Recent Changes - Search:
Cookbook /

SingleSign-On

Summary: Use Windows-Logon for Authentication on pmwiki
Version: 1
Prerequisites: apache, mod_ntlm, samba/winbind
Status: Stable
Maintainer: Falk Hamann
Categories: Administration, Security

Questions answered by this recipe

Note: For other single sign-on issues for sharing database logins you may want to see AuthUserDbase.

This section is optional; use it to indicate the types of questions (if any) this recipe is intended to answer.

  1. How can Windows-Logon be used for Authentication on pmwiki ?
  2. How can Single Sign-On be realized ?
  3. Why do DOMAIN-user have to authenticate second time on pmwiki ?
  4. Would Authentication against Primary-Domain-Controller be possible ?

Description

This Cookbook describes a solution to realize Single Sign-On with Windows-Clients against Primary-Domain-Controller (Samba). This Cookbook describes a solution to implement Single Sign-On with Windows-Clients against Primary-Domain-Controller (Samba).

A long, but good description of NTLM could be found here.

What's needed ?

  1. Server
    1. Webserver which understands NTLM and validate hashes via PDC
      • Windows, IIS or apache2+mod_auth_sspi
      • *nix, apache+mod_ntlm and samba/winbindd
    2. some small adjustments on pmwiki
  2. Client
    1. OS which authenticate users against Primary-Domain-Controller
    2. Browser which sends NTLM (I prefer Firefox.)

Server - Windows

  • IIS should be play with NTLM out of the box (but is NOT free)!?
  • apache(v2.2.3)+mod-auth-sspi
    • extra\mod_auth_sspi.conf: 
      <IfModule !mod_auth_sspi.c>
 LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>

#
# Configuration for mod_auth_sspi
<IfModule mod_auth_sspi.c>
 <Location /protected/>
  AuthName "A Protected Place"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIOfferBasic On
  #SSPIBasicPreferred On
  #SSPIDomain MYDOMAIN
  SSPIOmitDomain On
  #SSPIUsernameCase On
  require valid-user
 </Location>
</IfModule>

Server - *nix

  • download, configure, compile apache+mod_ntlm
    • httpd.conf: 
      LoadModule auth_ntlm_winbind_module lib/apache/mod_auth_ntlm_winbind.so

User nobody
Group winbindd # is needed to access /var/run/samba/winbindd_privileged

<Directory "/var/www/htdocs/pmwiki">
 AuthName "NTLM Authentication thingy"
 NTLMAuth on
 NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
 NTLMBasicAuthoritative on
 AuthType NTLM
 require valid-user
</Directory>
    • think about ssl
  • prepare winbindd for apache+mod_ntml
    • install, configure samba
    • let the server join the domain
      • net rpc join
    • grant apache to access /var/run/samba/winbindd_privileged
      1. groupadd winbindd
      2. chgrp winbindd /var/run/samba/winbindd_privileged
      3. /etc/rc.d/apache restart

pmwiki-config

  • local/farmconfig.php or local/config.php 
    include_once ("$FarmD/scripts/httpauth.php");//NTLM-Auth, Basic-Auth
include_once ("$FarmD/scripts/authuser.php");
if(@$_SERVER['REMOTE_USER']) {
  #remove domainname
  $temp = preg_replace("/^[^\\\]+\\\/", "", @$_SERVER['REMOTE_USER']);
  $_SERVER['REMOTE_USER'] = $temp;
  $Author = $temp; #set Author to REMOTE_USER
  AuthUserId($pagename, stripmagic(@$_SERVER['REMOTE_USER']));#authuser
  #fix-author for editform
  SDVA($InputTags['e_author'], array(
    ':html' => "$Author<input type='hidden' \$InputFormArgs />",
    'name' => 'author', 'value' => $Author));
}

Client Preferences

  • Firefox Preferences
    1. about:config
    2. network.automatic-ntlm-auth.trusted-uris=yourserver.domain
  • Opera Preferences
    1. opera:config
    2. Network->Enable NTLM
  • IE Preferences
    1. not used, unknown

Notes

What happens, if browser not support NTLM ?
Fallback Authentication-method is "Basic-Auth", which pop-up the ugly browserwindow, which asks for login and password.
username: DOMAIN\user

Which browsers/plattforms support NTLM ?

  • WinXP/Firefox >1.0: works
  • WinXP/Opera 9.02: only Basic-Auth (see forum)
  • WinXP/IE 6: should work (not tested)
  • linux/Firefox 2.0: only Basic-Auth
  • linux/Firefox 2.0+NTLM-Proxy: should work (not tested)
  • linux/Opera 9.02: FAILED !!" (NTLM featre for Opera seems to be windows-only)

Could Groups defined in AuthUser be used ?

  • Yes ! Nothing have to be changed. You can define also global passwords in config.php. See PasswordsAdmin and Passwords.

Release Notes

If the recipe has multiple releases, then release notes can be placed here. Note that it's often easier for people to work with "release dates" instead of "version numbers".

Version 1(20061130)

See Also

Contributors

Comments

User notes? : If you use, used or reviewed this recipe, you can add your name. These statistics appear in the Cookbook listings and will help newcomers browsing through the wiki.