I recently got a request to add SSO to our IT self-service web portal which is running Joomla 2.5. Sounded like a good idea as we have been doing as much as we can to make things simpler and easier for our users. We already had LDAP integration and I thought if I could find the right plug-in(s), that it would not be too difficult.
What I found was a lot of different approaches and ideas and “things that worked for me” out on the Internet and I wanted to add to that list. What I think makes this different is that I want to be very explicit in explaining the environments that are being used so that there is no confusion about whether or not this may work for you. Hopefully, others will comment here with their experiences with other environments and platforms.
My World
To start with, let me run down exactly what I am running here:
- 64-bit CentOS 5.5 – 2.6-18.194.21.1.el5
- Joomla 2.5.22
- MySQL 5.0.84-2
- PHP 5.3.6
- Apache 2.2.8-1
- Community Builder 1.8
- 64-bit Windows 2008R2 SP1 Active Directory – 2003 Native Forest
Kerberos in Joomla
In order to support SSO, I knew that I needed a plug-in module that could handle obtaining information from Apache mod-auth-kerb and getting that information integrated with Community Builder and the local user database within Joomla. If the user was not already known, then they would be automatically added as a registered user within Joomla.
After a few searches, I came across Shmanic and their tool called JMapMyLDAP. The online documentation on the site is very good and it gave me the information that I needed to get started quickly. This is a very simple and easy to use plug-in for SSO. Of course it has other neat features for LDAP integration, but for now I am only focusing on the SSO aspect. Installation was quick and painless. From the Joomla back-end, install the Shmanic platform package followed by the HTTP SSO package. Remember to activate them both. The former will appear as “Authentication – User Adapter”. From Components->Shmanic Config:Base Settings, enable the platform and check “SSO”. I did not make any changes to the values on the SSO Settings tab, as they were exactly what I wanted already.
Next, I clicked on Extensions->Plug-in Manager->SSO-HTTP, again set
- Status to enabled
- access to public
- legacy mode to no
- User Key to REMOTE_USER
- Username Replacement to @MYDOMAIN.COM
and saved the configuration. So now I have this ready to integrate with Apache, so on to that step.
Configuring Kerberos in CentOS
Looking around the Internet, I found a number of great resources on hooking CentOS with Kerberos authentication.
- http://apache-http-server.18135.x6.nabble.com/mod-auth-kerb-and-mod-authnz-ldap-td4759269.html
- http://www.midwesternmac.com/blogs/jeff-geerling/apache-kerberos-authentication
- http://funwithlinux.net/2013/05/centos-6-apache-kerberos-ad-sso/
- http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html
- http://acksyn.org/blog/2009/05/24/active-directory-and-apache-kerberos-authentication/
What I learned is that each site may be different, as are the versions of the commands, so you really need to experiment a bit on your site to find the right mix. Based on my reading, it looked like Samba was mandatory in order to build the Kerberos keytab file, so I installed it with
yum install samba
Using the references above, I created the /etc/krb5.conf file as follows:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 fcc-mit-ticketflags = true
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 MYDOMAIN.COM = {
  kdc = dc.mydomain.com
  master_kdc = dc.mydomain.com
  admin_server = dc.mydomain.com
  default_domain = mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
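A small parser for the krb5.conf format above, as an added Python example that is not part of the original post. Its main purpose is a check a reviewer would run on this file: the default_tgs_enctypes and default_tkt_enctypes lists enable RC4 (arcfour-hmac-md5) and single DES, both of which MIT Kerberos has since deprecated or removed. The sample text is a constructed copy of the post's [libdefaults] and [realms] sections, MYDOMAIN.COM and dc.mydomain.com are the post's placeholders, and the AES-only replacement list is my assumption: whether the KDC actually issues AES keys depends on the domain functional level (the post's forest is 2003 native), so test it with kinit before relying on it.

```python
"""Parse a krb5.conf-style file and flag weak encryption types.

Added example, not from the original post. Handles [section] headers,
"key = value" relations and one level of "name = { ... }" blocks, which is
all the post's file uses.
"""
import copy
import re

# Enctypes MIT Kerberos has deprecated (RC4, 3DES) or removed (single DES).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-md5-exp",
    "rc4-hmac", "rc4-hmac-exp",
}

# Assumed replacement: AES only. Verify with kinit that the domain issues AES keys.
AES_ONLY = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# Constructed sample mirroring the post's settings (placeholder realm/host names).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 dns_lookup_kdc = false

[realms]
 MYDOMAIN.COM = {
  kdc = dc.mydomain.com
  admin_server = dc.mydomain.com
 }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; "name = { ... }" blocks become sub-dicts."""
    sections = {}
    current = None
    stack = []  # names of the "{" blocks currently open in this section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            stack = []
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        target = current
        for name in stack:          # descend into the open block(s)
            target = target[name]
        if value == "{":
            target[key] = {}
            stack.append(key)
        else:
            target[key] = value
    return sections


def weak_enctypes(sections):
    """Return {libdefaults key: [weak enctypes found in its list]}."""
    found = {}
    libdefaults = sections.get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key)
        if value is None:
            continue
        weak = [t for t in value.split() if t.lower() in WEAK_ENCTYPES]
        if weak:
            found[key] = weak
    return found


def harden(sections):
    """Return a copy in which every flagged enctype list is replaced by AES_ONLY."""
    out = copy.deepcopy(sections)
    for key in weak_enctypes(sections):
        out["libdefaults"][key] = AES_ONLY
    return out


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for key, types in weak_enctypes(parsed).items():
        print("%s: weak enctypes %s" % (key, ", ".join(types)))
    print("hardened:", harden(parsed)["libdefaults"]["default_tgs_enctypes"])
```

Point it at a real file with parse_krb5_conf(open("/etc/krb5.conf").read()); an empty result from weak_enctypes means the lists only name AES types.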
You should note the capital letters required above. These appear to be mandatory and will cause confusion when you attempt to log in from a non-domain computer, but more about that later. Next, I went to my domain controller and added this Linux machine to Active Directory. That seemed the easiest way to get this step done rather than trying to figure out how to do it from the Linux system, although I have been told it is possible.
The next step is to get a kerberos ticket for our AD user. This is done with the command
kinit mydomainuser
Then, create the keytab entry; this is the step Samba is needed for. First, I had to put the following block into /etc/samba/smb.conf
[global]
 netbios name = myCentOS-name-in-DNS
 realm = MYDOMAIN.COM
 security = ADS
 encrypt passwords = yes
 password server = dc.mydomain.com
 workgroup = AD-SHORT-DOMAIN-NAME
 log level = 3
Then, I entered the command:
net ads keytab add HTTP -U mydomainuser
And finally, I changed the ownership of the file so that only the local apache user could access the keytab
chown apache:apache /etc/krb5.keytab
Configuring Apache
Last, we need to integrate all of this into Apache. I modified the file /etc/httpd/conf/httpd.conf with the following text:
Options -Indexes FollowSymLinks
AllowOverride FileInfo Options
AuthType Kerberos
AuthName "E-mail Login using @MYDOMAIN.COM"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealm MYDOMAIN.COM
Krb5Keytab /etc/krb5.keytab
KrbServiceName HTTP/myCentOS.mydomain.com@MYDOMAIN.COM
require valid-user
Next, I restarted Apache by executing the command
/etc/init.d/httpd restart
and I got a notification that said, “Starting httpd: httpd: Could not reliably determine the server’s fully qualified domain name, using myCentOS.mydomain.com for ServerName”. Not sure where that came from, but it didn’t seem to impact my site, so I ignored it. BTW: If someone wants to provide details about this and perhaps how to update the config to eliminate the warning, please do so.
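A consistency check over the mod_auth_kerb directives above and the keytab they point at, as an added Python example that is not part of the original post. It verifies that KrbServiceName has the HTTP/<fqdn>@<REALM> shape with the realm in upper case and equal to KrbAuthRealm, flags KrbMethodK5Passwd on (a client with no ticket is offered a Basic-auth fallback, so the password itself travels to the server and the site should be served over TLS), and checks the keytab's mode: the chown step earlier gives the apache user ownership but does not remove group/world read bits, and the keytab holds the service key. The directive text is a constructed copy of the post's snippet; the demo creates a scratch keytab in a temporary directory and checks it against the current user, because the apache account will not exist on every machine. The "could not reliably determine the server's fully qualified domain name" warning on restart is Apache saying that no ServerName directive is set; adding ServerName myCentOS.mydomain.com to httpd.conf silences it.

```python
"""Lint mod_auth_kerb directives and the keytab file they reference.

Added example, not from the original post. parse_directives() handles the
single-line "Name value" directives used in the post's snippet.
"""
import os
import pwd
import re
import shlex
import stat
import tempfile

# Constructed sample mirroring the post's httpd.conf snippet.
SAMPLE_DIRECTIVES = """\
AuthType Kerberos
AuthName "E-mail Login using @MYDOMAIN.COM"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealm MYDOMAIN.COM
Krb5Keytab /etc/krb5.keytab
KrbServiceName HTTP/myCentOS.mydomain.com@MYDOMAIN.COM
require valid-user
"""

PRINCIPAL_RE = re.compile(r"^HTTP/(?P<host>[^@/]+)@(?P<realm>[^@]+)$")


def parse_directives(text):
    """Return {directive: value}; shlex keeps the quoted AuthName as one value."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        out[parts[0]] = " ".join(parts[1:])
    return out


def lint_directives(d):
    """Return a list of findings about the Kerberos directives in d."""
    findings = []
    m = PRINCIPAL_RE.match(d.get("KrbServiceName", ""))
    if not m:
        findings.append("KrbServiceName is not of the form HTTP/<fqdn>@<REALM>")
    else:
        if m.group("realm") != d.get("KrbAuthRealm"):
            findings.append("KrbServiceName realm does not match KrbAuthRealm")
        if m.group("realm") != m.group("realm").upper():
            findings.append("realm is not upper case (Kerberos realm names are case-sensitive)")
    if d.get("KrbMethodK5Passwd", "off").lower() == "on":
        findings.append("KrbMethodK5Passwd on: Basic-auth fallback sends the password "
                        "to the server, so serve this location over TLS only")
    return findings


def keytab_permissions_ok(path, owner="apache"):
    """True if path is owned by `owner` and has no group or world permission bits."""
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        return False
    return pwd.getpwuid(st.st_uid).pw_name == owner


def demo():
    """Lint the sample and check a scratch keytab before and after chmod 0600.

    Returns (findings, result_with_0644, result_with_0600). The scratch file is
    owned by whoever runs this, so that user is passed as the expected owner.
    """
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "krb5.keytab")
        with open(path, "wb") as fh:
            fh.write(b"")          # contents are irrelevant to a permission check
        os.chmod(path, 0o644)
        loose = keytab_permissions_ok(path, owner=me)
        os.chmod(path, 0o600)
        tight = keytab_permissions_ok(path, owner=me)
    return lint_directives(parse_directives(SAMPLE_DIRECTIVES)), loose, tight


if __name__ == "__main__":
    findings, loose, tight = demo()
    for f in findings:
        print("finding:", f)
    print("0644 keytab accepted:", loose, "| 0600 keytab accepted:", tight)
```

On the real host, keytab_permissions_ok("/etc/krb5.keytab") returns False until a chmod 600 follows the post's chown; the two commands together give the "only the apache user" result the post intends.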
Test and Done
At this point, I ran my test from a local Active Directory domain computer running IE and I was logged on to our Joomla site without entering another password or seeing a login prompt. Next, I tried from a non-domain computer and I was prompted for credentials. At this point, you would think that the process would be to enter the username as “domain\username”, however that will not work. This is because the domain information being returned is in the format of username@MYDOMAIN.COM. This is why I set the AuthName in my apache config file to “E-mail login using @MYDOMAIN.COM” to remind users how to enter their credentials.
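The mapping that the SSO-HTTP plug-in settings earlier in the post describe (User Key = REMOTE_USER, Username Replacement = @MYDOMAIN.COM), together with the username@MYDOMAIN.COM form explained just above, as an added Python example that is neither the post's nor JMapMyLDAP's code. It strips the realm suffix only when the realm is the trusted one, refuses DOMAIN\user strings, foreign realms and service principals instead of silently turning them into local account names, and auto-registers an unknown user the way the post says the plug-in does. MYDOMAIN.COM is the post's placeholder realm; lower-casing the resulting username and the allowed character set are my assumptions.

```python
"""Turn mod_auth_kerb's REMOTE_USER into a Joomla username.

Added example, not from the original post or the JMapMyLDAP plug-in.
Only the REMOTE_USER CGI variable that Apache sets after a successful
Kerberos exchange is consulted, never a client-supplied HTTP header.
"""
import re

TRUSTED_REALM = "MYDOMAIN.COM"            # the post's placeholder realm
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # assumed allowed characters


class SsoError(ValueError):
    """Raised when REMOTE_USER cannot be mapped to a local account."""


def username_from_remote_user(remote_user, realm=TRUSTED_REALM):
    """Return the local username for a user principal of the trusted realm.

    Raises SsoError for an empty value, a DOMAIN\\user string, a principal
    without a realm, a foreign realm, or a service principal (HTTP/host@REALM).
    """
    if not remote_user:
        raise SsoError("REMOTE_USER is empty: Apache did not authenticate the request")
    if "\\" in remote_user:
        raise SsoError("DOMAIN\\user is not what Kerberos returns; expected user@REALM")
    user, sep, got_realm = remote_user.rpartition("@")
    if not sep:
        raise SsoError("no realm in REMOTE_USER")
    # Realm names are case-sensitive in Kerberos (hence the post's capital letters),
    # and the plug-in's Username Replacement is a literal suffix match, so compare exactly.
    if got_realm != realm:
        raise SsoError("principal from untrusted realm %s" % got_realm)
    if "/" in user:
        raise SsoError("service principal, not a user")
    if not USERNAME_RE.match(user):
        raise SsoError("unexpected characters in username")
    return user.lower()     # assumption: AD sAMAccountNames are case-insensitive


def is_accepted(remote_user):
    """Boolean view of username_from_remote_user for quick checks."""
    try:
        username_from_remote_user(remote_user)
        return True
    except SsoError:
        return False


def sso_login(environ, users):
    """Return (username, created); unknown users are added as 'Registered'.

    `users` is a dict standing in for Joomla's user table. `environ` holds the
    CGI variables Apache passes to PHP; only REMOTE_USER is trusted.
    """
    username = username_from_remote_user(environ.get("REMOTE_USER", ""))
    created = username not in users
    if created:
        users[username] = {"username": username, "group": "Registered"}
    return username, created


if __name__ == "__main__":
    table = {}
    print(sso_login({"REMOTE_USER": "jsmith@MYDOMAIN.COM"}, table))   # created
    print(sso_login({"REMOTE_USER": "jsmith@MYDOMAIN.COM"}, table))   # existing
    for bad in ("MYDOMAIN\\jsmith", "jsmith@OTHER.COM", "HTTP/web.mydomain.com@MYDOMAIN.COM"):
        print(bad, "->", is_accepted(bad))
```

The rejection of DOMAIN\user is the same behaviour the post observes at the password prompt: the plug-in is configured to strip a trailing @MYDOMAIN.COM, so only that form yields a usable account name.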