[opensuse] Apache SSO AD Windows Domain
Hi,

I am trying to get apache working with Single Sign On on our windows domain.

We are using Leap 42.1 Server Minimal Text Mode with apache / php5.

This server is for OS Ticket which I already have working with LDAP but need to get single sign on working so users authenticate automatically.

I have set up Yast > Windows Domain Membership and I can log in as a domain user successfully.

I cannot quite get my head around how this works. Where do I go from here to configure apache to work with active directory?

Thanks

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 03/10/2016 03:59 AM, Paul Groves wrote:
Hi, I am trying to get apache working with Single Sign On on our windows domain.
We are using Leap 42.1 Server Minimal Text Mode with apache / php5
This server is for OS Ticket which I already have working with LDAP but need to get single sign on working so users authenticate automatically..
I have set up Yast > Windows Domain Membership and I can log in as a domain user successfully.
I cannot quite get my head around how this works. Where do I go from here to configure apache to work with active directory?
Thanks
I have a setup similar to what you are trying to achieve. You are on the right path. Now look at apache's mod_authz and the pwauth package - the 2 together with PAM will allow you to use AD authentication from apache. This is one way of doing this, and the way I am using it. Another method is to use LDAP against AD.

--
--Moby
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
Not getting any further I'm afraid :( I cannot find any good documentation on the subject. But to be fair I have not done this before so may not be searching for the right thing.

On 10 March 2016 at 12:29, Moby <moby@mobsternet.com> wrote:
I have a setup similar to what you are trying to achieve. You are on the right path. Now look at apache's mod_authz and the pwauth package - the 2 together with PAM will allow you to use AD authentication from apache. This is one way of doing this, and the way I am using it. Another method is to use LDAP against AD.
Does anyone know how to do this? Someone must have more information. I have searched online for hours trying to find some tutorial or documentation.

The server is Leap 42.1 64-bit. I have already used YaST > Network Services > Windows domain Membership and I can log into the server using Active Directory Logins.

All I need to get working is so that users can authenticate to the website with their active directory accounts (therefore no password entry required internally and we can then make the site available externally).

Other than this apache is working perfectly and so is OS ticket.

Thanks

I don't want to have to use IIS for this (yuk!) but I am running out of time.

On 17 March 2016 at 10:19, Paul Groves <paul.groves.787@gmail.com> wrote:
Not getting any further I'm afraid :( I cannot find any good documentation on the subject. But to be fair I have not done this before so may not be searching for the right thing.
On Tue, Mar 22, 2016 at 2:20 PM, Paul Groves <paul.groves.787@gmail.com> wrote:
Does anyone know how to do this? Someone must have more information. I have searched online for hours trying to find some tutorial or documentation.
Does it help? https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Direct...
The server is Leap 42.1 64-bit. I have already used YaST > Network Services > Windows domain Membership and I can log into the server using Active Directory Logins.
All I need to get working is so that users can authenticate to the website with their active directory accounts (therefore no password entry required internally and we can then make the site available externally).
Other than this apache is working perfectly and so is OS ticket.
thanks
I don't want to have to use IIS for this (yuk!) but I am running out of time.
On 2016-03-22 11:20, Paul Groves wrote:
All I need to get working is so that users can authenticate to the website with their active directory accounts (therefore no password entry required internally and we can then make the site available externally).
Run two web servers, one internal and one external? Less attack surface that way.
Still stuck. I have installed osticket with the http passthru and ldap plugins. According to users on their forums, this works on a server running IIS with SSO authentication turned on.

So it looks like it is just apache that needs configuring. But how? I have tried LDAP, PAM and NTLM, which I cannot seem to get working even though my configuration file for the virtualhost does not error.

It is as if I haven't put any config in at all. It is just ignored.

Any clues? Still can't find any proper documentation.

On 10 March 2016 at 12:29, Moby <moby@mobsternet.com> wrote:
I have a setup similar to what you are trying to achieve. You are on the right path. Now look at apache's mod_authz and the pwauth package - the 2 together with PAM will allow you to use AD authentication from apache. This is one way of doing this, and the way I am using it. Another method is to use LDAP against AD.
I have tried this
http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-d...
still no luck. It is as if I haven't even done anything, the configuration is ignored.

On 18 April 2016 at 10:41, Paul Groves <paul.groves.787@gmail.com> wrote:
Still stuck. I have installed osticket with the http passthru and ldap plugins. According to users on their forums, this works on a server running IIS with SSO authentication turned on.
So it looks like it is just apache that needs configuring. But how? I have tried LDAP, PAM and NTLM, which I cannot seem to get working even though my configuration file for the virtualhost does not error.
It is as if I haven't put any config in at all. It is just ignored.
Any clues? Still can't find any proper documentation.
Hi All,

Still trying to figure this one out. Had no response at all from the apache forum.

Just to recap, we have a windows domain and an openSUSE 42.1 apache 2.4 web / LAMP server. I have set up Yast > Windows Domain Membership and I can log in as a domain user successfully on the command line.

Now we have several websites that need to use active directory authentication (osticket and some of our own creations). This is where I am stuck. I cannot figure out how to get apache to use this authentication method.

We have osticket working with its own ldap plug in but we want it to use the windows authentication and log users in automatically, and also our own php sites need to authenticate as the logged in user. (Basically like pass through authentication in IIS, but I do not want to have to use IIS; this is the only thing causing a problem with apache.)

Has anyone achieved this or does anyone know how to?

Thanks

On 18 April 2016 at 11:50, Paul Groves <paul.groves.787@gmail.com> wrote:
I have tried this
http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-d...
still no luck. It is as if I haven't even done anything, the configuration is ignored.
Paul Groves [29.06.2016 11:32]:
Hi All,
Still trying to figure this one out. Had no response at all from the apache forum.
Just to recap, We have a windows domain and an opensuse 42.1 apache 2.4 web /Lamp server
I have set up Yast > Windows Domain Membership and I can log in as a domain user successfully. in the command line.
Now we have several websites that need to use active directory authentication. (osticket and some of our own creations). This is where I am stuck. I cannot figure out how to get apache to use this authentication method.
What do you mean by "SSO" and "active directory authentication"? Do you want the users to log in via username and password, and have apache verify this against LDAP, or do you want to log in passwordless via Kerberos ticket?

If you want to use AD as LDAP, it is quite simple. But you need a user in AD that is allowed to check the user/password combination. Howtos are easily found using a search engine of your choice, as I did ... and found <http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html>, for example. Maybe you prefer <https://support.microsoft.com/en-us/kb/555092>, which shows another way to do it (as can be expected by M$ :D)

HTH,
Werner
On 29/06/16 11:03, Werner Flamme wrote:
What do you mean by "SSO" and "active directory authentication"? Do you want the users to log in via username and password, and have apache verify this against LDAP, or do you want to log in passwordless via Kerberos ticket?
If you want to use AD as LDAP, it is quite simple. But you need a user in AD that is allowed to check the user/password combination. Howtos are easily found using a search engine of your choice, as I did ... and found <http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html>, for example. Maybe you prefer <https://support.microsoft.com/en-us/kb/555092>, which shows another way to do it (as can be expected by M$ :D)
HTH, Werner
By SSO I mean single sign on (like in IIS) so that when a domain user logged in opens Internet Explorer it logs in automatically (Firefox and Chrome prompt for login). Exactly like on our IIS server.

Which way would you recommend? Worst case scenario, I would at least like to be able to authenticate against AD with apache even if it is not automatic.
Hi All,

Back looking at this problem again. Using the information provided here
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Direct...
I have installed mod_auth_kerb and enabled it, and apache starts without error.

The server is already added to the domain in yast > Windows Domain Membership and I can successfully log in locally as a domain user.

I have managed to add the following to my apache configuration and the service starts just fine.

Alias /private /srv/www/htdocs/private
<Directory /srv/www/htdocs/private>
    AuthType Kerberos
    AuthName "Network Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms HARVEY.SCHOOL
    require valid-user
    Krb5KeyTab /etc/apache2/conf.d/krb5.keytab
    KrbLocalUserMapping On
</Directory>

When I browse to http://server/private I am greeted with a login prompt. If I cancel, it correctly denies access.

Here is the problem: If I type in any domain username I get continuous login boxes. I have tried
username
username@domain
domain\username
but it does not log in or error.

I suspect the keytab but might be wrong..? But honestly I am guessing at this. I have used the keytab created when I added the computer to the domain from /etc/krb5.keytab and copied it to /etc/apache2/conf.d. I also set the group to www using chown and added 640 permissions so apache can read the file.

On 29 June 2016 at 18:52, Paul Groves <paul.groves.787@gmail.com> wrote:
By SSO I mean single sign on (like in IIS) so that when a domain user logged in opens Internet Explorer it logs in automatically (Firefox and Chrome prompt for login). Exactly like on our IIS server.
Which way would you recommend? Worst case scenario, I would at least like to be able to authenticate against AD with apache even if it is not automatic.
12.09.2016 13:31, Paul Groves wrote:
Hi All, Back looking at this problem again.
using the information provided here
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Direct...
This link describes how to configure SAMBA domain, not Windows domain.
I have installed mod_auth_kerb and enabled it, and apache starts without error. The server is already added to the domain in yast > Windows Domain Membership and I can successfully log in locally as a domain user.
I have managed to add the following to my apache configuration and the service starts just fine.
Alias /private /srv/www/htdocs/private
<Directory /srv/www/htdocs/private>
    AuthType Kerberos
    AuthName "Network Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms HARVEY.SCHOOL
    require valid-user
    Krb5KeyTab /etc/apache2/conf.d/krb5.keytab
    KrbLocalUserMapping On
</Directory>
When I browse to the http://server/private I am greeted with a login prompt. If I cancel, it correctly denies access.
If you get login prompt, something is already wrong.
Here is the problem: If I type in any domain username I get continuous login boxes. I have tried username username@domain domain\username but it does not log in or error.
You may misunderstand how it should work. The goal is not to let Apache log you into AD - you should not get any login prompt at all. Your existing Kerberos credentials (or MS AD if you are working from a Windows client) must be sufficient to transparently grant you access to resources.
I suspect the keytab but might be wrong..? But honestly I am guessing at this. I have used the keytab created when I added the computer to the domain from /etc/krb5.keytab and copied it to /etc/apache2/conf.d I also set the group to www using chown and added 640 permissions so apache can read the file.
Your Kerberos libraries on the Apache host must be properly configured; you need to add an HTTP principal to the account used for Apache and of course export a keytab with this principal for use on the http server. There are some reports that adding an HTTP principal to the machine account in AD does not work, and a recommendation to create a normal user account for it (BTW, the link you mention does the same - it creates a separate user account). Your client (web browser) must support Kerberos authentication and be configured to actually use it. And of course you must obtain a valid ticket before attempting to contact the server.
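The two things Andrei asks Paul to verify (an HTTP/ service principal in the keytab Apache reads, matching the realm in KrbAuthRealms) can be checked mechanically before touching the browser. The script below is an added example, not code from this thread or from mod_auth_kerb: it parses the text output of `klist -k` and the poster's <Directory> block and lists why Negotiate could fall through to a password prompt. The hostname `server.harvey.school` is constructed from the `server` host and the HARVEY.SCHOOL realm in Paul's message, and the two `klist -k` listings are constructed samples, not output from his machine.

```python
"""Consistency check between a mod_auth_kerb <Directory> block and its keytab.

Added example (not from the thread). Feed it the output of
`klist -k /etc/apache2/conf.d/krb5.keytab` and the Apache config; it reports
the conditions under which the Negotiate exchange cannot succeed and the
browser is left with the Basic-auth password prompt the poster describes.
"""
import re

# Constructed sample: the poster's block, one directive per line.
APACHE_CONF = """
Alias /private /srv/www/htdocs/private
<Directory /srv/www/htdocs/private>
    AuthType Kerberos
    AuthName "Network Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms HARVEY.SCHOOL
    require valid-user
    Krb5KeyTab /etc/apache2/conf.d/krb5.keytab
    KrbLocalUserMapping On
</Directory>
"""

# Constructed `klist -k` output for a keytab copied from /etc/krb5.keytab:
# it carries the machine join principals only, no HTTP/ service principal.
KLIST_MACHINE_ONLY = """\
Keytab name: FILE:/etc/apache2/conf.d/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.harvey.school@HARVEY.SCHOOL
   3 SERVER$@HARVEY.SCHOOL
"""

# Same keytab after an HTTP/ principal for the web host has been exported into it.
KLIST_WITH_HTTP = KLIST_MACHINE_ONLY + "   5 HTTP/server.harvey.school@HARVEY.SCHOOL\n"


def parse_directives(conf):
    """Map lower-cased directive name -> value for the first <Directory> block."""
    block = re.search(r"<Directory\b[^>]*>(.*?)</Directory>", conf, re.S | re.I)
    body = block.group(1) if block else conf
    directives = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')
    return directives


def parse_keytab_principals(klist_output):
    """Return the principal names listed by `klist -k` (the column after KVNO)."""
    principals = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def check_negotiate_setup(conf, klist_output, fqdn):
    """Return findings as strings; an empty list means Negotiate can work as configured."""
    d = parse_directives(conf)
    principals = parse_keytab_principals(klist_output)
    findings = []
    if d.get("authtype", "").lower() != "kerberos":
        findings.append("AuthType is not Kerberos; mod_auth_kerb is not handling this location")
    # mod_auth_kerb defaults both Krb* method switches to On (assumption from its README).
    if d.get("krbmethodnegotiate", "on").lower() != "on":
        findings.append("KrbMethodNegotiate Off: browsers cannot present their ticket")
    realms = d.get("krbauthrealms", "").split()
    if not realms:
        findings.append("KrbAuthRealms is empty; the realm falls back to krb5.conf")
    # The service principal the browser requests is HTTP/<fqdn>@<realm>; its key
    # must be in the keytab named by Krb5KeyTab or the AP-REQ cannot be decrypted.
    expected = [f"HTTP/{fqdn}@{r}" for r in realms]
    if not any(p in principals for p in expected):
        findings.append(f"keytab has no HTTP service key for this host; expected one of {expected}, "
                        f"found {principals}")
    # With the password fallback enabled, a failed Negotiate degrades silently to a
    # Basic-auth prompt, so a broken keytab shows up as an endless login box.
    if d.get("krbmethodk5passwd", "on").lower() == "on":
        findings.append("KrbMethodK5Passwd On: Apache offers Basic auth when Negotiate fails, "
                        "so domain passwords are typed into the browser instead of SSO failing visibly")
    return findings


if __name__ == "__main__":
    for label, listing in (("copied machine keytab", KLIST_MACHINE_ONLY),
                           ("keytab with HTTP/ principal", KLIST_WITH_HTTP)):
        print(f"== {label}")
        for finding in check_negotiate_setup(APACHE_CONF, listing, "server.harvey.school"):
            print(" -", finding)
```

On the real host the listing comes from `klist -k` against the file named in Krb5KeyTab, and the `fqdn` argument is the name the browser resolves for the site. The last finding matters because the poster's URL is plain http://: with KrbMethodK5Passwd left On, every password typed into that prompt crosses the network unencrypted, so the fallback should be Off (and the site behind TLS) while the Kerberos side is being fixed.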
Paul Groves wrote:
Hi All,
Still trying to figure this one out. Had no response at all from the apache forum.
Just to recap, We have a windows domain and an opensuse 42.1 apache 2.4 web /Lamp server
I have set up Yast > Windows Domain Membership and I can log in as a domain user successfully. in the command line.
Now we have several websites that need to use active directory authentication. (osticket and some of our own creations). This is where I am stuck. I cannot figure out how to get apache to use this authentication method.
We have osticket working with its own ldap plug in but we want it to use the windows authentication and log users in automatically and also our own php sites need to authenticate as the logged in user. (Basically like pass through authentication in IIS, but I do not want to have to use IIS but this is the only thing causing a problem with apache.)
Has anyone achieved this or does anyone know how to?
We use mysql as authentication backend, via pam as well as mod_auth_dbd. I imagine you've got the pam setup working, but your apache apps are not using it. I think that's what you need to look at.

--
Per Jessen, Zürich (24.0°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
participants (6)
- Andrei Borzenkov
- Dave Howorth
- Moby
- Paul Groves
- Per Jessen
- Werner Flamme