPosted: Fri Mar 23, 2012 12:49 am 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
I missed this. There is a dedicated thread just above this one for jmmldap :p viewtopic.php?f=46&t=657124 - I will ask for it to be merged after it is resolved.

Do you have a "System - JSSOMySite" in your set of plugins? Is this enabled? If not then you can download from http://shmanic.com/media/file.php?proje ... mysite.zip - once you install & enable the plug-in, it will hopefully work.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Fri Mar 23, 2012 12:51 pm 
Joomla! Apprentice

Joined: Tue Jan 11, 2011 3:50 pm
Posts: 9
I've got the following plug-ins enabled and configured:
Authentication - JMapMyLDAP
Authentication - Joomla
SSO - HTTP
User - JMapMyLDAP
System - JSSOMySite

Do I need to disable the 'Authentication - Joomla' plug-in in order for the 'Authentication - JMapMyLDAP' plug-in to work correctly? I wasn't sure if they would be conflicting with each other in some way.

I've got the default Joomla Login Module enabled on my homepage and when users enter their AD username/password it successfully authenticates them using Active Directory and the group mapping from AD to Joomla groups works just fine as well.

What I'm trying to accomplish is to remove the Joomla Login Module so users don't have to enter their AD username/password credentials and login. I want our users to be automatically authenticated/logged in when they hit the site. Can 'JMapMyLDAP' accomplish what I'm trying to do?

Thanks!
Dave


PostPosted: Fri Mar 23, 2012 5:37 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
Yes it can. It should be working correctly.

No, do not disable Joomla's authentication - you may need that in case of an LDAP failure. Can you test changing the replacement on the username from 'DOMAIN\' to 'DOMAIN' (i.e. remove the backslash)? I assume that all the jmmldap plugins are at version 1.0.4+.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Fri Mar 23, 2012 5:47 pm 
Joomla! Apprentice

Joined: Tue Jan 11, 2011 3:50 pm
Posts: 9
Yes. I've downloaded the package from your website titled:

Group Mapping Package (pkg_jmapmyldap)
This includes everything

Is there anything else I need to install?

Thanks,
Dave


PostPosted: Fri Mar 23, 2012 6:00 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
Yes, that's fine. Just making sure that you didn't have a very old alpha build or something.

If you can test the backslash removal. This is currently a known bug.

I also assume that everything is set to 'Allow all' in the System and SSO plugin.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Fri Mar 23, 2012 7:35 pm 
Joomla! Apprentice

Joined: Tue Jan 11, 2011 3:50 pm
Posts: 9
I checked my error log and I'm receiving this error
SSO: Failed to authenticate user 'dave'

Anything in particular I could look at to resolve this issue? We're using AD.
I've verified my connecting credentials are correct in jmapmyldap.


PostPosted: Fri Mar 23, 2012 7:44 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
Aurgh, trying to authenticate the way I did in version 1 is bad news for debugging. Are you using search in the authentication plug-in?

Does it look like http://shmanic.com/tools/jmapmyldap/doc ... gin-ad.htm ?

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Fri Mar 23, 2012 7:49 pm 
Joomla! Apprentice

Joined: Tue Jan 11, 2011 3:50 pm
Posts: 9
Yes the AD settings are identical. Yes, Use Search is Yes.

Where are the connection parameters connect username/password stored at?


PostPosted: Mon Mar 26, 2012 1:41 pm 
Joomla! Apprentice

Joined: Tue Jan 11, 2011 3:50 pm
Posts: 9
I used the PHP LDAP Debug script and successfully authenticated an account that is failing using the jmapmyldap plugin. I've verified the AD configuration parameters in the LDAP debug script are identical to the jmapmyldap settings. Any other things I could check? It must be something simple.

: PHP LDAP Debug V1.05 Script Started ::
Attempting to bind to LDAP server using connect username and password...
LDAP bind successful.
Attempting to use search to find user...
Successfully found user
Attempting to logon with user CN=Last/,First,CN=Users,DC=domain,DC=com ...
Successfully logged on with user
Attempting to retrieve all user attributes then process the results request...
User ID: USERNAME
Full Name: last,first
Email: email@email.com
>>>>>group stuff>>>>>
: PHP LDAP Debug V1.05 Script Finished ::


PostPosted: Mon Apr 02, 2012 10:46 am 
Joomla! Enthusiast

Joined: Sun Jan 30, 2011 10:09 am
Posts: 205
Location: Leicester, UK
I have the same problem. Joomla on Win Server 2008, IIS. AD authentication is working fine, but not SSO.

Site authentication set to Windows, "REMOTE USER" is being populated, tried DOMAIN and DOMAIN\, System - JSSOMySite is enabled, Allow All set in both plugins. All jmmldap plugins v1.0.5.


PostPosted: Mon Apr 02, 2012 12:00 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
Sorry for the delay, my final project at uni has taken over my life.

I will test version 1 SSO on my end with latest Joomla and will report back any findings. It sounds like the hack I implemented for SSO (method onSSOAuthenticate() in /plugins/authentication/jmapmyldap/jmapmyldap.php) has broken.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Mon Apr 02, 2012 12:05 pm 
Joomla! Enthusiast

Joined: Sun Jan 30, 2011 10:09 am
Posts: 205
Location: Leicester, UK
Fixed it. It was the backslash. When you enter domain\, an extra backslash is appended to escape it which is visible in the admin screen. That doesn't work, but when I entered domain\\ directly into the database it works, but only domain\ is visible in the admin screen.

Thanks for all these great plugins, Shaun.


PostPosted: Mon Apr 02, 2012 12:20 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
NickC4555 wrote:
Fixed it. It was the backslash. When you enter domain\, an extra backslash is appended to escape it which is visible in the admin screen. That doesn't work, but when I entered domain\\ directly into the database it works, but only domain\ is visible in the admin screen.

:eek: - wow, this seriously needs a fix. The backslash issue has been going on for too long now.

Thanks for the solution.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Mon Apr 02, 2012 8:09 pm 
Joomla! Enthusiast

Joined: Sun Jan 30, 2011 10:09 am
Posts: 205
Location: Leicester, UK
Update: I just installed it on another machine with MySQL and it worked fine without having to edit the database. The double backslash only appears with SQL Server.


PostPosted: Fri Jun 01, 2012 8:51 pm 
Joomla! Apprentice

Joined: Thu Feb 05, 2009 6:09 am
Posts: 13
ShMaunder wrote:
NickC4555 wrote:
Fixed it. It was the backslash. When you enter domain\, an extra backslash is appended to escape it which is visible in the admin screen. That doesn't work, but when I entered domain\\ directly into the database it works, but only domain\ is visible in the admin screen.


Perhaps someone can help. I'm having exactly the same issue. I am not interested in LDAP, but am trying to get the SSO to work. I am getting the same "SSO: Failed to authenticate user 'username'." error as described above. In J1.5 I used Sam's JAuthTools SSO-HTTP with no issues. I never had to enter anything in the 'Username Replacement' box then and all worked fine.

Is the conclusion from this thread one must enter DOMAIN\ and then go into the extensions table and change the resulting entry from DOMAIN\\ to DOMAIN\?

I'm not sure I understand the reason for having DOMAIN in the first place.
Apologies if I am being slow.


PostPosted: Sun Jun 03, 2012 2:33 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
azelter wrote:
Perhaps someone can help. I'm having exactly the same issue. I am not interested in LDAP, but am trying to get the SSO to work. I am getting the same "SSO: Failed to authenticate user 'username'." error as described above. In J1.5 I used Sam's JAuthTools SSO-HTTP with no issues. I never had to enter anything in the 'Username Replacement' box then and all worked fine.

Is the conclusion from this thread one must enter DOMAIN\ and then go into the extensions table and change the resulting entry from DOMAIN\\ to DOMAIN\?

I'm not sure I understand the reason for having DOMAIN in the first place.
Apologies if I am being slow.


What is the value of REMOTE_USER or AUTH_USER in your phpinfo() ?

Normally, the value is DOMAIN\user or user@DOMAIN so for example, I have shaun@HOME. So if I put in @HOME in my username replacement, it is left with 'shaun' so it can authenticate.

However, my feeling is that you aren't using LDAP at all? In which case this tool won't work as it verifies the user against an LDAP server after it has discovered the HTTP username (Sam's JAuthTools directly set the session cookies instead, so it didn't need an LDAP server to login). In this case, something like this extension should work better http://extensions.joomla.org/extensions ... ment/18214

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
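
Added example (not part of the original posts and not JMapMyLDAP's own code): instead of deleting a configured substring from REMOTE_USER, the value can be parsed into domain and account and the domain checked against an expected list, which sidesteps the backslash-escaping problem discussed in this thread and rejects identities from unexpected domains. The function name, the allowed list, the account-name pattern and the sample values are assumptions made for illustration.

```php
<?php
// Hypothetical helper for illustration; not part of JMapMyLDAP.

/**
 * Split a web-server supplied identity into its account name, accepting only
 * the domains/realms listed in $allowed (compared case-insensitively).
 * Returns the bare username, or null when the value must not be used for SSO.
 */
function normalizeRemoteUser(?string $raw, array $allowed): ?string
{
    if ($raw === null || $raw === '') {
        return null;                        // the server authenticated nobody
    }

    $domain = null;
    $user   = $raw;

    if (($pos = strpos($raw, '\\')) !== false) {         // DOMAIN\user
        $domain = substr($raw, 0, $pos);
        $user   = substr($raw, $pos + 1);
    } elseif (($pos = strrpos($raw, '@')) !== false) {   // user@REALM
        $user   = substr($raw, 0, $pos);
        $domain = substr($raw, $pos + 1);
    }

    // A qualifier that is present must be an expected one; a bare username
    // (as in the pubcookie setup described in this thread) passes through.
    if ($domain !== null
        && !in_array(strtolower($domain), array_map('strtolower', $allowed), true)) {
        return null;
    }

    // Conservative account-name check (assumption: adjust to your directory's
    // naming rules) before the value reaches any user lookup.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user) === 1 ? $user : null;
}

// Constructed sample values, shaped like REMOTE_USER / AUTH_USER contents.
// In a real deployment read the value from $_SERVER, never from a request header.
$allowed = ['DOMAIN', 'HOME', 'MYDOMAIN.COM'];
$samples = ['DOMAIN\\dave', 'shaun@HOME', 'bob', 'OTHER\\dave', 'DOMAIN\\da ve', ''];

foreach ($samples as $raw) {
    $user = normalizeRemoteUser($raw, $allowed);
    printf("[%s] => %s\n", $raw, $user ?? '(rejected)');
}

// The symptom from the thread in miniature: if escaping leaves the configured
// replacement with a doubled backslash, it no longer matches the single
// backslash in REMOTE_USER and the domain prefix is never removed.
$stored = 'DOMAIN\\\\';                                // DOMAIN followed by two backslashes
var_dump(str_replace($stored, '', 'DOMAIN\\dave'));    // value comes back unchanged
```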


PostPosted: Sun Jun 03, 2012 4:36 pm 
Joomla! Apprentice

Joined: Thu Feb 05, 2009 6:09 am
Posts: 13
Thanks very much for your reply. The value for REMOTE_USER is correct and has no extra DOMAIN or @DOMAIN parts. If the username is 'bob' REMOTE_USER reports 'bob' and the error says:
SSO: Failed to authenticate user 'bob'.
I did not realize this tool did not work without LDAP. I had assumed it would do the same as Sam Moffatt's JAuthTools (http://sammoffatt.com.au/jauthtools/SSO) which is what I was using before. It seems like his tool is not available for any version of Joomla after j1.5 and I am now trying to upgrade to j2.5, hence my search for something that will do SSO for me.
Thanks for the suggestion of the HTTP authentication plugin. It will not work for me as it would require every visitor to log in. I need a plugin that will automatically log in anyone if REMOTE_USER is already set (I am using pubcookie http://www.pubcookie.org/ to have people login to our institution) but not do anything if the person is not logged in with pubcookie (i.e. REMOTE_USER is not set).
That is what the jauthtools SSO-HTTP plugin did very well and I had assumed that the JMapMyLDAP - HTTP SSO did the same.
I will search for a different plugin if this is not the case.
Thanks for your help.


PostPosted: Tue Jun 05, 2012 6:12 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
Are your users already registered in Joomla? I would hit trouble trying to auto create users as I cannot get a valid email from anywhere.

If all you want is auto logging in registered users then I will upload the modified file now.


Edit:
I will upload anyway. You will need to ensure that both JSSOMySite and HTTP SSO are installed.

Get the whole thing from http://shmanic.com/media/file.php?proje ... lugins.zip

Replace the file at /libraries/shmanic/jssomysite.php with the one attached.



_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


Last edited by ShMaunder on Tue Jun 05, 2012 6:16 pm, edited 1 time in total.

PostPosted: Tue Jun 05, 2012 6:15 pm 
Joomla! Apprentice

Joined: Thu Feb 05, 2009 6:09 am
Posts: 13
ShMaunder wrote:
Are your users already registered in Joomla? I would hit trouble trying to auto create users as I cannot get a valid email from anywhere.

If all you want is auto logging in registered users then I will upload the modified file now.


Yes - all my users are already registered and their usernames are identical to the value of REMOTE_USER once they have logged in with the pubcookie system.

Thanks so much!!!


PostPosted: Tue Jun 05, 2012 6:17 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
You reply very fast :p

Try what I attached on the previous post.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Tue Jun 05, 2012 6:35 pm 
Joomla! Apprentice

Joined: Thu Feb 05, 2009 6:09 am
Posts: 13
ShMaunder wrote:
You reply very fast :p

Try what I attached on the previous post.

Perhaps I am replying too fast again.
The plugin seems to work great!
I am not getting an edit button on the front end, but I can see this is not an issue with your plugin as the user is logged in.
So thanks so much - I really appreciate your help.


PostPosted: Thu Jun 21, 2012 10:38 pm 
Joomla! Apprentice

Joined: Sun Jan 01, 2006 11:32 pm
Posts: 15
Hi, I'm trying to get SSO working with AD on Windows 2003. I've installed Joomla on a Linux machine running Debian. The first part is working very well: when a new user logs in to Joomla, as the user exists in the AD, it's created in Joomla and is associated with its group. But nothing happens with SSO. For your reference, this is my configuration:

Open the site with internet explorer 8 and Google Chrome

System - JSSOMySite Plugin (enabled)
------------------------------
Auto Create Users: Yes
IP Rule= Allow All
IP Exception List= (blank)
URL Bypass=nosso
Allow Backend SSO=No

SSO - HTTP Plugin (Enabled)
------------------------
User Key=REMOTE_USER
Username Replacement=DOMAIN
IP Rule= Allow All
IP Exception List= blank


PostPosted: Fri Jun 22, 2012 8:03 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
Does your username replacement have a backslash ?

Any errors in /logs/error.php ?

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Mon Jun 25, 2012 4:44 pm 
Joomla! Apprentice

Joined: Sun Jan 01, 2006 11:32 pm
Posts: 15
Thanks for your quick answer. I've tested with and without the backslash (domain\ and domain); perhaps I'm not understanding how SSO must work.

If I have a user who is logged in to his computer with the domain account, how must he log in to the Joomla site using SSO? Must he simply open the page? Does he have to press login?

Thanks again for your nice work


PostPosted: Mon Jun 25, 2012 5:26 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
Have you set up Kerberos on your Linux server? Do you have a REMOTE_USER variable in your PHP information? Setup info: http://acksyn.org/diary/?p=460

If you do, then go into your PHP info (found within Joomla System Information) and look at the REMOTE_USER - if it has a value of user@MYDOMAIN.COM then you want @MYDOMAIN.COM in the username replacement.

Make sure that both "System - JSSOMySite" and "SSO - HTTP" are enabled, then when Joomla has no user logged on, it will automatically log on with the user of the computer.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Mon Jun 25, 2012 8:09 pm 
Joomla! Apprentice

Joined: Sun Jan 01, 2006 11:32 pm
Posts: 15
OK, I've set up Kerberos as described at http://acksyn.org/diary/?p=460. But I cannot find REMOTE_USER in System Information. Is it necessary to modify php.ini with this value? How?

Both "System - JSSOMySite" and "SSO - HTTP" are enabled

Regards


PostPosted: Mon Jun 25, 2012 9:31 pm 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
OK, sounds like Joomla is good.

Sounds like Apache needs a little tweaking. Have you set up either httpd.conf or .htaccess (I prefer .htaccess) with something similar to:

AuthType Kerberos
AuthName "Joomla Secure Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms YOURDOMAIN.LOCAL
Krb5KeyTab /etc/krb5.keytab
require valid-user

(if at httpd.conf, then you need to restart Apache for changes to apply).

On a non-logged domain computer, do you get a browser (non-joomla) login box?

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/


PostPosted: Tue Jun 26, 2012 7:30 pm 
Joomla! Apprentice

Joined: Sun Jan 01, 2006 11:32 pm
Posts: 15
Hi Shaun,

I've modified .htaccess with these parameters and restarted Apache, but I still cannot see REMOTE_USER.

Regards
Alfredo


PostPosted: Thu Jun 28, 2012 8:32 am 
Joomla! Explorer

Joined: Mon Jul 05, 2010 7:22 pm
Posts: 483
Location: UK
This is strange. Do you see any browser login boxes when trying to access the site (on a non-logged on domain user)?

If not then you still haven't got the server set up correctly. I can't offer that much advice on this as I only know as much as the guide I posted. Though it does sound like an Apache issue as I normally get HTTP 401 errors when the authentication fails (e.g. incorrect credentials; incorrectly set up).

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

