Building SSO on Joomla 2.5 with Active Directory

July 27, 2014


I recently got a request to add SSO to our IT self-service web portal which is running Joomla 2.5.  Sounded like a good idea as we have been doing as much as we can to make things simpler and easier for our users.  We already had LDAP integration and I thought if I could find the right plug-in(s), that it would not be too difficult.

What I found was a lot of different approaches and ideas and “things that worked for me” out on the Internet and I wanted to add to that list.  What I think makes this different is that I want to be very explicit in explaining the environments that are being used so that there is no confusion about whether or not this may work for you.  Hopefully, others will comment here with their experiences with other environments and platforms.

My World

To start with, let me run down exactly what I am running here:

  • 64-bit CentOS 5.5 (kernel 2.6.18-194.21.1.el5)
    • Joomla 2.5.22
    • MySQL 5.0.84-2
    • PHP 5.3.6
    • Apache 2.2.8-1
    • Community Builder 1.8
  • 64-bit Windows 2008 R2 SP1 Active Directory, 2003 native forest functional level

Kerberos in Joomla

In order to support SSO, I knew that I needed a plug-in that could take the user name that Apache's mod_auth_kerb has already authenticated and get that information integrated with Community Builder and the local user database within Joomla.  If the user was not already known, they would be automatically added as a registered user within Joomla.

After a few searches, I came across Shmanic and their tool called JMapMyLDAP.  The online documentation on the site is very good and it gave me the information that I needed to get started quickly.  This is a very simple and easy-to-use plug-in for SSO.  Of course it has other neat features for LDAP integration, but for now I am only focusing on the SSO aspect.  Installation was quick and painless.  From the Joomla back-end, install the Shmanic platform package followed by the HTTP SSO package.  Remember to activate them both.  The former will appear as “Authentication – User Adapter”.  From Components->Shmanic Config:Base Settings, enable the platform and check “SSO”.  I did not make any changes to the values on the SSO Settings tab, as they were exactly what I wanted already.

Next, I opened Extensions->Plug-in Manager->SSO-HTTP and set

  • Status to enabled
  • access to public
  • legacy mode to no
  • User Key to REMOTE_USER
  • Username Replacement to @MYDOMAIN.COM

and saved the configuration.  User Key names the server variable the plug-in reads (mod_auth_kerb puts the authenticated principal in REMOTE_USER), and Username Replacement strips the @MYDOMAIN.COM realm suffix from that value so that the Joomla account is the bare AD user name rather than username@MYDOMAIN.COM.  So now I have this ready to integrate with Apache, so on to that step.

Configuring Kerberos in CentOS

Looking around the Internet, I found a number of great resources on hooking CentOS with Kerberos authentication.

What I learned is that each site may be different, as are versions of commands, so you really need to experiment a bit on your site to find the right mix.  Based on my reading, it looked like Samba was mandatory in order to build the Kerberos keytab file, so I installed it with

yum install samba

Using those resources, I created the /etc/krb5.conf file as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 fcc-mit-ticketflags = true
 default_keytab_name = FILE:/etc/krb5.keytab
 
[realms]
 MYDOMAIN.COM = {
  kdc = dc.mydomain.com
  master_kdc = dc.mydomain.com
  admin_server = dc.mydomain.com
  default_domain = mydomain.com
 }
 
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Note the capital letters above.  Kerberos realm names are case-sensitive, and an AD realm is the DNS domain name in upper case, so MYDOMAIN.COM and mydomain.com are different realms; this also matters when you attempt to log in from a non-domain computer, but more about that later.  Two things in the [libdefaults] encryption type lists are not needed here: the single-DES types (des-cbc-crc, des-cbc-md5) are disabled by default on Windows Server 2008 R2 domain controllers, and the AES types only become available once the domain functional level is 2008 or higher, so with a 2003-level forest the tickets will in practice use arcfour-hmac-md5 (RC4).  Next, I went to my domain controller and added this Linux machine to Active Directory.  That seemed the easiest way to get this step done, rather than trying to figure out how to do it from the Linux system, although I have been told it is possible.

The next step is to get a Kerberos ticket for our AD user; a successful kinit (check with klist) also confirms that krb5.conf can reach the KDC.  This is done with the command

kinit mydomainuser

Then, create the keytab entry.  This is the step that needed Samba (ktpass.exe on the domain controller is the other common way to produce an HTTP keytab).  First, I had to put the following block into /etc/samba/smb.conf:

[global]
 netbios name = myCentOS-name-in-DNS
 realm = MYDOMAIN.COM
 security = ADS
 encrypt passwords = yes
 password server = dc.mydomain.com
 workgroup = AD-SHORT-DOMAIN-NAME
 log level = 3

Then, I entered the command:

net ads keytab add HTTP -U mydomainuser

And finally, I restricted the keytab to the local apache user.  chown on its own only changes the owner; the mode has to be tightened as well, because anyone who can read the keytab holds the site's long-term Kerberos key and can decrypt or forge service tickets for it:

chown apache:apache /etc/krb5.keytab
chmod 600 /etc/krb5.keytab

klist -kte /etc/krb5.keytab should now list an HTTP/myCentOS.mydomain.com@MYDOMAIN.COM entry with a key version number; note the exact spelling and case of that principal, because Apache has to be told the same string.
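Two checks worth running at this point, as an added example that is not part of the original post: the keytab must not be readable by other local users (whoever can read it holds the HTTP service key), and it must contain the HTTP/host principal with a key type the domain will actually use.  The functions parse klist -kte output, so the listing embedded below is a constructed stand-in for a real keytab; mycentos.mydomain.com and MYDOMAIN.COM are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the HTTP keytab.
# mycentos.mydomain.com / MYDOMAIN.COM are the post's placeholders and the
# klist listing below is constructed, so this runs without a KDC.

# Succeed (0) if FILE grants any permission to "other" users, i.e. every local
# account can read the service key; 1 if the other-class bits are clear; 2 if unreadable.
keytab_is_world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *0) return 1 ;;    # last octal digit is the "other" class
        *)  return 0 ;;
    esac
}

# Read `klist -kte` output on stdin and report every key for principal SPN.
# Succeed only if at least one key is not single DES, which 2008 R2 DCs will not use.
keytab_has_usable_spn() {
    spn=$1
    found=1
    # MIT klist -kte lines:  KVNO  date  time  principal  (enctype)
    while read -r kvno d t principal enc rest; do
        [ "$principal" = "$spn" ] || continue
        enc=${enc#?}          # drop the opening parenthesis
        enc=${enc%?}          # drop the closing parenthesis
        case "$enc" in
            des-*) echo "kvno $kvno $spn: $enc (single DES, unusable)" ;;
            *)     echo "kvno $kvno $spn: $enc (usable)"; found=0 ;;
        esac
    done
    return $found
}

# Constructed stand-in for `klist -kte /etc/krb5.keytab` on the post's host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/27/14 10:12:00 HTTP/mycentos.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
   2 07/27/14 10:12:00 HTTP/mycentos.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
   2 07/27/14 10:12:00 host/mycentos.mydomain.com@MYDOMAIN.COM (arcfour-hmac)'
SPN='HTTP/mycentos.mydomain.com@MYDOMAIN.COM'

# On the real host replace the printf with:  klist -kte /etc/krb5.keytab | keytab_has_usable_spn "$SPN"
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_usable_spn "$SPN"; then
    echo "OK: $SPN has a usable key"
else
    echo "FAIL: no usable key for $SPN"
fi

if [ -r /etc/krb5.keytab ] && keytab_is_world_accessible /etc/krb5.keytab; then
    echo "WARNING: /etc/krb5.keytab is readable by every local user; chmod 600 it"
fi
```

Single-DES entries are reported but not counted because a 2008 R2 domain controller will not issue DES-keyed service tickets by default: a keytab holding only DES keys lets kinit succeed for the user while every Negotiate attempt against Apache fails.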

Configuring Apache

Last, we need to integrate all of this into Apache.  I added the following directives to /etc/httpd/conf/httpd.conf, inside the block that covers the Joomla document root (an Options line may not mix +/- prefixes with bare keywords, so FollowSymLinks carries an explicit +):

         Options -Indexes +FollowSymLinks
         AllowOverride FileInfo Options
         AuthType Kerberos
         AuthName "E-mail Login using @MYDOMAIN.COM"
         KrbMethodNegotiate on
         KrbMethodK5Passwd on
         KrbAuthRealm MYDOMAIN.COM
         Krb5Keytab /etc/krb5.keytab
         KrbServiceName HTTP/myCentOS.mydomain.com@MYDOMAIN.COM
         require valid-user

KrbMethodNegotiate on is what gives domain browsers SSO (SPNEGO over the Negotiate header).  KrbMethodK5Passwd on adds a fallback in which the browser sends a name and password with HTTP Basic authentication and mod_auth_kerb uses them to obtain a ticket, so that fallback must only be reachable over HTTPS.  KrbServiceName must match a principal in the keytab exactly, including the case of the host name (compare with klist -kte), and require valid-user admits any account in the realm, leaving it to Joomla to decide what that account may do.

Next, I restarted Apache by executing the command

/etc/init.d/httpd restart

and got the notification “Starting httpd: httpd: Could not reliably determine the server’s fully qualified domain name, using myCentOS.mydomain.com for ServerName”.  It did not impact the site.  The message means httpd had no ServerName directive and fell back to a reverse DNS lookup of the host's address; adding ServerName myCentOS.mydomain.com to httpd.conf silences it.  It is worth fixing here, because for Kerberos the same name has to agree everywhere: the host name in the URL users type, the forward and reverse DNS records, and the host part of the HTTP/ service principal.
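An added example of how the same integration looks with the loose ends above tied up; this is not the post's own configuration.  The virtual-host layout, certificate paths and document root are assumptions, and the keytab is expected to be readable only by the user Apache runs as (mode 600 owned by apache, or 640 owned by root with group apache).  Plain HTTP only redirects, so the password fallback can never run in the clear:

```apache
# Added example, not the post's own configuration: mod_auth_kerb behind TLS.
# ServerName removes the "Could not reliably determine ... fully qualified domain
# name" warning and must be the name users type, which is also the host part
# of the HTTP/ service principal.
ServerName myCentOS.mydomain.com

# Plain HTTP never serves the site; redirect so the Basic-auth fallback cannot run in the clear.
<VirtualHost *:80>
    ServerName myCentOS.mydomain.com
    Redirect permanent / https://myCentOS.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName myCentOS.mydomain.com
    SSLEngine on
    # Assumed certificate paths.
    SSLCertificateFile /etc/pki/tls/certs/myCentOS.mydomain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/myCentOS.mydomain.com.key
    # Assumed Joomla document root.
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
        AllowOverride FileInfo Options
        # Refuse the request outright if it somehow arrives without TLS.
        SSLRequireSSL
        AuthType Kerberos
        AuthName "E-mail Login using @MYDOMAIN.COM"
        # SPNEGO for domain browsers ...
        KrbMethodNegotiate on
        # ... and the username@REALM + password fallback for everyone else (TLS only).
        KrbMethodK5Passwd on
        # Before accepting a password login, verify the KDC's reply against our own
        # keytab so that a spoofed KDC cannot vouch for an attacker.
        KrbVerifyKDC on
        # The web application does not need delegated credentials; write no ticket caches.
        KrbSaveCredentials off
        KrbAuthRealms MYDOMAIN.COM
        # Keytab readable only by the apache user (see the chmod step above).
        Krb5Keytab /etc/krb5.keytab
        # Must match the keytab entry exactly, including case; check with klist -kte.
        KrbServiceName HTTP/myCentOS.mydomain.com@MYDOMAIN.COM
        # Any account in the realm may authenticate; Joomla decides what it may do.
        Require valid-user
    </Directory>
</VirtualHost>
```

Keep KrbMethodK5Passwd on only if the password fallback is genuinely needed; with it off, a browser without a ticket simply gets a 401 and the server never handles an AD password at all.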

Test and Done

At this point, I ran my test from a local Active Directory domain computer running IE and I was logged on to our Joomla site without entering another password or seeing a login prompt.  (IE only sends the Kerberos ticket automatically to sites it places in the Local Intranet zone, which a host on the AD domain normally qualifies for.)  Next, I tried from a non-domain computer and was prompted for credentials.  This is the KrbMethodK5Passwd fallback: the browser sends the name and password with HTTP Basic authentication and mod_auth_kerb uses them to obtain a ticket from the KDC, so the password itself crosses the network and this fallback should only be exposed over HTTPS.  You would think the username should be entered as “domain\username”, but that will not work, because what mod_auth_kerb needs is a Kerberos principal name in the form username@MYDOMAIN.COM.  This is why I set the AuthName in my Apache config file to “E-mail login using @MYDOMAIN.COM”, to remind users how to enter their credentials.

Article by Steve Van Domelen
