|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000069||Active Directory Integration||General||public||2012-10-23 10:33||2012-11-08 15:40|
|Target Version||Fixed in Version|
|Summary||0000069: Feature Request: Add Single Sign On Capability|
|Description||SSO seems to be the holy grail of AD integration in corporate environments.|
There is already a stable solution to authenticate users in a SSO manner via mod_auth_kerb and a keytab in Apache. This results in a REMOTE_USER variable filled with username@REALM. With Daniel Westermann-Clark's HTTP-Authentication plugin you can log in a kerberized user automatically.
What is missing is the link to additional information about that user provided by AD Integration (group membership, etc.).
So the idea might be to take the user from "REMOTE_USER", look up the needed information and proceed without user interaction to login.
It might be necessary to do this under a helper account - there's no password from that user available because he authenticated with a kerberos ticket.
|Tags||No tags attached.|
|Attached Files||ad.diff (1,172 bytes) 2012-11-08 15:40|
This sounds very interesting and I have thought about it already, as you can see in the source code.
As you mentioned, we need a special account that has the right to read the data of all users from AD. It will be necessary to add a new section called "SSO" to the options page. Then we need the following options:
Enable SSO (checkbox)
to enable or disable this feature. If enabled and REMOTE_USER is set, the user will be logged in automatically.
SSO User Name from (text input)
where you can enter "REMOTE_USER" (default) or another parameter which stores the user name.
SSO Global User
Username of an AD account with read permissions for the users in the Active Directory (e.g. "firstname.lastname@example.org").
SSO Global User Password
... and the password
We managed to get it working in some way (no configuration options, hard coded user, etc.) but it basically does what it's supposed to do: User login is enforced by mod_auth_kerb, users are logged in automatically and a new user is created on the fly, using data from AD. Pretty promising!
The main problem is realm/domain-suffix handling at the moment, but nevertheless I will provide a diff of our work in progress later.
|A diff would be great. And some options for domain-suffix handling won't be difficult to implement. You can post the diff right here or send it to email@example.com.|
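The step the description and notes 0000095/0000096 discuss (taking the Kerberos principal from REMOTE_USER, honouring the proposed SSO options, and handling the realm suffix before the helper account looks the user up in AD), as an added example that is not code from the plugin or from this tracker; the function name, option keys and sample data are hypothetical and constructed.

```php
<?php
// Added example (not from the plugin): resolve the principal that mod_auth_kerb
// leaves in REMOTE_USER into a login name the AD lookup can use, with the
// realm check that note 0000096 names as the main problem.

/**
 * @param array $server   Server variables (normally $_SERVER).
 * @param array $options  Hypothetical plugin options matching note 0000095:
 *   'sso_enabled'        bool   - the "Enable SSO" checkbox
 *   'sso_user_var'       string - the "SSO User Name from" setting
 *   'sso_allowed_realms' array  - Kerberos realms accepted for auto-login
 * @return array|null  ['login' => ..., 'realm' => ...], or null to fall back
 *                     to the normal login form.
 */
function ad_sso_resolve_principal(array $server, array $options)
{
    if (empty($options['sso_enabled'])) {
        return null; // feature disabled
    }
    $var = !empty($options['sso_user_var']) ? $options['sso_user_var'] : 'REMOTE_USER';
    // Only variables the web server itself sets may be trusted. Anything
    // prefixed HTTP_ is a request header and could be supplied by the client.
    if (strncmp($var, 'HTTP_', 5) === 0 || empty($server[$var])) {
        return null;
    }
    // Principal as produced by mod_auth_kerb: user@REALM
    if (!preg_match('/^([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$/', $server[$var], $m)) {
        return null; // unexpected format: do not guess
    }
    $login = strtolower($m[1]);
    $realm = strtoupper($m[2]);
    // Realm/domain-suffix handling: accept only realms listed in the options,
    // so a principal from another realm is not mapped onto a local user name.
    $allowed = array_map('strtoupper', (array) $options['sso_allowed_realms']);
    if (!in_array($realm, $allowed, true)) {
        return null;
    }
    return array('login' => $login, 'realm' => $realm);
}

// Constructed sample input standing in for $_SERVER after mod_auth_kerb ran.
$sample_server  = array('REMOTE_USER' => 'jdoe@EXAMPLE.ORG');
$sample_options = array(
    'sso_enabled'        => true,
    'sso_user_var'       => 'REMOTE_USER',
    'sso_allowed_realms' => array('example.org'),
);
var_dump(ad_sso_resolve_principal($sample_server, $sample_options));
```

The returned login is what the "SSO Global User" helper account would then look up in AD to create or update the WordPress user; a null result should simply show the normal login form.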
|2012-10-23 10:33||tilman||New Issue|
|2012-10-23 10:33||tilman||Status||new => assigned|
|2012-10-23 10:33||tilman||Assigned To||=> cst|
|2012-11-08 13:42||cst||Note Added: 0000095|
|2012-11-08 15:05||tilman||Note Added: 0000096|
|2012-11-08 15:22||cst||Note Added: 0000097|
|2012-11-08 15:40||tilman||File Added: ad.diff|