

Integrated Authentication

Disclaimer by dj: this is not meant to be a translation of the original French article, since I neither understand a word of French nor run GLPI on a Windows machine. However, I mainly kept the code patches and the structure of the original document and filled in the configuration instructions as I know them to work for a GLPI/Mandriva setup.

Introduction

You have surely seen SSO scenarios where users accessing ASP content do not need to authenticate but appear to be authenticated magically through their Windows logon context. You can use the same kind of integrated Single Sign-On authentication for the Windows clients of your GLPI installation within a domain.

This howto uses Apache 2 and GLPI configured for external LDAP authentication against Active Directory. Use Internet Explorer for testing; recent Firefox versions also support integrated authentication using NTLM (see the browser section below).

The configuration in which the described changes have been confirmed to work is as follows:

  • GLPI 0.68.3 with AD authentication against a Windows Server 2003 directory
  • Internet Explorer 6 SP2 or Internet Explorer 7
  • Apache 2.2.3 / MySQL 5.0.24a / PHP 5.1.6

Setup

Web server modifications

Apache 2:

You have to install and activate the mod_ntlm module. It will probably be included with your distribution. Configure it according to your distribution's documentation or check the mod_ntlm home page for further information.

The basic approach:

  • check that the mod_ntlm module gets loaded by Apache on startup
  • add the NTLM directives for the directory holding GLPI

The NTLM directives for your GLPI host might look like this:

   #glpi configuration
   <Directory "/var/www/vhosts.d/glpi">
    Options None
    Order allow,deny
    Allow from all
 
    NTLMAuth on
    NTLMAuthoritative off
    NTLMDomain DOMAIN
    NTLMServer SRV1
    NTLMBackup SRV2
    NTLMLockfile /tmp/ntlmauth.lck
 
    AuthName NTAuth
    AuthType NTLM
    require valid-user
    Satisfy all
   </Directory>
 
   # Turn off authentication for all subdirectories
   # as a workaround to the Firefox/NTLM problem.
   # The path must be the GLPI directory from above. Note that
   # "Satisfy Any" together with "Allow from all" means Apache
   # enforces no authentication at all below it, so GLPI sees no
   # REMOTE_USER for requests to these subdirectories.
   <Directory "/var/www/vhosts.d/glpi/*">
    Satisfy Any
    Allow from all
   </Directory>

Please note that, due to limitations in the mod_ntlm code, NTLMServer and NTLMBackup have to be host names, not IP addresses. mod_ntlm strips everything after the first dot and passes the remaining single label as the "Called Name" in the NetBIOS Session Request packet. If you use "192.168.1.1", for example, mod_ntlm would request the resource "192", which the server refuses unless it happens to be named "192" or has StrictNameChecking disabled.
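The following is an added illustration in Python of the Called Name problem just described; it is not code from mod_ntlm or GLPI. It reproduces the derivation (cut at the first dot, upper-case, pad to 15 characters, append the one-byte service suffix, then the RFC 1001/1002 first-level encoding that goes on the wire) and a small pre-flight check you can run against a value before putting it into NTLMServer or NTLMBackup. The function names, and the assumption that mod_ntlm upper-cases the label, are mine.

```python
"""Why NTLMServer/NTLMBackup must be host names: the NetBIOS "Called Name".

Added illustration, not code from mod_ntlm or GLPI.  The derivation follows
the description in the text and the NetBIOS session service rules; the
helper names and the upper-casing step are assumptions.
"""

NETBIOS_NAME_LEN = 15       # a NetBIOS name is 15 characters plus 1 suffix byte
FILE_SERVER_SUFFIX = 0x20   # suffix of the "file server" service a session request targets


def called_name(directive_value: str) -> str:
    """Reproduce what mod_ntlm derives from an NTLMServer/NTLMBackup value.

    Everything after the first dot is dropped, so a dotted host name keeps
    its short host part, but a dotted-decimal IP address keeps only its
    first octet.
    """
    return directive_value.split(".", 1)[0].upper()


def netbios_encode(name: str, suffix: int = FILE_SERVER_SUFFIX) -> str:
    """First-level encode a NetBIOS name as it appears in a Session Request.

    The space-padded 15-character name plus the suffix byte is expanded to
    32 characters: each nibble becomes one letter in the range 'A'..'P'.
    """
    if len(name) > NETBIOS_NAME_LEN:
        raise ValueError("NetBIOS names are limited to 15 characters")
    raw = name.upper().ljust(NETBIOS_NAME_LEN).encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def session_request_accepted(directive_value: str, server_netbios_name: str,
                             strict_name_checking: bool = True) -> bool:
    """Model the server side of the Session Request.

    With strict name checking on (the Windows default) the server only
    answers to its own NetBIOS name; with it disabled it accepts any
    Called Name.
    """
    if not strict_name_checking:
        return True
    return netbios_encode(called_name(directive_value)) == netbios_encode(server_netbios_name)


def check_ntlm_server_directive(directive_value: str):
    """Return (ok, reason) for a value about to be used as NTLMServer/NTLMBackup."""
    if ":" in directive_value:
        return False, "IPv6 address: mod_ntlm needs a host name"
    label = called_name(directive_value)
    if not label:
        return False, "empty host label"
    if label.isdigit():
        return False, "looks like an IPv4 address: only '%s' would be sent as the Called Name" % label
    if len(label) > NETBIOS_NAME_LEN:
        return False, "host label longer than 15 characters cannot be a NetBIOS name"
    return True, "Called Name will be '%s'" % label


if __name__ == "__main__":
    for value in ("SRV1", "srv1.example.com", "192.168.1.1"):
        print(value, "->", check_ntlm_server_directive(value))
```

Running the block prints the verdict for a plain name, a fully qualified name and an IP address; the last one is the failure mode the text warns about.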

Here is an example of how to install the NTLM module on Ubuntu Server 9.10. Note that the tarball below is fetched over plain HTTP from a third-party blog and carries no signature; compare it with the upstream mod_ntlm source (or at least read through mod_ntlm.c) before compiling it into your web server.

 
# mkdir ntlmauth
# cd ntlmauth/
# wget http://mywheel.net/blog/wp-content/uploads/2007/04/ntlm.tar.gz
# tar zxvf ntlm.tar.gz
# apt-get update
# apt-get -y install apache2-prefork-dev
# apxs2 -i -a -c mod_ntlm.c
 
You will get a couple of errors, which you can ignore:
	apxs:Error: Activation failed for custom /etc/apache2/httpd.conf file..
	apxs:Error: At least one `LoadModule' directive already has to exist..
 
# make clean
# echo "LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so"> /etc/apache2/mods-available/ntlm.load
# a2enmod ntlm
 
you should see:
	Enabling module ntlm.
	Run '/etc/init.d/apache2 restart' to activate new configuration!
 
# /etc/init.d/apache2 reload
 
Apache should restart without errors.

To activate NTLM for the GLPI site, rather than adding to the existing default site config files, I created a glpi.conf file under /etc/apache2/conf.d:

# nano /etc/apache2/conf.d/glpi.conf
 
Paste in the following:
 
<Directory "/var/www/glpi">
        AuthName NTAuth
        AuthType NTLM
        NTLMAuth on
        NTLMAuthoritative on
        NTLMDomain DOMAINNAME
        NTLMServer PRIMARYDCNAME
        NTLMBackup SECONDARYDCNAME
        require valid-user
        Satisfy all
</Directory>
 
Change the path to your GLPI install if required, and fill in the domain name and DC names to suit your environment. Save and exit, then reload Apache to activate the configuration:
 
# /etc/init.d/apache2 reload

IIS

No idea about IIS, but given that integrated NTLM authentication has been part of IIS for ages, I just refer you to the IIS documentation for details.

GLPI modifications

Go to Setup → Authentication. Under "External authentications" click "Others" and, in "Field holding the login in the _SERVER array", select "REMOTE_USER". GLPI will then accept whatever Apache places in REMOTE_USER as the login, so make sure the directory holding GLPI really does require NTLM authentication (see the Apache configuration above); a request that did not pass mod_ntlm carries no REMOTE_USER and has to fall back to the regular login form.

GLPI version < 0.71

You will need to modify the GLPI code in the files index.php, login.php and logout.php. Back up the three affected files first so that you can revert to the original code if something goes wrong. Something like

[root@glpi glpi]# cp index.php index.php.orig
[root@glpi glpi]# cp login.php login.php.orig
[root@glpi glpi]# cp logout.php logout.php.orig

should do.

Apply the modifications with this diff. Change your current working directory to the GLPI directory and issue

[root@glpi glpi]# patch < patch-httpauth-0.68.3.txt

(sorry for the .txt extension; the wiki limits which file types may be uploaded) You should get

patching file index.php
patching file login.php
patching file logout.php

as the only response. If you did not, you probably used copy and paste to get the diff onto your target system, which may have introduced spaces instead of tabs and broken the diff. Download the file directly (e.g. using wget or ftpget) instead, or pass the --ignore-whitespace option to patch.

Now, you're nearly done.
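As an added illustration of what the GLPI side should do with the value selected under "Field holding the login in the _SERVER array" (and of the domain-prefix handling the FIXME at the end of this page touches on), here is a small Python model; GLPI itself is PHP, and this is not the code from the patch. It treats $_SERVER as a CGI/WSGI-style environ dict and enforces: only REMOTE_USER is trusted, because Apache sets it after mod_ntlm succeeded, whereas a client-supplied "Remote-User:" request header would arrive as HTTP_REMOTE_USER and is ignored; AUTH_TYPE (which Apache fills from the AuthType directive) must be the configured mechanism; DOMAIN\user and user@DOMAIN are reduced to the bare account name, assumed to be the login GLPI stores for LDAP users, optionally restricted to the domain your LDAP binding covers; and the account name is checked against a conservative character set before it is used as an LDAP lookup key. The 20-character limit and the allowed character set are my assumptions.

```python
"""Treating the login the web server hands over in REMOTE_USER.

Added illustration in Python (GLPI is PHP; this is not the patch's code).
$_SERVER is modelled as a CGI/WSGI-style environ dict.  The 20-character
limit and the allowed character set are assumptions.
"""
import re
from typing import Optional, Set, Tuple

# sAMAccountName is at most 20 characters; the allowed set here is an
# assumption that is deliberately stricter than what AD itself permits.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


class SsoError(Exception):
    """The request carries no usable server-side authentication."""


def split_domain(raw: str) -> Tuple[Optional[str], str]:
    """Return (domain or None, account) for DOMAIN\\user, user@DOMAIN or user."""
    if "\\" in raw:
        domain, account = raw.split("\\", 1)
        return domain.upper(), account
    if "@" in raw:
        account, domain = raw.rsplit("@", 1)
        return domain.upper(), account
    return None, raw


def login_from_environ(environ: dict, expected_auth_type: str = "NTLM",
                       allowed_domains: Optional[Set[str]] = None) -> str:
    """Derive the GLPI login from a request that passed Apache authentication."""
    raw = environ.get("REMOTE_USER")
    if not raw:
        # No REMOTE_USER: the request did not go through an authenticated
        # <Directory> (for instance one covered by "Satisfy Any").  A
        # HTTP_REMOTE_USER key, i.e. a header the client sent, is not
        # consulted at all.
        raise SsoError("REMOTE_USER not set by the web server")
    if environ.get("AUTH_TYPE", "").upper() != expected_auth_type.upper():
        raise SsoError("unexpected AUTH_TYPE %r" % environ.get("AUTH_TYPE"))
    domain, account = split_domain(raw)
    # A value without any domain part is accepted as-is (assumption: the
    # module then only reports the account name).
    if allowed_domains is not None and domain is not None \
            and domain not in {d.upper() for d in allowed_domains}:
        raise SsoError("user from domain %s not accepted" % domain)
    if not LOGIN_RE.match(account):
        raise SsoError("login %r contains characters outside the allowed set" % account)
    return account


def sso_login_or_none(environ: dict, **kwargs) -> Optional[str]:
    """Like login_from_environ, but None means 'show the conventional login form'."""
    try:
        return login_from_environ(environ, **kwargs)
    except SsoError:
        return None


if __name__ == "__main__":
    # Constructed sample of what Apache/mod_ntlm would put into $_SERVER,
    # plus a "Remote-User:" header a client tried to smuggle in.
    sample = {"AUTH_TYPE": "NTLM", "REMOTE_USER": "DOMAIN\\jdoe",
              "HTTP_REMOTE_USER": "DOMAIN\\administrator"}
    print(sso_login_or_none(sample, allowed_domains={"DOMAIN"}))
```

The None return value is the point where a real integration would render the normal GLPI login page, which is also the path the "Log off" button takes.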

Web Browser config

Internet Explorer

When using IE6 or IE7, add the site running GLPI to the "Local intranet" security zone. This lets the browser answer the web server's NTLM challenge automatically with the credentials of the current Windows logon.

Mozilla Firefox

Firefox has implemented NTLM authentication since version 1.0, but automatic use of the Windows logon credentials is disabled by default. To enable it, set the network.automatic-ntlm-auth.trusted-uris preference to a comma-separated list of the sites that are allowed to use NTLM authentication. For details, see the mozillaZine KB article on that preference.

The preference may be set via GPO using the FirefoxADM template if Firefox was compiled with ADM support.

Unfortunately, in recent versions of Firefox (starting with 1.0.7) NTLM authentication seems to be somewhat broken: whenever GLPI uses Ajax, many subsequent connections are opened and each of them has to be authenticated again (NTLM authenticates the TCP connection rather than the session, so every new connection repeats the handshake). This leads to some obscure breakdown of the NTLM auth, and Firefox may present an authentication dialog. To mitigate this, the Apache configuration above contains the "Satisfy Any" directive for all subdirectories of the GLPI tree. Be aware of what that does: "Satisfy Any" together with "Allow from all" means Apache no longer requires authentication for anything served from those subdirectories, so such requests reach GLPI without a REMOTE_USER and are protected only by GLPI's own session handling. Do not place anything below the GLPI directory that relies on the web server for access control.

If you ever need to authenticate as a different user than the one currently logged on, use the "Log off" button in GLPI; this brings up the conventional login prompt.

Limitations

NTLM authentication might break with certain HTTP proxy server configurations, because the handshake is tied to the TCP connection and a proxy may not keep it intact. Consider proxyless access if possible.

NTLM is a legacy challenge/response protocol. Where the environment allows it, Kerberos-based negotiation (SPNEGO) is the preferred mechanism for integrated authentication; this howto only covers NTLM.

FIXME by dj: I had to remove calls to stripos() and substr() from the original SSPI-using code in order to make NTLM auth work. I suspect these to be some kind of obscure PHP safeguard against unsafe user input. If the code's security has suffered through my modifications, please drop a note here and contribute a fix, if possible.

FIXME by dj: I believe that using CAS together with the current patch-httpauth-0.68.3.txt will break the "Log off to get a logon screen" functionality. I was too lazy to introduce the conditionals needed to generate the URI string correctly.