Mantis Bug Tracker

View Issue Details

ID: 0000078
Project: Active Directory Integration
Category: General
View Status: public
Date Submitted: 2013-09-17 06:05
Last Update: 2013-09-18 07:16
Reporter: marshalld
Assigned To: cst
Priority: normal
Severity: feature
Reproducibility: always
Status: assigned
Resolution: open
Platform: Apache / Wordpress
OS: Linux
OS Version: RHEL 6
Product Version: 1.1.4
Target Version:
Fixed in Version:
Summary: 0000078: Allow SSO if REMOTE_USER environment variable is set
Description
I have seen other discussions about this, but I'd like to add what I think is a simpler alternative to the ones I have seen before.

The option I have developed is an update to the authenticate() function in ad-integration.php

The output of a diff is in the additional information section.

It uses the syncback user to connect to AD on SSO.

Please consider incorporating something like this.
Steps To Reproduce
Set up single sign-on in Apache using, e.g., mod_auth_kerberos.

Perform SSO login.

I use Apache rewrite rules to handle SSO. The idea is to redirect /wp-login.php to /sso-login when an SSO login is expected. /manual-login can be used to bypass SSO. The error document tells a device that doesn't support SSO to redirect to /manual-login.

The rules are:

  RewriteEngine On

  <Location /sso-login>
    # SSO directives (e.g. the mod_auth_kerb AuthType/KrbAuthRealms settings) go here
    Require valid-user
  </Location>

  # Let form posts and logout requests reach wp-login.php untouched
  RewriteCond %{REQUEST_METHOD} "POST"
  RewriteRule ^/wp-login\.php$ - [L]
  RewriteCond %{QUERY_STRING} "action=logout"
  RewriteRule ^/wp-login\.php$ - [L]
  # After logout, send the browser to the front page instead of back into SSO
  RewriteCond %{QUERY_STRING} "loggedout=true"
  RewriteRule ^/wp-login\.php$ / [R,L]
  # Any other request for the login form is redirected to the protected path
  RewriteRule ^/wp-login\.php$ /sso-login [R,L]
  # /sso-login (once authenticated) and /manual-login both map back to wp-login.php
  RewriteRule ^/(sso|manual)-login$ /wp-login.php [L]
  # A device that cannot complete SSO gets a 401; bounce it to the manual form
  ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/manual-login\"></html>"
Additional Information
[active-directory-integration]$ diff ad-integration.php.orig ad-integration.php
672a673,675
>
>
> if (empty($_SERVER['REMOTE_USER'])) {
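Review bot: the `if (empty($_SERVER['REMOTE_USER']))` opened here makes SSO unconditional: whenever the web server has populated REMOTE_USER, the plugin's own password check (the 116 lines that become the if-branch, closed in the next hunk) is skipped with no way to turn that off. Gate the new branch on an explicit plugin option (an "enable SSO" setting) as well as on the variable being set, so that a deployment which protects only some paths, or which runs PHP behind a proxy or FastCGI gateway that forwards REMOTE_USER, does not silently switch to variable-based login. Wrapping the whole existing body in a new if/else also makes the change hard to review; an early `if (!empty($_SERVER['REMOTE_USER'])) { return $this->_authenticate_sso(); }` at the top of authenticate() would leave the existing code untouched.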
788a792,828
> }
> else {
> $username=strtolower($_SERVER['REMOTE_USER']);
> if (strpos($username, '@') !== FALSE) {
> $username = substr($username, 0, strpos($username, '@'));
> }
> $password = wp_generate_password();
>
> // Log informations
> $this->_log(ADI_LOG_NOTICE,'SSO username: '.$username);
> $this->_log(ADI_LOG_INFO,"Options for adLDAP connection:\n".
> "- account_suffix: $this->_account_suffix\n".
> "- base_dn: $this->_base_dn\n".
> "- domain_controllers: $this->_domain_controllers\n".
> "- ad_port: $this->_port\n".
> "- use_tls: ".(int) $this->_use_tls."\n".
> "- network timeout: ". $this->_network_timeout."\n".
> "- AD user: ". $this->_syncback_global_user);
>
> // Connect to Active Directory
> try {
> $this->_adldap = @new adLDAP(array(
> "base_dn" => $this->_base_dn,
> "domain_controllers" => explode(';', $this->_domain_controllers),
> "ad_port" => $this->_port, // AD port
> "use_tls" => $this->_use_tls, // secure?
> "network_timeout" => $this->_network_timeout, // network timeout
> "ad_username" => $this->_syncback_global_user, // Use syncback user
> "ad_password" => $this->_decrypt($this->_syncback_global_pwd) // Use syncback user
> ));
> } catch (Exception $e) {
> $this->_log(ADI_LOG_ERROR,'adLDAP exception: ' . $e->getMessage());
> return false;
> }
>
> $this->_authenticated = true;
> }
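Review bot: `$this->_authenticated = true;` at the end of this branch is reached after nothing more than a successful bind as the syncback account; the REMOTE_USER principal itself is never looked up, so a name that does not exist in AD, or that would fail any check the other branch performs, is still marked authenticated. Look the account up through the adLDAP connection before setting the flag and return false when it is absent. Two smaller points: `$password = wp_generate_password();` is assigned and never used in the hunk, and the substr() on '@' discards the realm, so `jdoe@OTHER.REALM` and `jdoe@YOUR.DOMAIN` collapse to the same local `jdoe`; compare the part after '@' with the configured account suffix and reject mismatches instead of dropping it.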
Tags: No tags attached.

Attached Files

Relationships

Notes

Note 0000118, marshalld (reporter), 2013-09-18 07:16
I expect you may also want to set $account_suffix in here:

        if (strpos($username, '@') !== FALSE) {
                $username = substr($username, 0, strpos($username, '@'));
        }
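The suffix handling the note above points at, as an added example that is not part of the plugin or of the reporter's patch: a stricter mapping from REMOTE_USER to an account name than the substr() on '@'. Instead of discarding the realm, it compares it with the configured account suffix, refuses principals from other realms, and restricts the local part to a conservative sAMAccountName character set before the name reaches an LDAP filter or a WordPress user lookup. The function name `adi_sso_username`, its `$account_suffix` argument and the AUTH_TYPE consistency check are assumptions for this example; the `$_SERVER` arrays at the bottom are constructed, not captured from a server.

```php
<?php
// Added example, not the plugin's code and not the reporter's patch.
// adi_sso_username() and its parameters are assumptions for illustration.

/**
 * Derive the AD account name from the principal Apache placed in REMOTE_USER.
 *
 * Returns the lower-cased local part, or null when the request must not be
 * treated as an SSO login. Rejection reasons are appended to $reasons.
 *
 * @param array  $server          a copy of $_SERVER
 * @param string $account_suffix  configured UPN/realm suffix, e.g. "@example.com"
 * @param array  $reasons         filled with rejection reasons (by reference)
 * @return string|null
 */
function adi_sso_username(array $server, $account_suffix, array &$reasons = array())
{
    $reasons = array();

    // 1. Consistency check: an auth module that sets REMOTE_USER also sets
    //    AUTH_TYPE (e.g. "Negotiate"). This does not defend against a gateway
    //    that forwards both variables; it only catches REMOTE_USER set by
    //    something other than Apache authentication.
    if (empty($server['REMOTE_USER']) || empty($server['AUTH_TYPE'])) {
        $reasons[] = 'REMOTE_USER or AUTH_TYPE not set by the web server';
        return null;
    }
    $principal = $server['REMOTE_USER'];

    // 2. Split user@REALM, keeping the realm instead of throwing it away so
    //    that a user from a foreign realm cannot collide with a local account.
    $at = strpos($principal, '@');
    if ($at === false) {
        $user  = $principal;
        $realm = '';
    } else {
        $user  = substr($principal, 0, $at);
        $realm = substr($principal, $at);   // includes the leading '@'
    }

    // 3. A realm, when present, must equal the configured account suffix.
    //    Kerberos realms are upper case and UPN suffixes usually are not,
    //    hence the case-insensitive comparison.
    if ($realm !== '' && strcasecmp($realm, $account_suffix) !== 0) {
        $reasons[] = "realm '$realm' does not match configured suffix '$account_suffix'";
        return null;
    }

    // 4. Restrict the local part to a conservative sAMAccountName alphabet
    //    (assumed here: letters, digits, '.', '_', '-', at most 20 characters)
    //    before it is used in an LDAP filter or a WordPress user lookup.
    if ($user === '' || !preg_match('/^[A-Za-z0-9._-]{1,20}$/', $user)) {
        $reasons[] = "local part '$user' is empty or contains characters outside [A-Za-z0-9._-]";
        return null;
    }

    return strtolower($user);
}

// Constructed sample requests (not captured from a real server).
$cases = array(
    'kerberos login' => array('REMOTE_USER' => 'jdoe@EXAMPLE.COM', 'AUTH_TYPE' => 'Negotiate'),
    'foreign realm'  => array('REMOTE_USER' => 'jdoe@OTHER.COM',   'AUTH_TYPE' => 'Negotiate'),
    'no auth module' => array('REMOTE_USER' => 'jdoe@EXAMPLE.COM'),
    'ldap metachars' => array('REMOTE_USER' => '*)(uid=*@EXAMPLE.COM', 'AUTH_TYPE' => 'Negotiate'),
);

foreach ($cases as $label => $server) {
    $reasons = array();
    $name = adi_sso_username($server, '@example.com', $reasons);
    printf("%-15s -> %s%s\n", $label,
        $name === null ? 'rejected' : $name,
        $reasons ? ' (' . implode('; ', $reasons) . ')' : '');
}
```

In the plugin this function would replace the `strtolower` / `substr` lines of the SSO branch, with a `null` result making authenticate() return false; the configured suffix is the same value the plugin already holds in `$this->_account_suffix`, which is what the note above suggests using.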

Issue History

Date Modified       Username    Field         Change
2013-09-17 06:05    marshalld   New Issue
2013-09-17 06:05    marshalld   Status        new => assigned
2013-09-17 06:05    marshalld   Assigned To   => cst
2013-09-18 07:16    marshalld   Note Added    0000118

