Single Sign On with Active Directory
Purpose
Create an intranet for employees. It should use SSO, so that I will not hear employees complain about having to enter their passwords more than once. Authentication is against a Windows 2003 Active Directory.
Scenario
Windows 2003 Active Directory. The DC has the IP address 192.168.1.1 and the name dc.domain.com. The Plone/Apache server has the IP address 192.168.1.5 and the name web.domain.com. I will go over SSO using mod_ntlm2 and Kerberos. I am personally using Kerberos authentication. Choose the authentication method that suits you, but not both.
Web Server
Install Apache2 either with “apt-get” or “Synaptic Manager”.
- Open a terminal and type:
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers
- Create an A record and a pointer (PTR) record for the web server on your DC (DNS server).
Creating Self-sign Certificate (SSL)
- Open a terminal and type:
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo a2enmod ssl
sudo openssl genrsa -out site.key 1024
sudo openssl req -new -key site.key -out site.csr
- When prompted, fill in the appropriate information. Remember, when you are asked for the “Common Name”, use the site name. Here it will be “web”.
sudo openssl x509 -req -days 60 -in site.csr -signkey site.key -out site.crt
Plone
- Download and install the Plone Unified Installer. I installed using the basic standalone install. Here is a how-to for installing the Unified Installer: http://plone.org/documentation/tutorial/installing-plone-3-with-the-unified-installer/tutorial-all-pages. You can also look at the “Readme.txt” after you extract the file. It lists more libraries/utilities you will need for Plone.
- Here is a quick list of the libraries and utilities you need: libssl, libssl-dev, zlib, zlib1g-dev, libjpeg, libjpeg62-dev, readline, libreadline5-dev, readline-common, libxml2, libxml2-dev, wv, xpdf.
- Use “sudo apt-get install build-essential” at a terminal. This installs gcc, g++, etc.
- Open Nautilus as root and navigate to “/usr/local/Plone/zinstance”. Edit “buildout.cfg” and add these lines under “eggs” and “zcml” (continuation lines in buildout.cfg must be indented):
eggs =
    ...
    Products.PloneLDAP
    Products.WebServerAuth
zcml =
    ...
    Products.PloneLDAP
- To get LDAP working, install the following: libldap2-dev, libdb-dev, libsasl2-dev
- Open a terminal and type:
cd /usr/local/Plone/zinstance
sudo ./bin/buildout -n
sudo ./bin/plonectl fg
- To install WebServerAuth, go to your Plone site (http://localhost:8080/Plone) and install WebServerAuth in “Site Setup”.
- Go to your ZMI and navigate to "/Plone/acl_users/web_server_auth". Uncheck "Email-like domains" and put a checkmark by "Windows domains".
- In your ZMI, navigate to "/Plone/acl_users". Select “Plone Active Directory Plugin” in the dropdown list and click “Add”.
- Set your settings according to the image below:

- You do not have to use “administrator” for the account. You can use any account that can read your AD.
- You will be sent back to “acl_users”. Select the AD plugin by the name you gave it ("AD_SSO"). On the functionality page, put a checkmark by each item (you can uncheck the ones you don't need later), then click the “Update” button.
The rest of the LDAP config and mapping is from http://www.cynapse.com/community/home/cyn.in-users/microsoft-active-directory-services-integration.
Attributes are case-sensitive.
- Across the top of the page, you should see several tabs. Click the “Properties” tab. Change “groupid_attr” from “objectGUID” to “sAMAccountName” and then save the changes.
- Across the top, click the “Contents” tab. There should be only one object there; click “acl_users”. Change “User Object Class” from “pilotPerson,uidObject” to “organizationalPerson”. Then click “Apply Changes”.
- Across the top, click the “Users” tab and do a quick search. You should see your users.
Schema Mapping
- In ZMI, go to "/Plone/acl_users/AD_SSO/acl_users". Click on "LDAP Schema" tab across the top. At the bottom of the page, there is a section called "Add LDAP schema item". Add these two mappings according to the image:


- After adding the two mappings, go to "/Plone/acl_users" in your ZMI. On this page, click "plugins". Then click the "Properties Plugins". Move the "AD_SSO" to the top of the "Active Plugins".
- Go to your Plone site, click "Site Setup" (upper right-hand corner) and then click "Users and Groups".
- Click the "Show all" button. You should see a list of all your AD users with their full name and email address.
- You can map additional schemas by using a LDAP browser and matching values with the "portal_memberdata" located in your ZMI at "/Plone/portal_memberdata" under the "Properties" tab.
- Don't forget to clear the cache after adding new mapping. Located in ZMI "/Plone/acl_users/AD_SSO/acl_users" under "Caches" tab.
Kerberos Authentication
Synchronize the time between the web server and the DC
- Install openntpd:
sudo apt-get install openntpd
- Configure openntpd (using gedit here; you can use any text editor):
sudo gedit /etc/openntpd/ntpd.conf
- Comment out everything and insert the following:
server dc.domain.com
- Restart the service:
sudo /etc/init.d/openntpd restart
- Check the log to make sure everything is OK. It is located at “/var/log/syslog”.
Likewise-open
- Open an internet browser and navigate to http://www.likewise.com/
- Register and download likewise-open.
- After you have downloaded the installer file for Debian, right-click it and then click the “Permissions” tab. Put a checkmark for “Allow executing file as program”. Then close.
- Open a terminal and execute the installer with sudo.
- When the installation is finished, in the terminal type:
sudo /opt/likewise/bin/domainjoin-cli join domain.com Administrator
- “SUCCESS” is the right answer. Restart the computer. You should be able to log off and log on using a username/password from your Active Directory. The username should be in the form "domain\username".
Apache2 with Likewise-open (kerberos)
- With both Apache2 and Likewise-open installed, we will get a quick single sign-on going.
- Use Nautilus as root. To do this, go to “Applications” -> “System Tools”, right-click “File Browser” and select “Add this launcher to panel”. Now right-click the “File Browser” icon on your panel and select “Properties”. In the “command” textbox enter this:
gksu "nautilus --no-desktop --browser"
- When you open Nautilus as root, navigate to “/etc/apache2”. Edit “httpd.conf” by double-clicking. This file should be blank; insert the following and save:
LoadModule auth_kerb_module /opt/likewise/apache/2.2/mod_auth_kerb.so
- With Nautilus again, navigate to “/etc/apache2/sites-available”. Edit “default” (make a backup if you like), clear all entries and input this:
<VirtualHost *:80>
    DocumentRoot /var/www
    LogLevel debug
    <Directory /var/www>
        AuthType Kerberos
        AuthName "Kerberos_Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbVerifyKDC Off
        KrbAuthRealms DOMAIN.COM
        Krb5Keytab /etc/apache2/krb5.keytab
        Require valid-user
    </Directory>
</VirtualHost>
- Go to your DC and create a new user with “http” as the username. Enter a password for this user; we will use “krbpassword”. Make sure that the password is set to never expire.
- At a command prompt on the DC, type the following:
ktpass -out c:\keytabfile /princ HTTP/web.domain.com@DOMAIN.COM /pass krbpassword -mapOp set /ptype KRB5_NT_PRINCIPAL /mapUser http
- Transfer the newly created file, “keytabfile”, to the web.domain.com server (Plone). I transferred this file to the desktop (“/home/username/Desktop”).
- Open a terminal, start ktutil and type the following at its prompt (this merges the new HTTP key with the host keys into a keytab for Apache):
sudo /opt/likewise/bin/ktutil
rkt /home/username/Desktop/keytabfile
rkt /etc/krb5.keytab
wkt /etc/apache2/krb5.keytab
quit
- Change the permissions so only the apache2 service (www-data) can read krb5.keytab:
sudo chown www-data:www-data /etc/apache2/krb5.keytab
sudo chmod 400 /etc/apache2/krb5.keytab
- Debian uses an older libcom_err. You will get an error message if you restart apache2. To fix this, you have to edit the apache2 startup script. Open a terminal and type:
sudo gedit /etc/init.d/apache2
- Insert "LD_LIBRARY_PATH=/opt/likewise/lib" on line 14. The whole line should look like this:
ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin LD_LIBRARY_PATH=/opt/likewise/lib"
- Restart apache2:
sudo /etc/init.d/apache2 restart
- Go to a machine on your network and configure your internet browser. Use page 9 of this guide: http://www.likewise.com/resources/user_documentation/Likewise-Apache-SSO-Guide.pdf
- After the Plone installation, open the internet browser to http://web.domain.com. You should see “It works”. Check the logs on the web.domain.com server to make sure your browser passed the login: “/var/log/apache2/error.log”.
Apache2 and Plone with Kerberos Authentication
- Using Nautilus as root, navigate to “/etc/apache2/sites-available” and edit “default” by clearing it out and adding this:
NameVirtualHost 192.168.1.5:443
<VirtualHost 192.168.1.5:443>
    <Location />
        AuthType Kerberos
        AuthName "Kerberos_Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbVerifyKDC Off
        KrbAuthRealms DOMAIN.COM
        Krb5Keytab /etc/apache2/krb5.keytab
        Require valid-user
        RequestHeader set X_REMOTE_USER %{remoteUser}e
    </Location>
    <IfModule mod_proxy.c>
        <Proxy http://localhost:8080>
            Order deny,allow
            Deny from all
            Allow from all
        </Proxy>
    </IfModule>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/site.crt
    SSLCertificateKeyFile /etc/apache2/ssl/site.key
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 3
        RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
    </IfModule>
</VirtualHost>
- Restart apache2 at a terminal:
sudo /etc/init.d/apache2 restart
- Open Nautilus as root, navigate to “/etc” and edit “krb5.conf”. Comment out “reverse_mappings …..”
SSO should be working with Kerberos. On a workstation in your AD, open an internet browser and in the URL type “https://web.domain.com”.
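Added example, not part of the original guide: a small POSIX shell script that checks the two things the keytab and vhost steps above depend on, and that apply equally to the mod_ntlm2 vhost later on. The keytab must be readable only by the Apache user, and the vhost must reference that keytab, require a valid user and set X_REMOTE_USER itself, because Plone's WebServerAuth trusts whatever arrives in that header. Paths are parameters; the demo() files are constructed in a temp directory.

```sh
#!/bin/sh
# Added example, not from the guide. In production call:
#   check_keytab /etc/apache2/krb5.keytab www-data
#   check_vhost /etc/apache2/sites-available/default /etc/apache2/krb5.keytab

# The keytab holds the HTTP service key: it must exist, be owned by the
# Apache user and be mode 0400 so no other local account can read it.
check_keytab() {
  keytab=$1 owner=$2
  [ -f "$keytab" ] || { echo "keytab $keytab is missing"; return 1; }
  [ -n "$(find "$keytab" -user "$owner" -perm 400)" ] \
    || { echo "keytab must be owned by $owner with mode 0400"; return 1; }
  return 0
}

# The vhost must reference that keytab, require an authenticated user and set
# X_REMOTE_USER itself (RequestHeader set replaces any client-supplied copy).
check_vhost() {
  conf=$1 keytab=$2
  grep -Eq "^[[:space:]]*Krb5Keytab[[:space:]]+$keytab([[:space:]]|\$)" "$conf" \
    || { echo "Krb5Keytab does not point at $keytab"; return 1; }
  grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user' "$conf" \
    || { echo "Require valid-user is missing"; return 1; }
  grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X_REMOTE_USER' "$conf" \
    || { echo "RequestHeader set X_REMOTE_USER is missing"; return 1; }
  return 0
}

# Constructed demo: a throwaway keytab and a minimal vhost in the guide's form,
# created in a temp directory and owned by whoever runs the script.
demo() {
  dir=$(mktemp -d)
  printf 'constructed keytab bytes\n' > "$dir/krb5.keytab"
  chmod 400 "$dir/krb5.keytab"
  cat > "$dir/default" <<EOF
<Location />
    AuthType Kerberos
    Krb5Keytab $dir/krb5.keytab
    Require valid-user
    RequestHeader set X_REMOTE_USER %{remoteUser}e
</Location>
EOF
  check_keytab "$dir/krb5.keytab" "$(id -un)" \
    && check_vhost "$dir/default" "$dir/krb5.keytab"
  rc=$?
  rm -rf "$dir"
  return $rc
}

demo && echo "keytab and vhost checks passed"
```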
mod_ntlm2 Authentication
Once again, I use Kerberos to authenticate. Also, I believe no one is updating this module. If you plan to use this authentication, don't worry about any of the Kerberos stuff.
- Install mod_ntlm2
- Go to this website: http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/ and install per his instructions. But before doing the third part (compiling), edit “mod_ntlm.c”. Find every instance of “r->proxyreq” and replace it with “r->proxyreq && 0”. When this is done, proceed with the rest of the installation. (I found this information at http://www.gossamer-threads.com/lists/zope/users/197385 )
- Edit the “default” file in “/etc/apache2/sites-available/”. Insert the following:
NameVirtualHost 192.168.1.5:443
<VirtualHost 192.168.1.5:443>
    ServerSignature On
    <Location />
        NTLMAuth on
        NTLMAuthoritative on
        NTLMDomain domain
        NTLMServer AD-Server
        NTLMBackup AD-Backup
        NTLMLockfile /tmp/_mod_ntlm.lck
        Require valid-user
        AuthType NTLM
        Satisfy all
    </Location>
    <IfModule mod_proxy.c>
        <Proxy http://localhost:8080>
            Order deny,allow
            Deny from all
            Allow from all
        </Proxy>
    </IfModule>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/site.crt
    SSLCertificateKeyFile /etc/apache2/ssl/site.key
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteLog /var/log/apache2/rewritelog
        RewriteLogLevel 3
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%1]
        RequestHeader set X_REMOTE_USER %{RU}e
        RewriteRule ^/(.*) \
            http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P]
    </IfModule>
</VirtualHost>
- Restart apache2 at a terminal:
sudo /etc/init.d/apache2 restart
SSO authentication with mod_ntlm2 should be working. On a workstation in your AD, open an internet browser and in the URL type “https://web.domain.com”. If you prefer to use “firefox”, follow these instructions to configure http://sivel.net/2007/05/firefox-ntlm-sso/.
