Attention

This document was written for an old version of Plone, Plone 3. To learn how to upgrade to the current version of Plone, read the upgrade manual.

Single Sign On with Active Directory

by John Fugazi last modified Mar 16, 2010 07:23 PM
This tutorial shows how to install Plone 3 on a fresh Debian 5 system and have it authenticate against Active Directory for single sign-on (SSO), using either Kerberos or mod_ntlm2. The result is an intranet site with Apache 2 in front of Plone, served over SSL.

Purpose

Create an intranet for employees with single sign-on, so that employees do not have to enter their password more than once. Authentication is against a Windows 2003 Active Directory.

Scenario

Windows 2003 Active Directory. The domain controller (DC) has IP address 192.168.1.1 and the name dc.domain.com. The Plone/Apache server has IP address 192.168.1.5 and the name web.domain.com. Both SSO variants, mod_ntlm2 and Kerberos, are covered below; I use Kerberos myself. Choose the authentication that suits you, but not both.

Web Server

  • Install Apache2 either with “apt-get” or “Synaptic Package Manager”.

  • Open a terminal and enable the modules the reverse proxy needs:

sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers
  • Create an A record and a PTR (reverse pointer) record for web.domain.com on your DC (DNS server). Kerberos clients derive the HTTP/ service name from DNS, so forward and reverse lookups must agree with the host name that goes into the keytab later.

Creating a Self-signed Certificate (SSL)

  • Open a terminal and type:

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo a2enmod ssl
sudo openssl genrsa -out site.key 2048
sudo openssl req -new -key site.key -out site.csr
  • When prompted, fill in the appropriate information. When you are asked for the “Common Name”, use the full site name users will type into the browser, here web.domain.com; a certificate issued to just “web” will not match https://web.domain.com and browsers will warn on every visit. (The original instructions generated a 1024-bit key; that size is below current minimums, so 2048 bits is used above.)

sudo openssl x509 -req -days 60 -in site.csr -signkey site.key -out site.crt
  • The certificate is self-signed and valid for 60 days, so either distribute site.crt to the workstations' trusted store (for example through Group Policy) or expect a browser warning, and make sure site.key is readable by root only.

Plone

  • Download and install the Plone Unified Installer. I installed using the basic standalone install. Here is a how-to for the Unified Installer: http://plone.org/documentation/tutorial/installing-plone-3-with-the-unified-installer/tutorial-all-pages. You can also read the “Readme.txt” after you extract the archive; it lists further libraries and utilities you will need for Plone.

  • Here is a quick list of the libraries and utilities you need: libssl, libssl-dev, zlib, zlib1g-dev, libjpeg, libjpeg62-dev, readline, libreadline5-dev, readline-common, libxml2, libxml2-dev, wv, xpdf.

  • Use “sudo apt-get install build-essential” at a terminal. This will install gcc, g++, etc.

  • Open Nautilus as root and navigate to /usr/local/Plone/zinstance. Edit buildout.cfg and add these lines under “eggs” and “zcml”:

eggs =
    ...
    Products.PloneLDAP
    Products.WebServerAuth

zcml =
    ...
    Products.PloneLDAP
  • To get LDAP working, first install the development packages that python-ldap (pulled in by Products.PloneLDAP) is compiled against: libldap2-dev, libdb-dev, libsasl2-dev.

  • Open a terminal and type:

cd /usr/local/Plone/zinstance
sudo ./bin/buildout -n
sudo ./bin/plonectl fg
  • To install WebServerAuth, go to your Plone site (http://localhost:8080/Plone) and install WebServerAuth from “Site Setup”.

  • Go to your ZMI and navigate to /Plone/acl_users/web_server_auth. Uncheck “Email-like domains” and put a check mark next to “Windows domains”.
  • In your ZMI, navigate to /Plone/acl_users. Select “Plone Active Directory Plugin” from the drop-down list and click “Add”.

  • Fill in the plugin's settings. (The original page showed them as a screenshot, which is not reproduced here.) The form covers the LDAP server to query (dc.domain.com in this scenario), the base DNs for users and groups, and the account the plugin binds with; give the plugin the id “AD_SSO”, because the later steps refer to it by that name.

  • You do not have to use “Administrator” for the bind account; any account that can read your AD will do. A dedicated read-only account is the better choice, because its password is stored in the plugin's configuration.

  • You will be sent back to “acl_users”. Click the AD plugin by the name you gave it (“AD_SSO”). On the functionality page, put a check mark by each function (you can uncheck the ones you don't need later), then click the “Update” button.

The rest of the LDAP configuration and mapping follows http://www.cynapse.com/community/home/cyn.in-users/microsoft-active-directory-services-integration.

Attribute names are case-sensitive.
  • Across the top of the page you should see several tabs. Click the “Properties” tab. Change “groupid_attr” from “objectGUID” to “sAMAccountName” and save the changes.

  • Across the top, click the “Contents” tab. There should be only one object there; click “acl_users”. Change “User Object Class” from “pilotPerson,uidObject” to “organizationalPerson”, then click “Apply Changes”.

  • Across the top, click the “Users” tab and do a quick search. You should see your users.

Schema Mapping

  • In the ZMI, go to /Plone/acl_users/AD_SSO/acl_users and click the “LDAP Schema” tab across the top. At the bottom of the page there is a section called “Add LDAP schema item”. Add two mappings (the original page showed them as screenshots, not reproduced here): one for the email address, mapped to the Plone property “email”, and one for the full name, mapped to “fullname”. In Active Directory the usual source attributes are mail and displayName; confirm them against your own directory with an LDAP browser, and remember that attribute names are case-sensitive.

  • After adding the two mappings, go to /Plone/acl_users in your ZMI. On this page, click “plugins”, then “Properties Plugins”. Move “AD_SSO” to the top of the “Active Plugins” list.
  • Go to your Plone site, click “Site Setup” (upper right-hand corner) and then “Users and Groups”.
  • Click the “Show all” button. You should see a list of all your AD users with their full name and email address.
  • You can map additional attributes by using an LDAP browser and matching values against the member properties in “portal_memberdata”, found in your ZMI at /Plone/portal_memberdata under the “Properties” tab.
  • Don't forget to clear the cache after adding a new mapping. It is located in the ZMI at /Plone/acl_users/AD_SSO/acl_users under the “Caches” tab.

Kerberos Authentication

Synchronize the time between the web server and the DC

Kerberos rejects tickets when the clocks differ by more than the allowed skew (five minutes by default), so this step is not optional.

  • Install openntpd

sudo apt-get install openntpd
  • Configure openntpd (using gedit here; any text editor will do)

sudo gedit /etc/openntpd/ntpd.conf
  • Comment out everything and insert the following, so the web server takes its time from the DC:

server dc.domain.com
  • Restart the service

sudo /etc/init.d/openntpd restart
  • Check the log to make sure everything is OK. It is at /var/log/syslog.

Likewise-open

  • Open a web browser and navigate to http://www.likewise.com/

  • Register and download likewise-open.

  • After you have downloaded the installer file for Debian, right-click it, open the “Permissions” tab and put a check mark next to “Allow executing file as program”. Then close the dialog.

  • Open a terminal and execute the installer with sudo.

  • When the installation is finished, join the domain (any account that is allowed to join computers to the domain works in place of Administrator):

sudo /opt/likewise/bin/domainjoin-cli join domain.com Administrator
  • “SUCCESS” is the right answer. Restart the computer. You should now be able to log off and log on using a username and password from your Active Directory; the username takes the form “domain\username”.

Apache2 with Likewise-open (kerberos)

  • With both Apache2 and Likewise-open installed, we first get a minimal single sign-on working against a static directory, before putting Plone behind it.

  • Use Nautilus as root. To do this go to “Applications” → “System Tools”, right-click “File Browser” and select “Add this launcher to panel”. Now right-click the “File Browser” icon on your panel and select “Properties”. In the “Command” text box enter:

gksu "nautilus --no-desktop --browser"
  • When you open Nautilus as root, navigate to /etc/apache2 and edit httpd.conf (double-click it). On Debian this file is empty; insert the following and save, so Apache loads the Kerberos module shipped with Likewise:

LoadModule auth_kerb_module /opt/likewise/apache/2.2/mod_auth_kerb.so
  • With Nautilus again, navigate to /etc/apache2/sites-available. Edit “default” (make a backup if you like), clear all entries and input this:

<VirtualHost *:80>

DocumentRoot /var/www
LogLevel debug

<Directory /var/www>
	AuthType Kerberos
	AuthName "Kerberos_Login"
	# Negotiate = ticket-based SSO. K5Passwd = Basic-auth fallback that sends the
	# AD password to Apache and on to the KDC; on this plain-HTTP test vhost that
	# password crosses the wire in the clear, so remove the vhost once SSO works.
	KrbMethodNegotiate On
	KrbMethodK5Passwd On
	# Off skips verifying the KDC against the keytab for the password fallback,
	# leaving that path open to KDC spoofing. Turn it On once the keytab is in place.
	KrbVerifyKDC Off
	KrbAuthRealms DOMAIN.COM
	Krb5Keytab /etc/apache2/krb5.keytab

	Require valid-user
</Directory>

</VirtualHost>
  • On the DC, create a new user with “http” as the username and give it a password; the example uses “krbpassword”, but choose a long random one, because ktpass sets it as the account's password and the key in the keytab is derived from it. Set the password to never expire (and the user to be unable to change it): if the password ever changes, the keytab stops working and every SSO login fails.

  • At a command prompt on the DC, type the following (it also maps the service principal HTTP/web.domain.com to the account):

ktpass -out c:\keytabfile /princ HTTP/web.domain.com@DOMAIN.COM /pass krbpassword -mapOp set /ptype KRB5_NT_PRINCIPAL /mapUser http
  • Transfer the newly created file, “keytabfile”, to the web.domain.com server (Plone) over a secure channel; it contains the service key. I copied it to the desktop (/home/username/Desktop).

  • Open a terminal and type the following:

sudo /opt/likewise/bin/ktutil
rkt /home/username/Desktop/keytabfile
rkt /etc/krb5.keytab
wkt /etc/apache2/krb5.keytab
quit
  • The second rkt merges the machine keytab written by domainjoin-cli (the host/ principals and the computer account's keys) into Apache's keytab. For the configuration shown, mod_auth_kerb only needs the HTTP/web.domain.com key, so you can omit that line and keep the machine keys out of a file the web server reads; if you do include it, a compromise of www-data also exposes the computer account's keys.
  • Change the ownership and permissions so only the apache2 service user (www-data) can read krb5.keytab:

sudo chown www-data:www-data /etc/apache2/krb5.keytab
sudo chmod 400 /etc/apache2/krb5.keytab
  • Debian ships an older libcom_err, so apache2 fails to start with a library error after this change. To fix it, edit the apache2 startup script so the module finds Likewise's libraries. Open a terminal and type:
sudo gedit /etc/init.d/apache2
  • Add LD_LIBRARY_PATH=/opt/likewise/lib to the ENV line (line 14 in the Lenny script), so the whole line looks like this:
ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin LD_LIBRARY_PATH=/opt/likewise/lib"
  • Restart apache2

sudo /etc/init.d/apache2 restart
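The keytab handling above (ktpass on the DC, the ktutil merge and the www-data-only permissions) is easy to get subtly wrong, and klist -k does not tell you which keys do not belong. The following Python script is an added example, not code from the original page or from Likewise; it reads the MIT keytab format directly, lists every principal with its key version number and enctype, and warns when the file holds anything other than HTTP/ keys, which is exactly what happens when /etc/krb5.keytab is merged in. The sample keytab bytes, the enctype name table and the dummy key material are constructed for the example.

```python
"""Inspect an MIT/Heimdal keytab (format version 0x0502) without klist/ktutil.

Added example, not from the Plone page. It parses the binary keytab layout and
flags principals that do not belong in Apache's keytab. The sample keytab
below is constructed in code; the keys are dummy bytes, not real key material.
"""
import struct
import sys

KEYTAB_MAGIC = b"\x05\x02"

# Enctype names (IANA numbers) for readable output; table assumed for the example.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(buf, pos):
    """Read a uint16 length-prefixed byte string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of dicts: principal, name_type, timestamp, kvno, enctype, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def build_keytab(entries):
    """Encode entries (same dict shape parse_keytab returns) into keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + struct.pack(">H", len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def foreign_principals(entries, service="HTTP/"):
    """Principals that are not the web service's own, e.g. host/ keys merged in."""
    return sorted({e["principal"] for e in entries
                   if not e["principal"].startswith(service)})


# Constructed sample: the HTTP key from ktpass plus the machine keys that the
# 'rkt /etc/krb5.keytab' step drags along. name_type 1 = KRB5_NT_PRINCIPAL.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "HTTP/web.domain.com@DOMAIN.COM", "name_type": 1,
     "timestamp": 1268000000, "kvno": 3, "enctype": 23, "key": b"\x11" * 16},
    {"principal": "host/web.domain.com@DOMAIN.COM", "name_type": 1,
     "timestamp": 1268000000, "kvno": 2, "enctype": 23, "key": b"\x22" * 16},
    {"principal": "WEB$@DOMAIN.COM", "name_type": 1,
     "timestamp": 1268000000, "kvno": 2, "enctype": 23, "key": b"\x33" * 16},
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for e in found:
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"],
                                   ENCTYPES.get(e["enctype"], e["enctype"])))
    extra = foreign_principals(found)
    if extra:
        print("WARNING: keytab also holds non-HTTP keys:", ", ".join(extra))
```

Run it as python keytab_check.py /etc/apache2/krb5.keytab (as root or www-data); with no argument it inspects the constructed sample, which reports the two machine-account principals the merge dragged in. A kvno that no longer matches the account's key version on the DC (the password was reset after ktpass), or an HTTP/ principal whose host name differs from the one users type, are the usual reasons Negotiate fails quietly and the browser falls back to the password prompt.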

Apache2 and Plone with Kerberos Authentication

  • Using Nautilus as root, navigate to /etc/apache2/sites-available and edit “default”, clearing out the test configuration and adding this (the port-80 test vhost goes away, so the password fallback is only ever offered over SSL):

NameVirtualHost 192.168.1.5:443

<VirtualHost 192.168.1.5:443>

<Location />
	AuthType Kerberos
	AuthName "Kerberos_Login"
	KrbMethodNegotiate On
	KrbMethodK5Passwd On
	# Off skips verifying the KDC against the keytab for the password fallback,
	# leaving that path open to KDC spoofing. Prefer On once the keytab works.
	KrbVerifyKDC Off
	KrbAuthRealms DOMAIN.COM
	Krb5Keytab /etc/apache2/krb5.keytab
	Require valid-user

	# Hand the authenticated principal to Plone. WebServerAuth trusts this header
	# as-is, so Zope must only be reachable through this vhost: bind it to
	# 127.0.0.1 or firewall port 8080.
	RequestHeader set X_REMOTE_USER %{remoteUser}e
</Location>

<IfModule mod_proxy.c>
	<Proxy http://localhost:8080>
		Order deny,allow
		Deny from all
		Allow from all
	</Proxy>
</IfModule>

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/site.key

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteLog /var/log/apache2/rewrite.log
	RewriteLogLevel 3

	# The LA-U look-ahead runs authentication before the rewrite, so REMOTE_USER
	# is already set and is copied into the remoteUser variable that the
	# RequestHeader line above forwards.
	RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</IfModule>

</VirtualHost>
  • Restart apache2 at a terminal

sudo /etc/init.d/apache2 restart
  • Open Nautilus as root, navigate to /etc and edit krb5.conf. Comment out the “reverse_mappings …” line.

  • Make sure Zope itself is not reachable from the network. WebServerAuth logs in whoever is named in the X_REMOTE_USER header, so a client that can connect to port 8080 directly can send that header and become any user. Bind the instance to 127.0.0.1 (the http-address option in buildout.cfg; the default listens on all interfaces) or firewall port 8080 so that only this Apache vhost can reach it.

SSO should now be working with Kerberos. On a workstation joined to your AD, open a browser and go to https://web.domain.com.

mod_ntlm2 Authentication

Once again, I use Kerberos to authenticate. Also, I believe no one is maintaining mod_ntlm2 any more. NTLM authentication is tied to the TCP connection rather than to each request, which is why the module needs the source patch below to work behind a rewrite-based proxy. If you plan to use this authentication, you can skip all of the Kerberos steps above.
  • Install mod_ntlm2
  1. Go to this website: http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/ and install per its instructions. But before doing the third part (compiling), edit “mod_ntlm.c”: find every instance of “r->proxyreq” and replace it with “r->proxyreq && 0”, so the module never treats the proxied request as a proxy-authentication request and challenges the browser with WWW-Authenticate instead of Proxy-Authenticate. When this is done, proceed with the rest of the installation. (I found this information at http://www.gossamer-threads.com/lists/zope/users/197385.)

  • Edit the “default” file in /etc/apache2/sites-available/ and insert the following. NTLMDomain, NTLMServer and NTLMBackup are placeholders; in the scenario above they would be the NetBIOS domain name, dc.domain.com and a second DC if you have one. (The original had a space in “Order deny, allow”, which Apache rejects as a second argument; it is corrected here.)

NameVirtualHost 192.168.1.5:443
<VirtualHost 192.168.1.5:443>

# ServerSignature On appends the Apache version to error pages; Off is the
# safer setting once things work.
ServerSignature On

   <Location />
           NTLMAuth on
           NTLMAuthoritative on
           NTLMDomain domain
           NTLMServer AD-Server
           NTLMBackup AD-Backup
           NTLMLockfile /tmp/_mod_ntlm.lck
           Require valid-user
           AuthType NTLM
           Satisfy all
   </Location>

   <IfModule mod_proxy.c>
      <Proxy http://localhost:8080>
         Order deny,allow
         Deny from all
         Allow from all
      </Proxy>
   </IfModule>

   SSLEngine On
   SSLCertificateFile /etc/apache2/ssl/site.crt
   SSLCertificateKeyFile /etc/apache2/ssl/site.key

   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteLog /var/log/apache2/rewritelog
      RewriteLogLevel 3
           # Look ahead to the authenticated user, copy it into RU, and forward
           # it to Plone in the header WebServerAuth reads. Zope must not be
           # reachable except through this vhost, or the header can be forged.
           RewriteCond %{LA-U:REMOTE_USER} (.+)
           RewriteRule .* - [E=RU:%1]

           RequestHeader set X_REMOTE_USER %{RU}e
      RewriteRule ^/(.*) \
         http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P]
   </IfModule>

</VirtualHost>
  • Restart apache2 at a terminal

sudo /etc/init.d/apache2 restart

SSO authentication with mod_ntlm2 should now be working. On a workstation joined to your AD, open a browser and go to https://web.domain.com. If you prefer Firefox, follow these instructions to configure it: http://sivel.net/2007/05/firefox-ntlm-sso/.
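Both configurations, the Kerberos vhost and the mod_ntlm2 vhost, end the same way: Apache authenticates the user and hands Plone the result as the X_REMOTE_USER request header, which WebServerAuth accepts as the logged-in user. Nothing in that header proves it came from Apache. The following Python sketch is an added example, not code from the page or from Products.WebServerAuth; it models the two checks that keep the scheme honest, namely trusting the header only when the request arrives from the proxy's address, and normalising the two identity formats the page produces (user@REALM from mod_auth_kerb, DOMAIN\user from mod_ntlm2) to the sAMAccountName the AD plugin knows. The trusted-proxy set, the header key, the regular expressions and the sample requests are assumptions made for the example, not WebServerAuth's actual implementation.

```python
"""Model of the trust boundary behind the X_REMOTE_USER header.

Added example, not code from the Plone page or from Products.WebServerAuth.
The environ dicts mimic what a WSGI/Zope front end sees; all sample requests
below are constructed.
"""
import re

TRUSTED_PROXIES = {"127.0.0.1"}   # assumed: only Apache on this host may assert identities
HEADER = "HTTP_X_REMOTE_USER"     # assumed: CGI-style key for the 'X_REMOTE_USER' header

# mod_auth_kerb yields user@REALM, mod_ntlm2 yields DOMAIN\user (assumed formats).
_WINDOWS = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>[^\\]+)$")
_REALM = re.compile(r"^(?P<user>[^@]+)@(?P<realm>[^@]+)$")
_USERNAME = re.compile(r"^[A-Za-z0-9._$-]{1,64}$")   # assumed sAMAccountName shape


def normalise(raw):
    """Strip the domain or realm so the id matches sAMAccountName from the AD plugin."""
    m = _WINDOWS.match(raw) or _REALM.match(raw)
    return m.group("user") if m else raw


def identify(environ):
    """Return the asserted user id, or None when the header must not be trusted."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None                   # direct hit on port 8080: header is attacker-controlled
    raw = environ.get(HEADER, "").strip()
    if not raw or raw == "(null)":    # value older mod_headers emits for an unset variable
        return None
    user = normalise(raw)
    if not _USERNAME.match(user):
        return None                   # reject oddities before they reach an LDAP filter
    return user


# Constructed sample requests.
VIA_APACHE_KERBEROS = {"REMOTE_ADDR": "127.0.0.1", HEADER: "jdoe@DOMAIN.COM"}
VIA_APACHE_NTLM = {"REMOTE_ADDR": "127.0.0.1", HEADER: "DOMAIN\\jdoe"}
DIRECT_TO_ZOPE = {"REMOTE_ADDR": "192.168.1.77", HEADER: "Administrator"}
UNAUTHENTICATED = {"REMOTE_ADDR": "127.0.0.1", HEADER: "(null)"}
INJECTION = {"REMOTE_ADDR": "127.0.0.1", HEADER: "*)(sAMAccountName=*"}

if __name__ == "__main__":
    for name, env in [("kerberos", VIA_APACHE_KERBEROS), ("ntlm", VIA_APACHE_NTLM),
                      ("direct", DIRECT_TO_ZOPE), ("unauth", UNAUTHENTICATED),
                      ("injection", INJECTION)]:
        print("%-10s -> %r" % (name, identify(env)))
```

The DIRECT_TO_ZOPE case is the attack to design against: anyone who can open a connection to port 8080 can supply the header themselves. Since WebServerAuth itself does no source check, enforce it outside Plone by setting http-address = 127.0.0.1:8080 in buildout.cfg (and re-running buildout) or by firewalling port 8080 so only the local Apache can connect.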

 

