Mantis Bug Tracker

ID: 0000069
Project: Active Directory Integration
Category: General
View Status: public
Date Submitted: 2012-10-23 10:33
Last Update: 2012-11-08 15:40
Reporter: tilman
Assigned To: cst
Priority: normal
Severity: feature
Reproducibility: N/A
Status: assigned
Resolution: open
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version / Fixed in Version: (not set)
Summary: 0000069: Feature Request: Add Single Sign On Capability

Description:
SSO seems to be the holy grail of AD integration in corporate environments.
There is already a stable solution to authenticate users in an SSO manner via mod_auth_kerb and a keytab in Apache. This results in a REMOTE_USER variable filled with username@REALM. With Daniel Westermann-Clark's HTTP-Authentication plugin you can log in a kerberized user automatically.

What is missing is the link to additional Information to that user provided by AD Integration (group membership, etc.).

So the idea might be to take the user from "REMOTE_USER", look up the needed information and proceed without user interaction to login.

It might be necessary to do this under a helper account - there's no password from that user available because he authenticated with a kerberos ticket.

Tags: No tags attached.

Attached Files: ad.diff (1,172 bytes) 2012-11-08 15:40

- Notes
(0000095)
cst (administrator)
2012-11-08 13:42

This sounds very interesting and I have thought about it already, as you can see in the source code.

As you mentioned, we need a special account that has the right to read the data of all users from AD. It will be necessary to add a new section called "SSO" to the options page. Then we need the following options:

Enable SSO (checkbox)
to enable or disable this feature. If enabled and REMOTE_USER is set, the user will be logged in automatically.

SSO User Name from (text input)
where you can enter "REMOTE_USER" (default) or another parameter which stores the user name.

SSO Global User
Username of an AD account with read permissions for the users in the Active Directory (e.g. "ldapuser@company.local").

SSO Global User Password
... and the password
(0000096)
tilman (reporter)
2012-11-08 15:05

We managed to get it working in some way (no configuration options, hard coded user, etc.) but it basically does what it's supposed to do: user login is enforced by mod_auth_kerb, users are logged in automatically and a new user is created on the fly, using data from AD. Pretty promising!

Main problem is realm/domain-suffix handling at the moment, but nevertheless I will provide a diff of our work in progress later.
(0000097)
cst (administrator)
2012-11-08 15:22

A diff would be great. And some options for domain-suffix handling won't be difficult to implement. You can post the diff right here or send it to christoph@steindorff.de.
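The following is an added illustration of the REMOTE_USER handling discussed in this thread, including the realm/domain-suffix problem raised in note 0000096; it is example code written for this page, not the plugin's code and not the attached ad.diff. The realm table, the default realm and the option names are assumptions; the helper account's actual LDAP bind is left out, only the filter it would use is built.

```python
"""Map a Kerberos REMOTE_USER (username@REALM) to an AD account for the helper-account lookup."""
import re
from typing import Optional, Tuple

# Constructed settings (assumed, not the plugin's real option names):
# realm accepted from mod_auth_kerb -> NetBIOS domain used for the AD lookup.
ALLOWED_REALMS = {"CORP.EXAMPLE.COM": "CORP", "EU.CORP.EXAMPLE.COM": "EU"}
DEFAULT_REALM = "CORP.EXAMPLE.COM"   # applied when the principal carries no suffix

# user principal only: one name component, optional @REALM, no service/instance part
_PRINCIPAL_RE = re.compile(r"^([A-Za-z0-9._-]+)(?:@([A-Za-z0-9.-]+))?$")


def sso_source_ok(variable_name: str) -> bool:
    """Check the 'SSO User Name from' setting: only server-populated CGI variables
    (REMOTE_USER, REDIRECT_REMOTE_USER, ...) may be trusted. HTTP_* variables mirror
    request headers, which the browser, not Apache, controls."""
    return bool(re.fullmatch(r"[A-Z][A-Z0-9_]*", variable_name)) and not variable_name.startswith("HTTP_")


def map_remote_user(remote_user: str,
                    allowed_realms=ALLOWED_REALMS,
                    default_realm: str = DEFAULT_REALM) -> Optional[Tuple[str, str]]:
    """Return (sAMAccountName, NetBIOS domain) or None when the principal is rejected.

    Stripping the suffix blindly would let jdoe@OTHER.REALM become the local user jdoe,
    so the realm must be one the installation explicitly trusts."""
    match = _PRINCIPAL_RE.match(remote_user.strip())
    if not match:
        return None
    name, realm = match.group(1), (match.group(2) or default_realm).upper()
    domain = allowed_realms.get(realm)
    if domain is None:
        return None
    # sAMAccountName is case-insensitive in AD; normalise so one AD user maps to one local account
    return name.lower(), domain


def ldap_filter_for(sam_account_name: str) -> str:
    """Build the search filter the helper account runs, escaping per RFC 4515 so the
    name from REMOTE_USER cannot alter the filter structure."""
    escaped = (sam_account_name.replace("\\", "\\5c").replace("*", "\\2a")
               .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))
    return f"(&(objectClass=user)(sAMAccountName={escaped}))"


if __name__ == "__main__":
    for principal in ("jdoe@CORP.EXAMPLE.COM", "jdoe", "jdoe@OTHER.EXAMPLE.ORG", "host/web01@CORP.EXAMPLE.COM"):
        print(principal, "->", map_remote_user(principal))
```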

- Issue History
Date Modified Username Field Change
2012-10-23 10:33 tilman New Issue
2012-10-23 10:33 tilman Status new => assigned
2012-10-23 10:33 tilman Assigned To => cst
2012-11-08 13:42 cst Note Added: 0000095
2012-11-08 15:05 tilman Note Added: 0000096
2012-11-08 15:22 cst Note Added: 0000097
2012-11-08 15:40 tilman File Added: ad.diff


Copyright © 2000 - 2010 MantisBT Group
Powered by Mantis Bugtracker