JMapMyLDAP - HTTP SSO Plugin

dbosky
Joomla! Apprentice
Posts: 9
Joined: Tue Jan 11, 2011 3:50 pm

Post by dbosky » Wed Mar 21, 2012 3:10 pm

I've got the JMapMyLDAP mapping AD groups to Joomla groups just fine but I can't get the HTTP SSO login to work. I've verified the REMOTE USER variable is being populated and I've configured the plugin to remove our 'DOMAIN\' from the value.

If I look in Joomla: User Manager, it doesn't auto login the user. Users still need to log in on the homepage using their AD username and password to access pages that have restricted permissions mapped to AD groups. Not sure if I misunderstood the HTTP plugin; it seems like I'm most of the way there.

I have the following authentication plugins enabled, do I need to disable the Joomla authentication plugin to get SSO to work? I think I disabled it before and couldn't get back into the site.

Authentication - JMapMyLDAP
Authentication - Joomla
SSO - HTTP
User - JMapMyLDAP

Thanks Guys!
Dave

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - HTTP SSO Plugin

Post by ShMaunder » Fri Mar 23, 2012 12:49 am

I missed this. There is a dedicated thread just above this one for jmmldap :p http://forum.joomla.org/viewtopic.php?f=46&t=657124 - I will ask for it to be merged after it is resolved.

Do you have a "System - JSSOMySite" in your set of plugins? Is this enabled? If not then you can download from http://shmanic.com/media/file.php?proje ... mysite.zip - once you install & enable the plug-in, it will hopefully work.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

Post by dbosky » Fri Mar 23, 2012 12:51 pm

I've got the following plug-ins enabled and configured:
Authentication - JMapMyLDAP
Authentication - Joomla
SSO - HTTP
User - JMapMyLDAP
System - JSSOMySite

Do I need to disable the 'Authentication - Joomla' plug-in in order for the 'Authentication - JMapMyLDAP' plug-in to work correctly? I wasn't sure if they would be conflicting with each other in some way.

I've got the default Joomla Login Module enabled on my homepage and when users enter their AD username/password it successfully authenticates them using Active Directory and the group mapping from AD to Joomla groups works just fine as well.

What I'm trying to accomplish is to remove the Joomla Login Module so users don't have to enter their AD username/password credentials and login. I want our users to be automatically authenticated/logged in when they hit the site. Can 'JMapMyLDAP' accomplish what I'm trying to do?

Thanks!
Dave

Post by ShMaunder » Fri Mar 23, 2012 5:37 pm

Yes it can. It should be working correctly.

No, do not disable Joomla's authentication - you may need that in case of an LDAP failure. Can you test changing the replacement on the username from 'DOMAIN\' to 'DOMAIN' (i.e. remove the backslash)? I assume that all the jmmldap plugins are at version 1.0.4+.

Post by dbosky » Fri Mar 23, 2012 5:47 pm

Yes. I've downloaded the package from your website titled:

Group Mapping Package (pkg_jmapmyldap)
This includes everything

Is there anything else I need to install?

Thanks,
Dave

Post by ShMaunder » Fri Mar 23, 2012 6:00 pm

Yes, that's fine. Just making sure that you didn't have a very old alpha build or something.

If you can test the backslash removal. This is currently a known bug.

I also assume that everything is set to 'Allow all' in the System and SSO plugin.

Post by dbosky » Fri Mar 23, 2012 7:35 pm

I checked my error log and I'm receiving this error:
SSO: Failed to authenticate user 'dave'

Anything in particular I could look at to resolve this issue? We're using AD.
I've verified my connecting credentials are correct in jmapmyldap.

Post by ShMaunder » Fri Mar 23, 2012 7:44 pm

Aurgh, trying to authenticate the way I did in version 1 is bad news for debugging. Are you using search in the authentication plug-in?

Does it look like http://shmanic.com/tools/jmapmyldap/doc ... gin-ad.htm ?

Post by dbosky » Fri Mar 23, 2012 7:49 pm

Yes the AD settings are identical. Yes, Use Search is Yes.

Where are the connection parameters connect username/password stored at?

Post by dbosky » Mon Mar 26, 2012 1:41 pm

I used the PHP LDAP Debug script and successfully authenticated an account that is failing using the jmapmyldap plugin. I've verified the AD configuration parameters in the LDAP debug script are identical to the jmapmyldap settings. Any other things I could check? It must be something simple.

: PHP LDAP Debug V1.05 Script Started ::
Attempting to bind to LDAP server using connect username and password...
LDAP bind successful.
Attempting to use search to find user...
Successfully found user
Attempting to logon with user CN=Last/,First,CN=Users,DC=domain,DC=com ...
Successfully logged on with user
Attempting to retrieve all user attributes then process the results request...
User ID: USERNAME
Full Name: last,first
Email: [email protected]
>>>>>group stuff>>>>>
: PHP LDAP Debug V1.05 Script Finished ::

NickC4555
Joomla! Explorer
Posts: 457
Joined: Sun Jan 30, 2011 10:09 am
Location: Leicester, UK

Re: JMapMyLDAP - HTTP SSO Plugin

Post by NickC4555 » Mon Apr 02, 2012 10:46 am

I have the same problem. Joomla on Win Server 2008, IIS. AD authentication is working fine, but not SSO.

Site authentication set to Windows, "REMOTE USER" is being populated, tried DOMAIN and DOMAIN\, System - JSSOMySite is enabled, Allow All set in both plugins. All jmmldap plugins v1.0.5.

Post by ShMaunder » Mon Apr 02, 2012 12:00 pm

Sorry for the delay, my final project at uni has taken over my life.

I will test version 1 SSO on my end with latest Joomla and will report back any findings. It sounds like the hack I implemented for SSO (method onSSOAuthenticate() in /plugins/authentication/jmapmyldap/jmapmyldap.php) has broken.

Post by NickC4555 » Mon Apr 02, 2012 12:05 pm

Fixed it. It was the backslash. When you enter domain\, an extra backslash is appended to escape it which is visible in the admin screen. That doesn't work, but when I entered domain\\ directly into the database it works, but only domain\ is visible in the admin screen.

Thanks for all these great plugins, Shaun.

Post by ShMaunder » Mon Apr 02, 2012 12:20 pm

NickC4555 wrote:
> Fixed it. It was the backslash. When you enter domain\, an extra backslash is appended to escape it which is visible in the admin screen. That doesn't work, but when I entered domain\\ directly into the database it works, but only domain\ is visible in the admin screen.

:eek: - wow, this seriously needs a fix. The backslash issue has been going on for too long now.

Thanks for the solution.

Post by NickC4555 » Mon Apr 02, 2012 8:09 pm

Update: I just installed it on another machine with MySQL and it worked fine without having to edit the database. The double backslash only appears with SQL Server.

azelter
Joomla! Apprentice
Posts: 13
Joined: Thu Feb 05, 2009 6:09 am

Re: JMapMyLDAP - HTTP SSO Plugin

Post by azelter » Fri Jun 01, 2012 8:51 pm

ShMaunder wrote:
> NickC4555 wrote:
> > Fixed it. It was the backslash. When you enter domain\, an extra backslash is appended to escape it which is visible in the admin screen. That doesn't work, but when I entered domain\\ directly into the database it works, but only domain\ is visible in the admin screen.

Perhaps someone can help. I'm having exactly the same issue. I am not interested in LDAP, but am trying to get the SSO to work. I am getting the same "SSO: Failed to authenticate user 'username'." error as described above. In J1.5 I used Sam's JAuthTools SSO-HTTP with no issues. I never had to enter anything in the 'Username Replacement' box then and all worked fine.

Is the conclusion from this thread one must enter DOMAIN\ and then go into the extensions table and change the resulting entry from DOMAIN\\ to DOMAIN\?

I'm not sure I understand the reason for having DOMAIN in the first place.
Apologies if I am being slow.

Post by ShMaunder » Sun Jun 03, 2012 2:33 pm

azelter wrote:
> Perhaps someone can help. I'm having exactly the same issue. I am not interested in LDAP, but am trying to get the SSO to work. I am getting the same "SSO: Failed to authenticate user 'username'." error as described above. In J1.5 I used Sam's JAuthTools SSO-HTTP with no issues. I never had to enter anything in the 'Username Replacement' box then and all worked fine.
>
> Is the conclusion from this thread one must enter DOMAIN\ and then go into the extensions table and change the resulting entry from DOMAIN\\ to DOMAIN\?
>
> I'm not sure I understand the reason for having DOMAIN in the first place.
> Apologies if I am being slow.

What is the value of REMOTE_USER or AUTH_USER in your phpinfo()?

Normally, the value is DOMAIN\user or user@DOMAIN so for example, I have shaun@HOME. So if I put in @HOME in my username replacement, it is left with 'shaun' so it can authenticate.

However, my feeling is that you aren't using LDAP at all? In which case this tool won't work as it verifies the user against an LDAP server after it has discovered the HTTP username (Sam's JAuthTools directly set the session cookies instead, so it didn't need an LDAP server to login). In this case, something like this extension should work better http://extensions.joomla.org/extensions ... ment/18214
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
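
The username replacement discussed in this thread, as an added example that is not part of the original posts and is not JMapMyLDAP code: it strips a `DOMAIN\` prefix or `@REALM` suffix from the server-supplied identity and shows how a replacement string that is off by one backslash leaves the prefix in place. The function names, the sample values and the account-name pattern are assumptions made for the illustration.

```php
<?php
// Added illustration, not JMapMyLDAP code. Function names are hypothetical.

/** Remove $affix from the start or the end of $value, ignoring case. */
function strip_affix(string $value, string $affix): string
{
    $len = strlen($affix);
    if ($len === 0 || $len > strlen($value)) {
        return $value;
    }
    if (strncasecmp($value, $affix, $len) === 0) {
        return substr($value, $len);                 // DOMAIN\user -> user
    }
    if (strcasecmp(substr($value, -$len), $affix) === 0) {
        return substr($value, 0, -$len);             // user@REALM -> user
    }
    return $value;                                   // no match: unchanged
}

/**
 * Turn the server-supplied identity into a bare username, or null when there
 * is nothing to log in with or the result is not a plain account name.
 */
function sso_username(?string $remoteUser, string $replacement): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null;                  // no HTTP authentication: do nothing
    }
    $name = strip_affix($remoteUser, $replacement);

    // A leftover '\' or '@' means the replacement did not match. Refuse here
    // rather than hand 'DOMAIN\dave' to the LDAP search and fail later.
    // Assumed account-name pattern; adjust to your directory's rules.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name) === 1 ? $name : null;
}

// Constructed sample values: [REMOTE_USER, username replacement].
$cases = [
    ['DOMAIN\\dave', 'DOMAIN\\'],    // replacement is exactly DOMAIN\
    ['DOMAIN\\dave', 'DOMAIN\\\\'],  // replacement is DOMAIN\\ (one backslash too many)
    ['shaun@HOME',   '@HOME'],
    ['bob',          ''],            // already bare, nothing to strip
    [null,           'DOMAIN\\'],    // REMOTE_USER not set
];

foreach ($cases as [$remote, $replacement]) {
    $user = sso_username($remote, $replacement);
    printf("%-12s | %-9s | %s\n", $remote ?? '(unset)', $replacement,
        $user === null ? 'skip SSO' : "look up '$user'");
}

// In the plugin's position the input would be $_SERVER['REMOTE_USER'], which
// is only trustworthy when the web server's own auth module set it.
```

Only the second and last rows end in "skip SSO": the mismatched replacement leaves the backslash in the name, and an unset REMOTE_USER gives nothing to log in with.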

Post by azelter » Sun Jun 03, 2012 4:36 pm

Thanks very much for your reply. The value for REMOTE_USER is correct and has no extra DOMAIN or @DOMAIN parts. If the username is 'bob' REMOTE_USER reports 'bob' and the error says:
SSO: Failed to authenticate user 'bob'.
I did not realize this tool did not work without LDAP. I had assumed it would do the same as Sam Moffatt's JAuthTools (http://sammoffatt.com.au/jauthtools/SSO) which is what I was using before. It seems like his tool is not available for any version of Joomla after j1.5 and I am now trying to upgrade to j2.5, hence my search for something that will do SSO for me.
Thanks for the suggestion of the HTTP authentication plugin. It will not work for me as it would require every visitor to log in. I need a plugin that will automatically log in anyone if REMOTE_USER is already set (I am using pubcookie http://www.pubcookie.org/ to have people login to our institution) but not do anything if the person is not logged in with pubcookie (i.e. REMOTE_USER is not set).
That is what the jauthtools SSO-HTTP plugin did very well and I had assumed that the JMapMyLDAP - HTTP SSO did the same.
I will search for a different plugin if this is not the case.
Thanks for your help.

Post by ShMaunder » Tue Jun 05, 2012 6:12 pm

Are your users already registered in Joomla? I would hit trouble trying to auto create users as I cannot get a valid email from anywhere.

If all you want is auto logging in registered users then I will upload the modified file now.


Edit:
I will upload anyway. You will need to ensure that both JSSOMySite and HTTP SSO are installed.

Get the whole thing from http://shmanic.com/media/file.php?proje ... lugins.zip

Replace the file at /libraries/shmanic/jssomysite.php with the one attached.
Last edited by ShMaunder on Tue Jun 05, 2012 6:16 pm, edited 1 time in total.

Post by azelter » Tue Jun 05, 2012 6:15 pm

ShMaunder wrote:
> Are your users already registered in Joomla? I would hit trouble trying to auto create users as I cannot get a valid email from anywhere.
>
> If all you want is auto logging in registered users then I will upload the modified file now.

Yes - all my users are already registered and their usernames are identical to the value of REMOTE_USER once they have logged in with the pubcookie system.

Thanks so much!!!

Post by ShMaunder » Tue Jun 05, 2012 6:17 pm

You reply very fast :p

Try what I attached on the previous post.

Post by azelter » Tue Jun 05, 2012 6:35 pm

ShMaunder wrote:
> You reply very fast :p
>
> Try what I attached on the previous post.

Perhaps I am replying too fast again.
The plugin seems to work great!
I am not getting an edit button on the front end, but I can see this is not an issue with your plugin as the user is logged in.
So thanks so much - I really appreciate your help.

afrugone
Joomla! Apprentice
Posts: 15
Joined: Sun Jan 01, 2006 11:32 pm

Re: JMapMyLDAP - HTTP SSO Plugin

Post by afrugone » Thu Jun 21, 2012 10:38 pm

Hi, I'm trying to get SSO working with AD on Windows 2003. I've installed Joomla on a Linux machine running Debian. The first part is working very well: when a new user logs in to Joomla, as the user exists in the AD, it's created in Joomla and is associated with its group. But nothing happened with SSO. For your reference, this is my configuration:

Open the site with Internet Explorer 8 and Google Chrome

System - JSSOMySite Plugin (enabled)
------------------------------
Auto Create Users: Yes
IP Rule= Allow All
IP Exception List= (blank)
URL Bypass=nosso
Allow Backend SSO=No

SSO - HTTP Plugin (Enabled)
------------------------
User Key=REMOTE_USER
Username Replacement=DOMAIN
IP Rule= Allow All
IP Exception List= blank

Post by ShMaunder » Fri Jun 22, 2012 8:03 pm

Does your username replacement have a backslash?

Any errors in /logs/error.php?

Post by afrugone » Mon Jun 25, 2012 4:44 pm

Thanks for your soon answer, I've tested with and without the backslash (domain\ and domain), perhaps I'm not understanding how SSO must work.

If I have a user that is logged in to his computer with the domain account, how must he log in to the Joomla site using SSO? Must he simply open the page? Does he have to press login?

Thanks again for your nice work

Post by ShMaunder » Mon Jun 25, 2012 5:26 pm

Have you set up Kerberos on your Linux server? Do you have a REMOTE_USER variable in your PHP information? Setup info: http://acksyn.org/diary/?p=460

If you do, then go into your PHP info (found within Joomla System Information) and look at the REMOTE_USER - if it has a value of [email protected] then you want @MYDOMAIN.COM in the username replacement.

Make sure that both "System - JSSOMySite" and "SSO - HTTP" are enabled, then when Joomla has no user logged on, it will automatically log on with the user of the computer.

Post by afrugone » Mon Jun 25, 2012 8:09 pm

OK, I've set up Kerberos as described at http://acksyn.org/diary/?p=460, but I cannot find REMOTE_USER in System Information. Is it necessary to modify php.ini with this value? How?

Both "System - JSSOMySite" and "SSO - HTTP" are enabled

Regards

Post by ShMaunder » Mon Jun 25, 2012 9:31 pm

OK, sounds like Joomla is good.

Sounds like Apache needs a little tweaking. Have you set up either httpd.conf or .htaccess (I prefer .htaccess) with something similar to:

AuthType Kerberos
AuthName "Joomla Secure Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms YOURDOMAIN.LOCAL
Krb5KeyTab /etc/krb5.keytab
require valid-user

(if at httpd.conf, then you need to restart Apache for changes to apply).

On a non-logged domain computer, do you get a browser (non-joomla) login box?

Post by afrugone » Tue Jun 26, 2012 7:30 pm

Hi Shaun,

I've modified .htaccess with these parameters and restarted Apache, but still cannot see REMOTE_USER.

Regards
Alfredo

Post by ShMaunder » Thu Jun 28, 2012 8:32 am

This is strange. Do you see any browser login boxes when trying to access the site (on a non-logged on domain user)?

If not then you still haven't got the server set up correctly. I can't offer that much advice on this as I only know as much as the guide I posted. Though it does sound like an Apache issue as I normally get HTTP 401 errors when the authentication fails (e.g. incorrect credentials; incorrectly set up).