
Single Sign On (with Active Directory)

wintermeyer edited this page Mar 12, 2013 · 16 revisions

You need a GS 5.1 installation! Version 5.0 and earlier don't support this functionality!

  1. Set the variable SingleSignOnEnvUserNameKey to type string and value REMOTE_USER. (REMOTE_USER is the environment variable which is set by Apache on successful authentication; it is set by the server, not taken from the client.)

  2. Install libapache2-mod-auth-ntlm-winbind, krb5-user and samba-common-bin:

     #aptitude install libapache2-mod-auth-ntlm-winbind krb5-user samba-common-bin
    
  3. Stop the firewall if you experience problems with step 5 or 6

     #service shorewall stop
     #update-rc.d -f remove shorewall
    
  4. Configure krb5 and samba to fit your environment

/etc/samba/smb.conf:

    workgroup = yourwindowsdomain
    realm = YOUR.REALM
    null passwords = yes
    password server = *
    security = ads
    encrypt passwords = yes
    winbind separator = +
    client use spnego = yes
    client ntlmv2 auth = yes
    winbind refresh tickets = yes

  5. Check kerberos

      #kinit Administrator
    
      #klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: Administrator@YOUR.REALM
     
      Valid starting    Expires           Service principal
      08/02/2013 09:15  08/02/2013 19:16  krbtgt/YOUR.REALM@YOUR.REALM
               renew until 09/02/2013 09:15
    

    If you see output like the above, your Kerberos setup is working.

  6. Join the Windows domain

      #net ads join -U Administrator
    
      #service winbind restart
    
      #wbinfo -u
      YOURWINDOWSDOMAIN+user1
      YOURWINDOWSDOMAIN+user2
      YOURWINDOWSDOMAIN+user3
    

    If you see output like the above, your winbind (Samba) setup is working.

  7. Create a domain user for GS5. Set User-Name to YOURDOMAIN+yourwindowsusername. Add this user to the Admins group.

  8. Add the Apache user to the winbind group

       #adduser www-data winbindd_priv
    
  9. Configure Apache to do the authentication

    Apache needs to know when to do ntlm_auth and when not. Phones cannot do ntlm_auth. Workstations can. In most environments phones and workstations are in different networks, e.g. phones 10.0.0.0/8 and workstations 172.16.0.0/16.

      #a2enmod auth_ntlm_winbind
    

/etc/apache2/sites-enabled/gemeinschaft:

    <Directory /opt/gemeinschaft/public>
        AllowOverride all
        Options -MultiViews
        Options FollowSymLinks

        ### AD auth ###
        AuthName "NTLM Authentication"
        NTLMAuth on
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        NTLMBasicAuthoritative on
        AuthType NTLM
        require valid-user

        # Apache does not accept comments at the end of a directive line
        # (the words would be parsed as extra hosts), so the notes on the
        # Allow/Deny rules are kept on their own lines.
        Order Allow,Deny
        # phones do not do ntlm auth
        Allow from 10.0.0.0/8
        # workstations do ntlm auth
        Deny from 172.16.0.0/16
        Allow from All
        Satisfy any
        ### AD auth ###
    </Directory>

Other ways to separate phones from workstations work, too. Be creative!

  10. Restart Apache and make sure your browser does NTLM authentication

    Hint for Mozilla Firefox: network.automatic-ntlm-auth.trusted-uris

  11. Open GS5 in your browser. You are logged in automatically. :-)

  12. Finally you'll have to set up winbind to be started automatically:

      #update-rc.d winbind defaults
    