Single Sign On with Active Directory
This will show how to install Plone on a fresh install of Debian 4.0r2 so that it authenticates against Active Directory for single sign-on (SSO). The site will be an intranet with apache2 in front of the Plone site. I will also show how to configure SSL for the site.
Purpose
Create an intranet for employees. It should use SSO so that I will not hear employees complain about having to enter their passwords more than once. The authentication is against a Windows 2003 Active Directory.
Prerequisites
I will be using LDAPUserFolder, LDAPMultiPlugins, apachepas and mod_ntlm2. My Debian machine will have a static IP address of 192.168.1.5. The name of the site is "project".
Install the following prior to installing Plone. You can use “Synaptic Package Manager” or “apt-get”.
python-dev
readline: libreadline5, libreadline5-dev and readline-common
libssl and libssl-dev
libxml2 and libxml2-dev
wv
xpdf
PIL (Python Imaging Library)
libjpeg
zlib
libxml2-python
python-feedparser
Step by step
Installing Plone 3.1.4 with buildout
There is a more in-depth tutorial on buildouts. Here is the link:
Open a terminal. In the terminal type the following:
wget http://peak.telecommunity.com/dist/ez_setup.py
sudo apt-get install build-essential
sudo python ez_setup.py
sudo easy_install ZopeSkel
I am going to install Plone in the “/opt” directory, in a folder called “Plone3”. In the terminal, type the following:
sudo mkdir /opt/Plone3
cd /opt/Plone3
sudo paster create -t plone3_buildout project
***Use the default settings when asked. Basically hit enter.
cd project
sudo python bootstrap.py
sudo /opt/Plone3/project/bin/buildout
At this point, Plone will be installing. When the installation is complete, we will create a new user called "plone" and do a couple of other things to get it started. At the terminal, type:
sudo adduser --disabled-login plone
Now we need to edit “/opt/Plone3/project/buildout.cfg”. I am using gedit, use whatever you like. At the terminal, type:
sudo gedit /opt/Plone3/project/buildout.cfg
In the "buildout.cfg" file, insert the following at line 52, between "http-address = 8080" and "#debug-mode = on":
effective-user = plone
Now we need to change some permissions so we can start Plone. At the terminal, type:
sudo chown -R plone /opt/Plone3/project/var/*
Redo the buildout. At the terminal, type:
sudo /opt/Plone3/project/bin/buildout
With all that done, we can start Plone. At the terminal, type:
sudo /opt/Plone3/project/bin/instance start
Give it about two minutes to start, then open your internet browser and go to the URL "http://localhost:8080/manage".
You should see a login window for Zope. When you have logged in, go to the drop-down menu and add a “Plone Site” and call it “project”. Our “project” site will be created and usable. Using your internet browser, go to “http://localhost:8080/project”.
LDAP Authentication
Install “python-ldap”. You can use “Synaptic Package Manager” or “apt-get”.
Open your internet browser, go to http://www.dataflake.org/software/ and download both “LDAPUserFolder” and “LDAPMultiPlugins”. Extract both archives and copy the extracted folders to the “/opt/Plone3/project/products/” folder.
Now restart Zope. Go to your terminal and type:
sudo /opt/Plone3/project/bin/instance restart
When Zope has restarted, go to "http://localhost:8080/manage", log in and navigate to your Plone site “project”. In your “project” site, click on “acl_users”. In the drop-down list, the very first entry should be “ActiveDirectory Multi Plugin”; select it and click “Add”.
The “Add Active Directory Multi Plugin to the PluggableAuthService” section will come up. In the properties, insert/change the following:

- For "User Base DN" and "Group Base DN", use an LDAP browser to find the information you need. For "Manager DN", you can use any user credentials that can bind to the directory (a dedicated, read-only service account is preferable, since these credentials are stored in the plugin).
- Click the “Add” button
You will be sent back to the “acl_users” again. Select the AD plugin by the name you gave it ("AD_SSO"). On the functionality page, put a check mark by each (you can uncheck the ones you don't need later). And then click the “Update” button.
Across the top of the page, you should see several tabs. Click the “Properties” tab. Change “groupid_attr” from “objectGUID” to “name” and then save changes.
Across the top, click the “Contents” tab. There should be only one object there; click the “acl_users”.
Change “User ID Attribute” to “Windows Login Name (sAMAccountName)” and click the “Apply Changes” button.
Across the top, click the “Users” tab and do a quick search. You should see your users.
At this point you should be able to log into your Plone site with your AD credentials. Open an Internet browser, go to http://localhost:8080/project and enter your AD credentials.
Installing Apache2
You can use “Synaptic Package Manager” or “apt-get”.
After the installation of Apache2, install modules proxy_http, rewrite, and headers with “a2enmod”. Open a terminal and type:
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers
sudo /etc/init.d/apache2 force-reload
We will edit the “default” file for apache2, but first let's make a backup. Open a terminal and type:
sudo cp /etc/apache2/sites-available/default /etc/apache2/default.original
sudo gedit /etc/apache2/sites-available/default
I will be using the following IP address as the Apache2/Plone site: 192.168.1.5
With "default" still open, delete all the text and insert the following:
NameVirtualHost 192.168.1.5:80
<VirtualHost 192.168.1.5:80>
ServerSignature On
<IfModule mod_proxy.c>
<Proxy http://localhost:8080>
Order deny,allow
Deny from all
Allow from all
</Proxy>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /var/log/apache2/rewritelog
RewriteLogLevel 3
RewriteRule ^/(.*) \
http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/project/VirtualHostRoot/$1 [P,L]
</IfModule>
</VirtualHost>
- Go to your DNS server and add a new A and PTR record: IP address “192.168.1.5” and name “project”. Or locate your "hosts" file and enter the information there. In Windows, it is located in "C:\Windows\system32\drivers\etc".
- Now restart apache2. Open a terminal and type:
sudo apache2ctl -k restart
- Now you can use port 80 for the site from a workstation other than the Plone/Debian machine you are configuring right now. Open an Internet browser and type in the URL of your ServerName: http://project. The Plone site should come up and you can still use your AD credentials.
Creating the SSO
- Installing mod_ntlm2
Go to this website: http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/ and install per his instructions. But before doing the third part (compiling), edit “mod_ntlm.c”. Find every instance of “r->proxyreq” and replace with “r->proxyreq && 0”. When this is done, proceed with the rest of the installation. (I found this information at http://www.gossamer-threads.com/lists/zope/users/197385 )
- Install apachepas
Download “apachepas” from the Plone.org website. The current version is 1.2. The “readme” file mentions that “apachepas” does not work well with Plone 3 and that you must use “AutoMemberMakerPasPlugin”. I tried without "AutoMemberMakerPasPlugin" and the Plone site seemed to work alright.
Install “apachepas” into the “/opt/Plone3/project/products/” folder, then restart Zope. Go to your terminal and type:
sudo /opt/Plone3/project/bin/instance restart
Enter your Plone site as admin, go to “Site Setup” and click on “Add-on Products”. Install “apachepas”. Then open “/etc/apache2/sites-available/default” again and replace its contents with the following, which adds the NTLM authentication block and passes the authenticated user to Zope in the X_REMOTE_USER header:
NameVirtualHost 192.168.1.5:80
<VirtualHost 192.168.1.5:80>
ServerSignature On
<Location />
NTLMAuth on
NTLMAuthoritative on
NTLMDomain domain
NTLMServer AD-Server
NTLMBackup AD-Backup
NTLMLockfile /tmp/_mod_ntlm.lck
Require valid-user
AuthType NTLM
Satisfy all
</Location>
<IfModule mod_proxy.c>
<Proxy http://localhost:8080>
Order deny,allow
Deny from all
Allow from all
</Proxy>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /var/log/apache2/rewritelog
RewriteLogLevel 3
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e
RewriteRule ^/(.*) \
http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/project/VirtualHostRoot/$1 [L,P]
</IfModule>
</VirtualHost>
Restart Apache2. Open a terminal and type:
sudo apache2ctl -k restart
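To make the hand-off in the configuration above concrete, here is an added example (not code from this how-to, apachepas or mod_ntlm2) that models the two hops: Apache rewrites the public URL into the VirtualHostMonster form and forwards the NTLM-authenticated user in X_REMOTE_USER, and the Zope side only honours that header when the request arrives from Apache on the loopback interface. The function names, the peer-address check and the sample users are assumptions for illustration.

```python
BACKEND = "http://localhost:8080"   # Zope's http-address from buildout.cfg
SITE = "project"                    # the Plone site id created above


def backend_url(scheme, server_name, port, path):
    """Build the URL the RewriteRule proxies to:
    .../VirtualHostBase/<scheme>/<host>:<port>/project/VirtualHostRoot/<path>
    Zope's VirtualHostMonster uses scheme/host/port to generate absolute URLs."""
    path = path.lstrip("/")
    return (f"{BACKEND}/VirtualHostBase/{scheme}/{server_name}:{port}"
            f"/{SITE}/VirtualHostRoot/{path}")


def proxied_request(remote_user, scheme, server_name, port, path):
    """What Apache forwards once mod_ntlm2 has set REMOTE_USER. The config
    reads it via %{LA-U:REMOTE_USER} (a look-ahead, because authentication
    runs after the rewrite phase), stores it in the RU variable and copies
    it into the X_REMOTE_USER request header."""
    headers = {}
    if remote_user:
        headers["X_REMOTE_USER"] = remote_user
    return backend_url(scheme, server_name, port, path), headers


def user_from_request(peer_ip, headers):
    """Zope side (constructed check, not apachepas's own code): the header is
    only trustworthy if it was set by Apache, so accept it solely from the
    loopback peer. Anything reaching port 8080 from elsewhere gets no user.
    The literal "(null)" is what an empty REMOTE_USER shows up as."""
    if peer_ip != "127.0.0.1":
        return None
    user = headers.get("X_REMOTE_USER")
    if not user or user == "(null)":
        return None
    # Tolerate a DOMAIN\user form (assumption) so the id matches sAMAccountName.
    return user.split("\\", 1)[-1]


if __name__ == "__main__":
    url, hdrs = proxied_request("jdoe", "http", "project", 80, "/front-page")
    print(url, hdrs, user_from_request("127.0.0.1", hdrs))
```

The same reasoning is why Zope should keep listening on localhost only: the header is a bare assertion, and the loopback check is the only thing binding it to Apache's NTLM exchange.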
Installing SSL to the Plone site
Make sure “OpenSSL” is installed. We will create an “ssl” directory and generate a certificate. Go to these sites to configure OpenSSL properly: http://www.vanemery.com/Linux/Apache/apache-SSL.html and/or http://www.eclectica.ca/howto/ssl-cert-howto.php. Open a terminal and type the following:
cd /etc/apache2
sudo mkdir ssl
cd ssl
sudo a2enmod ssl
sudo /etc/init.d/apache2 force-reload
sudo openssl genrsa -out site.key 1024
(A 1024-bit RSA key is no longer considered strong; current guidance is at least 2048 bits, which you get by replacing 1024 with 2048 above.)
sudo openssl req -new -key site.key -out site.csr
When prompted, fill in the appropriate information. When you are asked for the “Common Name”, use “project”, since that is the name browsers will check the certificate against.
sudo openssl x509 -req -days 60 -in site.csr -signkey site.key -out site.crt
Edit the “ports.conf” file in “/etc/apache2/” and insert the following at the bottom:
Listen 443
Edit the “default” file in “/etc/apache2/sites-available/” and insert the following after the first VirtualHost:
NameVirtualHost 192.168.1.5:443
<VirtualHost 192.168.1.5:443>
ServerSignature On
<Location />
NTLMAuth on
NTLMAuthoritative on
NTLMDomain domain
NTLMServer AD-Server
NTLMBackup AD-Backup
NTLMLockfile /tmp/_mod_ntlm.lck
Require valid-user
AuthType NTLM
Satisfy all
</Location>
<IfModule mod_proxy.c>
<Proxy http://localhost:8080>
Order deny,allow
Deny from all
Allow from all
</Proxy>
</IfModule>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/site.key
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /var/log/apache2/rewritelog
RewriteLogLevel 3
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e
RewriteRule ^/(.*) \
http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/project/VirtualHostRoot/$1 [L,P]
</IfModule>
</VirtualHost>
Restart Apache2. Open a terminal and type:
sudo apache2ctl -k restart
Now you should be able to do an SSO over SSL from a workstation on your network (not this Debian machine). On a workstation on the network (Windows XP, logged in as a user who appears in acl_users), open “Internet Explorer” and navigate to your Plone site at https://project. You should be signed on, with the connection using the certificate.
Now that SSO against Active Directory is working, you should be able to create an extranet by creating another VirtualHost.
Further information
Here is a link to a document that shows other configurations for virtual hosting: http://www.cps-project.org/static/doc/howto-virtual_hosts.html

X_REMOTE_USER = (null)
I used the host IP instead of localhost in the proxy section and RewriteRule.
NTLM authentication on Apache2.2 worked well, but the REMOTE_USER var was empty (and X_REMOTE_USER was "(null)").
Changed to localhost; REMOTE_USER equals the user name and the user gets successfully logged into Plone.
Many thanks for your how-to.