Active Directory SSO login in Linux



To enable Active Directory SSO login on a Linux web server, build the mod_auth_ntlm_winbind module for Apache and let it authenticate browser users against the domain through winbind; PHP then receives the authenticated account name in REMOTE_USER. Background on the approach: http://adldap.sourceforge.net/faq.php


Setup:

RHEL / CentOS 6 or 7 server
An Active Directory account allowed to join computers to the domain, plus a Windows client logged on as a domain user with a browser set up for integrated (NTLM) authentication

Step 1. Synchronize clocks with ntp

Kerberos and the domain join reject a host whose clock is more than 5 minutes off the domain controller, so keep ntpd running. The ntp package itself is installed in Step 2; once it is in place:

# service ntpd start   # and keep in sync
# chkconfig ntpd on    # after reboot as well

Step 2. Update system and install required software


# yum update
# yum install mc vim httpd php svn httpd-devel make autoconf gcc ntp krb5-workstation samba-common authconfig samba-winbind
- On CentOS one more package is required: samba-winbind-clients (it provides wbinfo and ntlm_auth)

Step 3. Connect to active directory


# authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=DC.domain.com --krb5realm=domain.com --smbservers=DC.domain.com --smbworkgroup=domain --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=domain.com --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline --winbindjoin=admin.user --disablewins --disablecache --enablelocauthorize --updateall

Replace DC.domain.com, domain.com and admin.user with your domain controller, realm and join account; --smbworkgroup is the NetBIOS domain name. --winbindjoin prompts for the join account's password and adds this host to the domain. Two things to watch: --enablemd5/--passalgo=md5 only affects hashes of local accounts in /etc/shadow, but MD5 is weak, so prefer --passalgo=sha512 there; and --winbindtemplateshell=/bin/false keeps domain users from getting an interactive shell on this box, which is what you want for a web SSO host.

# service winbind start ; chkconfig winbind on
# setsebool -P allow_httpd_mod_auth_ntlm_winbind on
(On CentOS 7 the SELinux boolean is named httpd_mod_auth_ntlm_winbind; check with getsebool -a | grep ntlm_winbind.)

Now check your winbind connection using the following commands:
# wbinfo -u
# wbinfo -g

- The privileged winbind socket /var/lib/samba/winbindd_privileged/pipe must be writable by the web server, because ntlm_auth needs it to fetch the NT key for the challenge/response. Add the apache user to the wbpriv group (note the -a; a plain usermod -G would replace apache's existing supplementary groups) and make sure the directory is owned root:wbpriv with mode 0750, so that only root and wbpriv members can reach the socket:
# usermod -aG wbpriv apache
# chown root:wbpriv /var/lib/samba/winbindd_privileged
# chmod 0750 /var/lib/samba/winbindd_privileged

- If your ntlm_auth build looks for the socket under /var/run/samba instead, point it at the real one:
# mkdir -p /var/run/samba/winbindd_privileged
# ln -s /var/lib/samba/winbindd_privileged/pipe /var/run/samba/winbindd_privileged/pipe

Step 4. Download and compile mod_auth_ntlm_winbind


# svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
or download the zip from https://github.com/rodpaddock/mod_auth_ntlm_winbind- and unpack it:

# unzip mod_auth_ntlm_winbind.zip
# cd mod_auth_ntlm_winbind/

- If the checkout lacks the autotools files, copy configure.in from https://www.samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/configure.in
- and Makefile.in from https://www.samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/Makefile.in
# autoconf
# ./configure
# apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
apxs comes from httpd-devel; -i installs the built module into the httpd modules directory (/usr/lib64/httpd/modules on 64-bit systems).

Step 5. Configure it


In /etc/httpd/conf.d/mod_auth_ntlm_winbind.conf I put the following configuration:

LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
<Directory "/var/www/html">
    Options ExecCGI FollowSymLinks SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "NTLM Authentication"
    AuthType NTLM
    Require valid-user
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
</Directory>

Notes on these directives:
- Order/Allow are Apache 2.2 syntax (CentOS 6). They still work on the httpd 2.4 of CentOS 7 because mod_access_compat is loaded by default; the 2.4 equivalent is Require all granted, but keep Require valid-user as the rule that actually enforces login.
- ExecCGI and FollowSymLinks are not needed for a PHP page; drop them unless something else in the directory uses them.
- NTLMBasicAuthoritative on lets a client that cannot do NTLM fall back to HTTP Basic, which sends the user's AD password base64-encoded (not encrypted) with every request. Leave it on only if the site is served over HTTPS, or turn it off.

In /etc/httpd/conf/httpd.conf, change KeepAlive Off to KeepAlive On. This is not optional: NTLM authenticates the TCP connection rather than each request, and the type 1 / type 2 / type 3 handshake spans three requests, so without keep-alive the browser never completes the login.
Preferably, also set MaxKeepAliveRequests and KeepAliveTimeout to a high value.
On my intranet server, they're set to 1000 requests and 600 seconds.

Step 6. Change your firewall to allow incoming HTTP

On CentOS 6 (iptables):
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# service iptables save

On CentOS 7 (firewalld):
# firewall-cmd --permanent --add-service=http ; firewall-cmd --reload

Open 443 instead of (or as well as) 80 if you serve the site over HTTPS, which you should when Basic fallback is enabled.

Step 7. Go!


# service httpd restart
# chkconfig httpd on
Then test your configuration.


Additional debugging:
Let's first try to authenticate with NTLM from the command line (it prompts for the password and should print NT_STATUS_OK):
# ntlm_auth --request-nt-key --domain=<your domain> --username=<your username>

Check that the module is loaded: # httpd -M | grep ntlm

To get helper output in the error log, add "LogLevel debug" to /etc/httpd/conf/httpd.conf and restart httpd; set it back to warn once things work, since debug logs are noisy and record usernames.

To test:
To check that the module is exporting the authenticated user, put the code below in /var/www/html/user.php (the echoed value is HTML-escaped, since REMOTE_USER is attacker-influenced input like any other):
<?php
// REMOTE_USER is set by mod_auth_ntlm_winbind only after a successful
// NTLM handshake. With --enablewinbindusedefaultdomain (Step 3) it is
// the bare username; otherwise it is DOMAIN+user, using the
// winbindseparator configured there.
$user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
?>
<html>
<body>
<?php echo $user !== '' ? htmlspecialchars($user, ENT_QUOTES, 'UTF-8') : 'not authenticated'; ?>
</body>
</html>

If SSO is configured correctly and you open the page from a browser on a machine where you are logged on as a domain user (I use a laptop logged on with my AD account and Internet Explorer, which passes the Windows logon credentials automatically), your user name is displayed by the page without any prompt.
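The following check script pulls the verification points from Steps 1 to 7 together. It is an added example, not part of the original post: the paths, the config file names and the URL of the test page are the ones used above and can be overridden through environment variables; SSO_DOMAIN and SSO_USER are assumed variables for an optional end-to-end login. The config parsing works on any file; the live checks (ntpstat, wbinfo, the socket permission test and the curl requests) only run with --live, as root, on the server itself.

```shell
#!/bin/sh
# sso_check.sh: post-install checks for the mod_auth_ntlm_winbind setup
# described in this post. Added example, not the post's own code.
# Paths are the ones the post uses; override via environment if needed.

HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"
NTLM_CONF="${NTLM_CONF:-/etc/httpd/conf.d/mod_auth_ntlm_winbind.conf}"
WB_PIPE="${WB_PIPE:-/var/lib/samba/winbindd_privileged/pipe}"
TEST_URL="${TEST_URL:-http://localhost/user.php}"
SSO_DOMAIN="${SSO_DOMAIN:-}"   # assumed: NetBIOS domain for the --live login test
SSO_USER="${SSO_USER:-}"       # assumed: domain user for the --live login test

# conf_value FILE DIRECTIVE: print the value of DIRECTIVE in FILE.
# Commented-out lines never match (their first field is "#..."); the last
# occurrence wins, as in httpd itself. Prints an empty line if absent.
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# is_on FILE DIRECTIVE: true if the directive is set to On (any case).
is_on() {
    [ "$(conf_value "$1" "$2" | tr 'A-Z' 'a-z')" = "on" ]
}

# check_keepalive FILE: NTLM authenticates the TCP connection, not each
# request, and its three-message handshake spans three requests, so
# KeepAlive Off makes the login loop or fail. True if KeepAlive is On.
check_keepalive() {
    is_on "$1" KeepAlive
}

# basic_fallback_enabled FILE: true if NTLMBasicAuthoritative is On.
# With it on, a client that cannot do NTLM is offered HTTP Basic, which
# sends the AD password base64-encoded on every request; only safe over TLS.
basic_fallback_enabled() {
    is_on "$1" NTLMBasicAuthoritative
}

# live_checks: run as root on the web server after Step 7.
live_checks() {
    rc=0
    check_keepalive "$HTTPD_CONF" || { echo "FAIL: KeepAlive is not On in $HTTPD_CONF"; rc=1; }
    basic_fallback_enabled "$NTLM_CONF" && echo "WARN: NTLMBasicAuthoritative is on; serve this site over HTTPS only"
    # AD rejects a host whose clock is >5 minutes off the DC; ntpstat exits 0 when in sync
    ntpstat >/dev/null 2>&1 || { echo "WARN: ntpd is not synchronised (ntpstat)"; rc=1; }
    # machine account trust with the domain controller
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: wbinfo -t: domain trust is broken"; rc=1; }
    # apache must be in wbpriv and able to write the privileged pipe
    id -nG apache | tr ' ' '\n' | grep -qx wbpriv || { echo "FAIL: apache is not in group wbpriv"; rc=1; }
    su -s /bin/sh apache -c "test -w '$WB_PIPE'" || { echo "FAIL: apache cannot write $WB_PIPE"; rc=1; }
    # an anonymous request must be answered with a 401 carrying the NTLM challenge header
    curl -s -o /dev/null -D - "$TEST_URL" | grep -qi '^WWW-Authenticate: NTLM' \
        || { echo "FAIL: no 'WWW-Authenticate: NTLM' header from $TEST_URL"; rc=1; }
    # optional end-to-end login as a domain user (curl prompts for the password)
    if [ -n "$SSO_USER" ]; then
        curl -s --ntlm -u "$SSO_DOMAIN\\$SSO_USER" "$TEST_URL" | grep -qi "$SSO_USER" \
            || { echo "FAIL: user.php did not echo $SSO_USER"; rc=1; }
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as `sh sso_check.sh --live` on the server; a non-zero exit means at least one FAIL. The anonymous curl check is the quickest way to tell whether the module is actually in the request path: if the page comes back 200 without a WWW-Authenticate: NTLM header, the <Directory> block is not matching, and if it comes back 500, look at the error log with LogLevel debug for the helper's messages.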
