Single Sign On with Active Directory
This will show how to install Plone on a fresh install of Debian 5 so that it authenticates against Active Directory for single sign-on (SSO), using either Kerberos or mod_ntlm2 for authentication. The site will be an intranet with Apache2 in front of the Plone site over SSL.
Purpose
Create an intranet for employees. It should use SSO so that I will not hear employees complain about having to enter their passwords more than once. Authentication is against a Windows 2003 Active Directory.
Scenario
Windows 2003 Active Directory. The DC has the IP address 192.168.1.1 and the name dc.domain.com. The Plone/Apache server has the IP address 192.168.1.5 and the name web.domain.com. I will go over SSO using mod_ntlm2 and Kerberos. I am personally using Kerberos authentication. Choose the authentication method that suits you, but not both.
Web Server
Install Apache2 either with “apt-get” or “Synaptic Manager”.
Open a terminal, type:
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers
Create an A record and a PTR (pointer) record for the web server on your DC (DNS server).
Creating a Self-signed Certificate (SSL)
Open a terminal and type:
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo a2enmod ssl
sudo openssl genrsa -out site.key 1024
sudo openssl req -new -key site.key -out site.csr
When prompted, fill in the appropriate information. When you are asked for the “Common Name”, use the site name; here it is “web”.
sudo openssl x509 -req -days 60 -in site.csr -signkey site.key -out site.crt
Plone
Download and install the Plone Unified Installer. I installed using the basic ZEO install. Here is a how-to for the Unified Installer: http://plone.org/documentation/tutorial/installing-plone-3-with-the-unified-installer/tutorial-all-pages. You can also look at the “Readme.txt” after you extract the file; it lists more libraries/utilities you will need for Plone.
Here is a quick list of the libraries and utilities you need: libssl, libssl-dev, zlib, zlib1g-dev, libjpeg, libjpeg62-dev, readline, libreadline5-dev, readline-common, libxml2, libxml2-dev, wv, xpdf.
Use “sudo apt-get install build-essential” at a terminal. This will install gcc, g++, etc.
Open Nautilus as root and navigate to “/usr/local/Plone/zeocluster”. Edit “buildout.cfg” and add these lines under “[client1]”:
eggs =
    ...
    Products.PloneLDAP
    Products.WebServerAuth

zcml =
    ...
    Products.PloneLDAP

To get LDAP working, install the following: libldap2-dev, libdb4.5-dev, libsasl2-dev
Open a terminal and type:
cd /usr/local/Plone/zeocluster
sudo ./bin/buildout -n
sudo ./bin/plonectl start
To install WebServerAuth, go to your Plone site (http://localhost:8080/Plone). Install WebServerAuth in the “Site Setup”.
After WebServerAuth has been installed, go to http://localhost:8080/manage. Click on the “Plone” link, then click on “acl_users”, go to the drop-down list, select “Plone Active Directory Plugin” and click “Add”.
Set your settings according to the image below:

You do not have to use “administrator” for the account. You can use any account that can read your AD.
You will be sent back to “acl_users” again. Select the AD plugin by the name you gave it (“AD_SSO”). On the functionality page, put a check mark by each item (you can uncheck the ones you don't need later), then click the “Update” button.
Across the top of the page, you should see several tabs. Click the “Properties” tab. Change “groupid_attr” from “objectGUID” to “name” and save the changes.
Across the top, click the “Contents” tab. There should be only one object there; click “acl_users”. Change “User Object Class” from “pilotPerson,uidObject” to “top,person”, then click “Apply Changes”.
Across the top, click the “Users” tab and do a quick search. You should see your users.
Kerberos Authentication
Synchronize the time between the web server and the DC
Install openntpd
sudo apt-get install openntpd
Configure openntpd (using gedit here, you can use any text editor)
sudo gedit /etc/openntpd/ntpd.conf
Comment out everything and insert the following:
server dc.domain.com
Restart service
/etc/init.d/openntpd restart
Check log to make sure everything is ok. Location is at “/var/log/syslog”.
Likewise-open
Open an internet browser and navigate to http://www.likewise.com/
Register and download likewise-open
After you have downloaded the installer file for Debian, right-click it and select the “Permissions” tab. Put a check mark at “Allow executing file as program”. Then close.
Open a terminal and execute the installer as sudo.
When installation is finished, in the terminal type:
sudo /opt/likewise/bin/domainjoin-cli join domain.com Administrator
“SUCCESS” is the right answer. You should be able to log off and log on using a username/password from your Active Directory.
Restart the server if you have problems with logging on with AD credentials.
Apache2 with Likewise-open (kerberos)
With both Apache2 and Likewise-open installed, we will get a quick single-sign on going.
Use Nautilus as root. To do this, go to “Applications” → “System Tools”, right-click “File Browser” and select “Add this launcher to panel”. Now right-click the “File Browser” icon on your panel and select “Properties”. In the “Command” textbox enter this:
gksu "nautilus --no-desktop --browser"
When you open Nautilus as root, navigate to “/etc/apache2”. Edit “httpd.conf” by double-clicking. This file should be blank; insert the following and save:
LoadModule auth_kerb_module /opt/likewise/apache/2.2/mod_auth_kerb.so
With Nautilus again navigate to “/etc/apache2/sites-available”. Edit “default” (make a backup if you like) and clear all entries and input this:
<VirtualHost *:80>
    DocumentRoot /var/www
    LogLevel debug
    <Directory /var/www>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbVerifyKDC Off
        KrbAuthRealms DOMAIN.COM
        Krb5Keytab /etc/apache2/krb5.keytab
        Require valid-user
    </Directory>
</VirtualHost>
Go to your DC and create a new user with “http” as the username. Enter a password for this user; we will use “krbpassword”. Make sure the password is set to never expire.
At a command prompt on the DC, type the following:
ktpass -out c:\keytabfile /princ HTTP/web.domain.com@DOMAIN.COM /pass krbpassword -mapOp set /ptype KRB5_NT_PRINCIPAL /mapUser http
Transfer the newly created file, “keytabfile”, to the web.domain.com server (Plone). I transferred this file to the desktop (“/home/username/Desktop”).
Open a terminal and type the following:
sudo /opt/likewise/bin/ktutil
rkt /home/username/Desktop/keytabfile
rkt /etc/krb5.keytab
wkt /etc/apache2/krb5.keytab
quit
Change the permissions so that only the apache2 service user (www-data) can read krb5.keytab:
sudo chown www-data:www-data /etc/apache2/krb5.keytab
sudo chmod 400 /etc/apache2/krb5.keytab
Restart apache2
sudo /etc/init.d/apache2 restart
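Before relying on the keytab, it is worth verifying two things the steps above depend on: that the merged keytab really contains the HTTP/web.domain.com service principal created with ktpass, and that it is readable by www-data alone (a keytab readable by other local accounts hands out the web server's long-term key). The script below is an added example, not part of the original how-to; it assumes the paths and names used above (/etc/apache2/krb5.keytab, the www-data user, the SPN HTTP/web.domain.com@DOMAIN.COM), GNU stat as shipped on Debian, and an MIT-compatible klist on the PATH (the krb5-user package provides one). Note also that the vhost above sets KrbVerifyKDC Off; once the keytab holds the HTTP principal, mod_auth_kerb can verify the KDC's reply against that key, so turning the option on is the safer setting for the password fallback (KrbMethodK5Passwd).

```shell
#!/bin/sh
# Added example (not part of the original how-to): sanity checks for the Apache keytab.
# Assumed from the how-to: keytab at /etc/apache2/krb5.keytab, Apache running as www-data,
# SPN HTTP/web.domain.com@DOMAIN.COM created with ktpass. Requires GNU stat; the live check
# additionally needs an MIT-style klist (Debian package krb5-user).

# keytab_perms_ok PATH OWNER
# Succeeds only if PATH is a regular file with mode 0400 owned by OWNER, i.e. readable by
# the Apache user and nobody else. This is what the chown/chmod steps above establish.
keytab_perms_ok() {
  path="$1"
  owner="$2"
  [ -f "$path" ] || return 1
  [ "$(stat -c '%a' "$path")" = "400" ] || return 1
  [ "$(stat -c '%U' "$path")" = "$owner" ] || return 1
}

# keytab_has_principal PRINCIPAL
# Reads `klist -k` output on stdin. Entry lines look like "   3 HTTP/web.domain.com@DOMAIN.COM"
# (KVNO, then principal); succeeds only if PRINCIPAL appears as such an entry.
keytab_has_principal() {
  awk -v want="$1" '
    $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of `klist -k` output for an offline dry run of the parser.
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web.domain.com@DOMAIN.COM
   3 host/web.domain.com@DOMAIN.COM'

# dry_run: exercises the parser on the constructed sample; no klist needed.
dry_run() {
  printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal 'HTTP/web.domain.com@DOMAIN.COM' || return 1
  # a principal that is not in the sample must be rejected
  if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal 'HTTP/other.domain.com@DOMAIN.COM'; then
    return 1
  fi
  return 0
}

# check_keytab [KEYTAB] [PRINCIPAL]
# The live check to run on web.domain.com after the ktutil/chown/chmod steps.
# Run it with sudo: klist must be able to read the 0400 keytab.
check_keytab() {
  keytab="${1:-/etc/apache2/krb5.keytab}"
  principal="${2:-HTTP/web.domain.com@DOMAIN.COM}"
  if ! keytab_perms_ok "$keytab" www-data; then
    echo "FAIL: $keytab must be mode 400 and owned by www-data" >&2
    return 1
  fi
  if ! command -v klist >/dev/null 2>&1; then
    echo "FAIL: klist not found; install krb5-user to inspect the keytab" >&2
    return 1
  fi
  if ! klist -k "$keytab" | keytab_has_principal "$principal"; then
    echo "FAIL: $principal is not in $keytab (check the ktpass /princ argument)" >&2
    return 1
  fi
  echo "OK: $keytab is locked down and contains $principal"
}

case "${1:-}" in
  --check) check_keytab "$2" "$3" ;;
  --dry-run) dry_run && echo "parser OK on sample" ;;
esac
```

Save it as check_keytab.sh, run `sh check_keytab.sh --dry-run` anywhere to exercise the parser on the constructed sample, and `sudo sh check_keytab.sh --check` on web.domain.com to test the real keytab; a non-zero exit with a FAIL line tells you which of the two steps above to redo.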
Go to a machine on your network and configure your internet browser. Use this link, http://www.likewise.com/resources/user_documentation/Likewise-Apache-SSO-Guide.pdf on page 9.
After the Plone installation, open an internet browser to http://web.domain.com. You should see “It works”. Check the logs on the web.domain.com server to make sure your browser passed the login: “/var/log/apache2/error.log”.
Apache2 and Plone with Kerberos Authentication
Using Nautilus as root, navigate to “/etc/apache2/sites-available” and edit “default” by clearing it out and adding this:
NameVirtualHost 192.168.1.5:443
<VirtualHost 192.168.1.5:443>
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC Off
KrbAuthRealms DOMAIN.COM
Krb5Keytab /etc/apache2/krb5.keytab
Require valid-user
RequestHeader set X_REMOTE_USER %{remoteUser}e
</Location>
<IfModule mod_proxy.c>
<Proxy http://localhost:8080>
Order deny,allow
Deny from all
Allow from all
</Proxy>
</IfModule>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/site.key
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 3
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</IfModule>
</VirtualHost>
Restart apache2 at a terminal:
sudo /etc/init.d/apache2 restart
Open Nautilus as root, navigate to “/etc” and edit “krb5.conf”. Comment out the “reverse_mappings ...” line.
SSO should now be working with Kerberos. On a workstation in your AD, open an internet browser and type “https://web.domain.com” in the URL bar.
mod_ntlm2 Authentication
Install mod_ntlm2
Go to this website: http://mywheel.net/blog/index.php/mod_ntlm2-on-apache-22x/ and install following the instructions there. But before doing the third part (compiling), edit “mod_ntlm.c”. Find every instance of “r->proxyreq” and replace it with “r->proxyreq && 0”. When this is done, proceed with the rest of the installation. (I found this information at http://www.gossamer-threads.com/lists/zope/users/197385.)
Edit the “default” file in “/etc/apache2/sites-available/”. Insert the following:
NameVirtualHost 192.168.1.5:443
<VirtualHost 192.168.1.5:443>
ServerSignature On
<Location />
NTLMAuth on
NTLMAuthoritative on
NTLMDomain domain
NTLMServer AD-Server
NTLMBackup AD-Backup
NTLMLockfile /tmp/_mod_ntlm.lck
Require valid-user
AuthType NTLM
Satisfy all
</Location>
<IfModule mod_proxy.c>
<Proxy http://localhost:8080>
Order deny,allow
Deny from all
Allow from all
</Proxy>
</IfModule>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/site.key
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /var/log/apache2/rewritelog
RewriteLogLevel 3
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e
RewriteRule ^/(.*) \
http://localhost:8080/VirtualHostBase/https/%{SERVER_NAME}:443/Plone/VirtualHostRoot/$1 [L,P]
</IfModule>
</VirtualHost>
Restart apache2 at a terminal:
sudo /etc/init.d/apache2 restart
SSO authentication with mod_ntlm2 should now be working. On a workstation in your AD, open an internet browser and type “https://web.domain.com” in the URL bar. If you prefer to use Firefox, follow these instructions to configure it: http://sivel.net/2007/05/firefox-ntlm-sso/.
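Both virtual hosts in this how-to (the Kerberos one and the mod_ntlm2 one) work the same way: Apache authenticates the browser, writes the resulting name into the X_REMOTE_USER request header, and proxies to the Zope client on http://localhost:8080, where WebServerAuth accepts that header as the logged-in user. Apache's “RequestHeader set” replaces any X_REMOTE_USER a browser sends, so requests that come through Apache are fine; the thing to confirm is that nobody on the intranet can reach port 8080 directly and supply the header themselves. The script below is an added example, not part of the original how-to or of any of the projects it uses. It assumes the ZEO client listens on port 8080 as configured above, and that the machine has either ss or netstat; the dry run uses constructed socket listings so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not part of the original how-to): confirm that the Zope client behind
# Apache listens on the loopback interface only. Both vhosts proxy to localhost:8080 and
# pass X_REMOTE_USER, so a client bound to 0.0.0.0 would let any intranet host bypass
# Apache and choose its own user name. Assumes port 8080 as in the how-to.

# zope_loopback_only PORT
# Reads `ss -ltn` or `netstat -ltn` output on stdin (local address is column 4 in both).
# Succeeds only if at least one socket listens on PORT and every such socket is bound to
# 127.0.0.1 or ::1. Header lines have no "host:port" in column 4 and are skipped.
zope_loopback_only() {
  awk -v port="$1" '
    {
      addr = $4
      n = split(addr, f, ":")
      if (n < 2 || f[n] != port) next
      host = substr(addr, 1, length(addr) - length(f[n]) - 1)
      found++
      if (host != "127.0.0.1" && host != "[::1]" && host != "::1") bad++
    }
    END { exit (found > 0 && bad == 0) ? 0 : 1 }'
}

# Constructed `ss -ltn` listings: a correctly bound client, and one exposed on all interfaces.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*'
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*'

# dry_run: the parser must accept SAMPLE_OK and reject SAMPLE_BAD.
dry_run() {
  printf '%s\n' "$SAMPLE_OK" | zope_loopback_only 8080 || return 1
  if printf '%s\n' "$SAMPLE_BAD" | zope_loopback_only 8080; then return 1; fi
  return 0
}

# live_check: run on web.domain.com after the Zope client is started.
live_check() {
  if command -v ss >/dev/null 2>&1; then
    listing=$(ss -ltn)
  else
    listing=$(netstat -ltn)
  fi
  if printf '%s\n' "$listing" | zope_loopback_only 8080; then
    echo "OK: port 8080 is reachable only through Apache"
  else
    # Assumed remedy: the client's http-address option in buildout.cfg takes host:port,
    # so binding to 127.0.0.1:8080 keeps the X_REMOTE_USER path Apache-only.
    echo "FAIL: port 8080 is not bound to loopback only; set http-address = 127.0.0.1:8080 under [client1] in buildout.cfg, rerun bin/buildout and restart the client" >&2
    return 1
  fi
}

case "${1:-}" in
  --dry-run) dry_run && echo "parser OK on samples" ;;
  --live) live_check ;;
esac
```

Run `sh check_zope_bind.sh --dry-run` anywhere to exercise the parser, and `sh check_zope_bind.sh --live` on web.domain.com after `plonectl start`. The same check is worth repeating after any buildout rerun, since the bind address lives in buildout.cfg and a regenerated client configuration can silently reopen the port.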
