Wednesday 16 May 2012 11:55:51 am - 4 replies
Hi there !
I have to set up an automatic logon system for a eZ Publish Website hosted on a debian server. The pitch is :
"a client is logged on its Windows session (User registered on a Windows Active Directory (so LDAP)) ; when he'll arrive on the intranet eZ publish website, he is detected by the browser (using NTLM...?) and the user is automatically logged on"
Apparently, an LDAP support is built-in eZ Publish, so, there's no issue for this part of the problem. The main issue is how can I retrieve current user login from the Windows session ? I've read different stuff about NTLM, but nothing explicit... I know it's kinda tricky, but tips would be greatly appreciated !
Thanks in advance;
Wednesday 16 May 2012 1:31:04 pm
It is indeed quite tricky.
Main questions are:
1. are you using Apache? On windows or Unix?
2. is your site also available to anon users or only to logged-in users?
The thing goes like this:
. there are apache modules that support kerberos integration (mod_spnego and mod_auth_kerb). Quite tricky to set up, some of them outdated, but you might get them working (iirc main problem I had in the past was passwords/usernames using utf8 characters). Recommendation: try to set them up 1st independently of eZ, using a simple-test-page website
. if you set up in apache config site protection based on kerberos, no user will be able to see a single page of the site unless they sign in first to the windows domain. NTLM/Kerberos auth work just like basic/digest auth in that sense, i.e. it is carried out before eZ even has a chance to run index.php
. when a user who is logged in into the domain gets to eZ, you should be able to find his username in global variables - look at http://svn.projects.ez.no/spnego/trunk/extension/spnego/sso_handler/ezspnegossohandler.php
. a while ago some brave soul did work out a clever way to use Apache Kerberos modules for SSO while still allowing users not-logged-in to the windows domain to get to eZ (of course, you can couple this work with an ldap-login handler to still use AD accounts when logging in via eZ). The site where that code was posted to has gone to neverland - only the wayback machine has it: http://web.archive.org/web/20100212124919/http://www.gxapplications.com/eng_blog/GX-Admin-s-Blog/eZpublish-SSO-login-Handler-Apache-Kerberos-module-bypass
. not only that, but in case Apache kerberos modules are not available, he also did an implementation of ntlm in php (note: ntlm is a different protocol from kerberos, AD servers use kerberos by default but can support ntlm clients). The caveat is that this code is security-sensitive and not widely used, so you should use it with care. http://web.archive.org/web/20100120084619/http://www.gxapplications.com/eng_blog/GX-Admin-s-Blog/Alternate-way-to-Kerberos-NTLM-auth-in-pure-PHP
You might find some similar code in PEAR iirc: http://blog.mayflower.de/archives/125-Accessing-NTLM-secured-resources-with-PHP.html
Famous last words: maybe you can set up a CAS server, tell eZ to do SSO with CAS (there are 2/3 extensions available for that), and tell CAS to do SSO with the MS AD... http://www.jasig.org/cas
Modified on Wednesday 16 May 2012 2:23:12 pm by Gaetano Giunta
Wednesday 16 May 2012 3:26:17 pm
Thanks a lot for your reply, it's a little bit clearer to me
We're hosting the eZ website on a Debian server. This intranet may be reachable for "external users" (ie. users abroad the local network).
Hence -if I understood your argument- , if a user tries to connect to the intranet out of the local network, he'd be kicked (because he won't have the active directory/kerberos authentication) ?
If I decide to use the PHP of ntlm implementation, which which apache module will I have to install ?
All the "infrastructure" (apache extensions & modules) still remains arcane to me
Thanks a lot;
For other which are looking for php implementation of ntlm, look at : http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/
Wednesday 16 May 2012 4:17:12 pm
Let see if we can get it a bit more clear:
1. you want the intranet to be reachable by "external users". Can you confirm what this means exactly?
a) they will not be logged in into AD when they start to browse the intranet (because they get to access the site from internet)
b) they will not have any account at all on the AD but only eZP accounts (accounts managed within eZ)
c) are all users on the intranet network always logged in into the AD (ie. no linux/macos desktops or guest users with no AD account)?
d) is any page of the intranet available to anonymous users at all (regardless of the network where they are coming from)?
2. if you use "only" an Apache Kerberos module to protect the website, there is a high chance that users coming from an external network might not be able to see the site at all, as they will not be able to get a Kerberos ticket from the AD. There is also a small possibility that they get asked for username/password and actually do get logged in to the AD, but I am not 100% sure about this - I think in general it is not considered a good idea to allow people on external networks authenticate directly to the AD server, and the windows networking ports are firewalled off. Of course having external customers use a VPN connection to get on the intranet network and allow them to authenticate to AD would fix this problem.
In case that point 1b or 1d are true, you need to use the sso+not-logged-in-users solution I linked to above (the "complex case" later on). It is the same if point 2 holds true.
The simple case
If you are lucky enough that you can have your intranet both secured and accessible by the outside using only AD user accounts and Kerberos sessions and VPN, and no anonymous-visible pages in it, you need:
- mod_spnego or mod_auth_kerb to force authentication by Apache of anyone trying to browse to the intranet
- possibly the php ldap extension to import into eZ just a little bit of the AD profile of users
- a simple sso-handler in eZ, similar to the one from the spnego extension I mentioned above
- possibly no special login-handler in eZ as in fact users will never log in to eZ Publish by using forms within eZ, but they will only login in to AD via Kerberos and eZ will get their username from $_SERVER['REMOTE_USER']
The complex case
You will need:
- php ldap extension and an eZ login handler that logs in the user to AD via LDAP
- a custom SSO handler that plays tricks redirecting users back and forth to find out if they have a valid Kerberos ticket (the one in the ancient blog post above)
- either a pure-php implementation of the NTLM protocol, or mod_auth_kerb or mod_spnego
For the last point, it's up to you to decide which route to go. I would try to use mod_spnego because it is faster than the corresponding code written in php, looks maintained, it is more widely distributed, and the blog post describing the custom SSO handler uses it, so you have less trial-and-error to do.
More side notes:
- you should use https for users coming from the internet, to protect their AD credentials
- Firefox can do AD SSO if a secret config parameter is enabled
- Chrome apparently can do it too, but I never tried it
Friday 18 May 2012 9:36:49 am
Thanks a lot for all your argument, it's really helpful !
This intranet will have two kind of users :
All users from Intranet use PC, so there's no issue with MacOS/Unix (and so with AD). Actually, there's no page available for "anonymous" users. You must be logged if you want to enter the website.
IT Manager doesn't want to allow remote AD connection (of course!), and I'd like to exclude the use of VPN for other safety reasons. That's why, I think "Simple solution" isn't possible at all. I'll have to use the complex solution which is kinda tricky. I'll try to see if mod_spnego will handle my case, and I'll let you go
You must be logged in to post messages in this topic!