[JAuthTools] Kerberos SSO on Linux host

icebrian
Joomla! Apprentice
Posts: 7
Joined: Thu Feb 26, 2009 10:11 pm

[JAuthTools] Kerberos SSO on Linux host

Post by icebrian » Fri Feb 27, 2009 11:36 am

Well I revert to this forum after losing much sleep trying to understand all this. Before anything I would like to position my understanding of SSO/Kerberos/AD, which is close to nil. I am and have been a Linux user for the past 4 years and have never required SSO capabilities; however, times change and apparently the need for a Joomla SSO has arisen.

Let me first explain the requirements and platform.

Platform
----------------------------
- Joomla v1.0.13
- JAuthTools v1.0.8
- CentOS Linux (but will probably be migrated over to SUSE Linux)
- MySQL DBMS
- Apache with mod_auth_kerb
- PHP with ldap support
- Kerberos
- Windows 2003 R2 Active Directory

Requirements
----------------------------
- If user doesn't exist in AD (or not authenticated via Kerberos) then
login page is presented
- If user authenticated via Kerberos do not display login page

Now my questions/doubts:

1. Is SSO using Kerberos possible using JAuthTools when Joomla is
hosted on a Linux system?
2. If SSO is possible, would any code editing be necessary or does
JAuthTools provide everything necessary for the requirements above?
3. Anyone know of a step-by-step HOW-TO to accomplish what I need?

Ok, those are a few of my questions, but truth be told, I am a little lost, so much so that I am not even sure what I want to ask. If my requirements are in fact possible what I really need is a kind of check-list to what I should do. For example:

1. Set up your Linux host with Joomla, MySQL etc. and make sure it's running
2. Install JAuthTools
3. Set up Joomla LDAP and test
4. Create users in AD
5. Create keytab files and move them over to the Linux host
6. Test Kerberos?

(If the above steps are completely wrong please correct me)

Now I would just like to list what I have been able to accomplish.

I have successfully set up Active Directory integration, so that a user logging in through the Joomla login page gets checked against the AD; if the user exists and the password is correct he/she gets authenticated and copied over to the Joomla database.

Now my next step is SSO. I have followed various instructions that tell me how to get Kerberos working. I have created the users in AD (username=hostname) for principals host & HTTP and have imported keytab files to the Linux host, I have configured Apache to use Kerberos authentication, but... nothing happens. In a dev system which is not associated to any NT domain a login box appears (apache auth); if I enter username/password the login is accepted, however the Joomla login page is shown right after.

Where I think my biggest doubt lies is concerning Kerberos and how it should be used/integrated.
From what I understand no password is ever required, but if this is the case how do I get past the login page? Does a component of JAuthTools take care of this for me? Also, is it possible to test SSO when on a Linux machine?

Well, sorry for the long post, but I would really appreciate any help. I don't exactly require step-by-step instructions but more of a procedure/check-list to follow, which plug-ins are essential and how configurations should be set (maybe not). Well, something (or anything) along these lines would be great.

Sincerely,
Istvan Cebrian

icebrian
Joomla! Apprentice
Posts: 7
Joined: Thu Feb 26, 2009 10:11 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by icebrian » Fri Feb 27, 2009 5:15 pm

Ok, I think I need to simplify my question.

First though, let me assure everyone that AD Integration (SSI) is working just fine and Kerberos is correctly configured.

Now, should the LDAP SSO mambot take care of everything considering I am authenticated? Do I need to change any code? The thing is, I am quite sure all configurations are correct, I am also sure I am authenticated via Kerberos since the PHP variables REMOTE_USER and AUTH_TYPE are set correctly. But when I access the login page, nothing happens; the login screen just sits there requiring me to enter username/password.

I just need confirmation that I don't need to do any code editing and that the mambot LDAP SSO should take care of everything automatically if a user is in fact Kerberos authenticated.

Thanks,

icebrian
Joomla! Apprentice
Posts: 7
Joined: Thu Feb 26, 2009 10:11 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by icebrian » Tue Mar 03, 2009 3:18 pm

Well it seems I have managed. Apparently I was using the wrong SSO
plugin. I wanted HTTP authentication and I thought LDAP SSO would work
for this, which does not. I got everything working by installing HTTP
SSO from http://joomlacode.org/gf/project/jauthtools/frs/.

YelleN
Joomla! Apprentice
Posts: 6
Joined: Fri Jan 20, 2006 8:28 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by YelleN » Wed Apr 08, 2009 8:21 am

Would you mind sharing what you had to do to get this working? Maybe a step by step.

icebrian
Joomla! Apprentice
Posts: 7
Joined: Thu Feb 26, 2009 10:11 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by icebrian » Wed Apr 08, 2009 9:49 am

Joomla LDAP Plugin

Host: w2003ad.domain.com
Port: 389

LDAP v3: Yes
Negotiate TLS: No
Don't follow referrals: No
LDAP directory is AD: Yes

Base DN: DC=domain,DC=pt
Users DN: [username]@domain.com
Search string: sAMAccountName=[search]
Connect username: admin-username@domain.com
Connect password: password
Authorization Method: Bind As User

Map FullName: displayName
Map Email: mail
Map User ID: sAMAccountName
Map Password: userPassword
Map User Blocked: loginDisabled
Map Group Name: groupMembership
Map Group Members: member

Auto Create Users: Yes
Auto Create Public Frontend: Yes
Demote Users: No
Force LDAP Auth: Yes
CB: Confirm Users: Autoconfirm
Synchronization Event: On Login

Default Group: Frontend User
Use iconv: Yes

LDAP SSI

Use Global Settings: Yes

HTTP Single Signon

User Key: REMOTE_USER
Username Replacement: @DOMAIN.COM
Use Global Settings: Yes

LDAP Sync

Use Global Settings: Yes

You will also need to configure Kerberos on the Linux host. To do so, create a keytab file for the admin user in the AD with lines such as:

ktpass -princ host/hostname.domain.com@REALM.COM -mapuser joomla -pass joomla -out joomla.keytab
ktpass -princ HTTP/hostname.domain.com@REALM.COM -mapuser joomla-http -pass joomla -out joomla-http.keytab

Import said keytab files into your Linux host with something like:

ktutil
> rkt /path/to/joomla.keytab
> rkt /path/to/joomla-http.keytab
> wkt /etc/krb5.keytab
> q

Test authentication with "kinit -k host/hostname.domain.com" and then just "kinit".

In the Joomla root directory (webserver) you will need to create a .htaccess file such as:

Options FollowSymLinks Indexes MultiViews
IndexOptions FancyIndexing

<FilesMatch "\.php$">
	AuthType Kerberos
	KrbAuthRealm DOMAIN.COM
	KrbServiceName HTTP
	Krb5Keytab /etc/krb5.keytab
	KrbMethodNegotiate on
	KrbMethodK5Passwd off
	require valid-user
</FilesMatch>

If you don't have Kerberos authentication on the system you're using to test with, change the directive KrbMethodK5Passwd to ON. It will then bring up a password dialog to request your username and password.

As you can see this .htaccess file only applies to .PHP files, so you will also need to create an index.html file that redirects to the index.php file such as:

<html>
<head>
        <title></title>
        <meta http-equiv="refresh" content="0;url=index.php">
</head>
<body></body>
</html>

This is needed to prevent the automatic detection of replay attacks.

This is everything I remember I did. The SSI module won't be necessary if all you want is SSO. However, with the use of "ErrorDocument 401" I managed to get both SSO and SSI/Normal login working.

Hope this helps.
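The HTTP Single Signon settings in the post above (User Key: REMOTE_USER, Username Replacement: @DOMAIN.COM) describe a mapping: mod_auth_kerb leaves the full Kerberos principal (user@REALM) in REMOTE_USER, the plugin strips the replacement suffix to obtain a Joomla username, and the LDAP plugin substitutes that name into its "Search string: sAMAccountName=[search]". The Python below is an added example written for this thread, not JAuthTools or Joomla code, that spells the mapping out together with the checks a defender wants around it: accept only principals from the configured realm, compared case-sensitively, restrict the stripped name to a safe character set, and escape the value per RFC 4515 before it goes into an LDAP filter. The environment dictionary, realm and usernames are constructed.

```python
"""Added example (not JAuthTools/Joomla code): the REMOTE_USER -> username
mapping implied by the HTTP Single Signon settings, with explicit checks.
The CGI environment, realm and usernames are constructed for the example."""
import re

# Assumed to equal the plugin's "Username Replacement" setting.
USERNAME_REPLACEMENT = "@DOMAIN.COM"

# Characters allowed in a username once the realm suffix is stripped.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def principal_to_username(environ, replacement=USERNAME_REPLACEMENT):
    """Return the local username for a Kerberos-authenticated request, or None.

    mod_auth_kerb sets REMOTE_USER to the full principal (user@REALM). Only
    principals carrying the configured realm suffix are accepted, compared
    case-sensitively because Kerberos realms are case-sensitive; a principal
    from another realm must not be mapped onto a local account name. None
    means "not authenticated by Kerberos here": fall through to the login page.
    """
    remote_user = environ.get("REMOTE_USER", "")
    if not replacement or not remote_user.endswith(replacement):
        return None
    username = remote_user[: -len(replacement)]
    if not USERNAME_RE.fullmatch(username):
        return None
    return username


# RFC 4515 escapes for the characters that are special inside an LDAP filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def ldap_filter_escape(value):
    """Escape a value before it is substituted into an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_string(search_template, username):
    """Fill the plugin's "Search string" template ([search]) with an escaped value.

    On the SSO path the username has already passed USERNAME_RE, so escaping
    changes nothing; on the normal login path [search] is whatever was typed
    into the form, and escaping keeps filter metacharacters literal.
    """
    return search_template.replace("[search]", ldap_filter_escape(username))


if __name__ == "__main__":
    # Constructed CGI environment as mod_auth_kerb leaves it after SPNEGO.
    for env in ({"REMOTE_USER": "jdoe@DOMAIN.COM"}, {"REMOTE_USER": "jdoe@OTHER.COM"}, {}):
        user = principal_to_username(env)
        if user is None:
            print(f"{env!r}: no SSO user, show the login page")
        else:
            print(f"{env!r}: search with {build_search_string('sAMAccountName=[search]', user)}")
```

Two points on the configuration this example sits next to: the realm comparison is deliberately exact, so a principal in a lower-case or foreign realm falls through to the login page rather than being silently mapped; and the LDAP plugin settings above use "Authorization Method: Bind As User" over port 389 with "Negotiate TLS: No", which means a password typed into the normal login form is sent to the domain controller in clear text on the network, so enabling TLS there is worth considering independently of the SSO work.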

icebrian
Joomla! Apprentice
Posts: 7
Joined: Thu Feb 26, 2009 10:11 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by icebrian » Wed Apr 08, 2009 9:56 am

One other important note. It is very important that the keytab file you generate for a specific host/HTTP request matches the FQDN (hostname.domain.com) of where you are hosting Joomla. If they do not match then authentication will not work.

While testing always view your KDC & Apache logs for error messages. These can be very helpful.

Oh and one more thing. A large time drift between your AD and your linux host will also cause authentication not to work. Keep that in mind.
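The two conditions in the post above, a keytab principal that matches the host's exact FQDN and an acceptable clock offset between the Linux host and the AD, can be checked before any Joomla debugging. The Python below is an added example for this thread, not JAuthTools code: it parses the output of `klist -k` (a constructed sample is embedded; in real use capture the command's output) to confirm that the keytab holds the HTTP service principal the .htaccess above relies on, distinguishing a missing principal from one that differs only in case, and compares two clock readings against the 300-second skew that MIT Kerberos tolerates by default. Hostnames and realm are constructed.

```python
"""Added example (not JAuthTools code): scripted versions of the two checks
in the post above, keytab principal vs. FQDN and clock skew. The klist output,
hostnames and realm are constructed for the example."""
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output. Note the capital H
# in the HTTP entry's hostname: AD does not care about case, Kerberos does.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hostname.domain.com@REALM.COM
   3 HTTP/Hostname.domain.com@REALM.COM
"""

MAX_CLOCK_SKEW_SECONDS = 300  # MIT krb5 default for the clockskew setting


def parse_klist(output):
    """Return [(kvno, principal), ...] from `klist -k` text, skipping headers."""
    entries = []
    for line in output.splitlines():
        match = re.match(r"^\s*(\d+)\s+(\S+)\s*$", line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return entries


def check_service_principal(entries, fqdn, realm, service="HTTP"):
    """Report whether the keytab holds exactly service/fqdn@REALM.

    Returns "ok", "case-mismatch" or "missing". Kerberos compares principal
    names byte for byte, so HTTP/Hostname... does not satisfy a request for
    HTTP/hostname... even though AD treats the two account names alike.
    """
    wanted = f"{service}/{fqdn}@{realm}"
    principals = [principal for _, principal in entries]
    if wanted in principals:
        return "ok"
    if any(principal.lower() == wanted.lower() for principal in principals):
        return "case-mismatch"
    return "missing"


def check_clock_skew(host_time, kdc_time, max_skew=MAX_CLOCK_SKEW_SECONDS):
    """True when the host and KDC clocks differ by at most max_skew seconds."""
    return abs(host_time - kdc_time) <= max_skew


def run_checks(klist_output, fqdn, realm, host_time, kdc_time):
    """Collect the results of each check in a dict, for a report or a test."""
    entries = parse_klist(klist_output)
    return {
        "host_principal": check_service_principal(entries, fqdn, realm, "host"),
        "http_principal": check_service_principal(entries, fqdn, realm, "HTTP"),
        "clock_ok": check_clock_skew(host_time, kdc_time),
    }


if __name__ == "__main__":
    # Constructed epoch readings: the web host runs 7 minutes ahead of the DC.
    results = run_checks(SAMPLE_KLIST_OUTPUT, "hostname.domain.com",
                         "REALM.COM", 1700000420, 1700000000)
    for name, value in results.items():
        print(f"{name}: {value}")
```

In real use the FQDN comes from `socket.getfqdn()` (it must agree with what `hostname -f` and the DNS forward and reverse records say), and the KDC's clock from an NTP query against the domain controller; a "case-mismatch" result points straight at the ktpass invocation that produced the keytab.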

YelleN
Joomla! Apprentice
Posts: 6
Joined: Fri Jan 20, 2006 8:28 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by YelleN » Wed Apr 08, 2009 11:42 am

Thanks for the precious help.

micatvie
Joomla! Apprentice
Posts: 16
Joined: Wed May 06, 2009 4:32 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by micatvie » Thu May 07, 2009 7:50 am

Hi icebrian,
I've got LDAP auth working with AD, but not the seamless single sign-on without typing the name & password.
I run Apache on Windows. Do I need this Kerberos thing in that case? I cannot get REMOTE_USER from Apache, which seems to be needed for HTTP SSO.
What is the usersource session module for? Every time I activate it the system is dead and I cannot log in anymore...

Any ideas/comments?

Best regards
Claudius


---> solution <----
I've got seamless SSO working on Windows + Apache + Joomla.
Follow the instructions from the following post:
http://forum.joomla.org/viewtopic.php?f ... o#p1646507

My problem now is that first-time users have to log in manually and get the failure message
Plugin plgusersourceldap failed to find user
Any ideas to get rid of that?

micatvie
Joomla! Apprentice
Posts: 16
Joined: Wed May 06, 2009 4:32 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by micatvie » Thu May 07, 2009 12:02 pm

I changed in usersource.php

$plugin = new $className ($this);

to

$plugin = new $className ($this, (array)$plugin);

All warnings have disappeared now. I don't know if it's really fixed, but users don't get those failure messages.

micatvie
Joomla! Apprentice
Posts: 16
Joined: Wed May 06, 2009 4:32 pm

Re: [JAuthTools] Kerberos SSO on Linux host

Post by micatvie » Thu May 07, 2009 12:06 pm

Last thing to be solved is that first-time visitors have to log in manually.
I think I set everything I found related to autocreate users to "on".
Any ideas to get that to work?

