Can someone tell me exactly what happens when a user hits the website and the LDAP SSO module kicks in? Our application is a company intranet - so ideally we want to have all of our users authenticate but not deny them access.

We haven't been able to pass remote_user from Apache to the browser. The value is either null or we get an undefined index error. Our environment is Linux Red Hat, Apache, Active Directory on Windows Server 2008 R2. We are using Kerberos (mod_auth_kerb php) for authentication. We've tried various overrides in the .htac

If we had a better understanding of how the module works, maybe we could determine if our issue is strictly Apache or if there is an issue with the LDAP SSO module. From what I understand, the remote_user value is not passed unless the location is protected by a "require valid-user" directive. What location do we need to protect in order to force Apache to pass the remote_user variable? Is it /user/login/sso?

By the way, the LDAP portion of the module is working beautifully. So, thank you to those who have authored and contributed to this module.

Comments

hdlverde

Same situation. Interested in ANY response on this thread!

johnbarclay

Which part of the LDAP SSO documentation have you worked through?

hdlverde

Read through it all and tried several methods also found elsewhere.

First my environment and apache mods:

Installed on CentOS 6.3, PHP 5.3.3 and Apache 2.2.15
Trying to authenticate to a Win2008 R2 server in a 2008-based forest using NTLMv1 (obviously I would like NTLMv2 to work, but that too has failed)

Also tried the following:

Using LDAP module with mod_auth_kerb in Linux to connect to Active Directory for Single Sign On

NTLM authentication

PyAuthenNTLM2

Trying these, I only get the REMOTE_USER variable correct using PyAuthenNTLM2, but I can't get Drupal to use this to log in.

When I set my apache like this:

<Location /user/login/sso>
   Order allow,deny
   allow from all
   AuthType NTLM
   AuthName "auth"
   require valid-user

   PythonAuthenHandler pyntlm
   PythonOption Domain <FQDN DOMAIN>
   PythonOption PDC <ipaddress>
   PythonOption BDC <ipaddress>
</Location>

I only get "You were not authenticated by the server. You may log in with your credentials below."

Drupal error log: $_SERVER['REMOTE_USER'] not found

httpd error log:
[Fri May 10 09:55:59 2013] [notice] caught SIGTERM, shutting down
[Fri May 10 09:55:59 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 10 09:55:59 2013] [notice] Digest: generating secret for digest authentication ...
[Fri May 10 09:55:59 2013] [notice] Digest: done
[Fri May 10 09:55:59 2013] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri May 10 09:55:59 2013] [notice] mod_python: using mutex_directory /tmp
[Fri May 10 09:55:59 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 PHP/5.3.3 mod_python/3.3.1 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal opertions

If I change apache conf to:

<Location />
   Order allow,deny
   allow from all
   AuthType NTLM
   AuthName "auth"
   require valid-user

   PythonAuthenHandler pyntlm
   PythonOption Domain <FQDN DOMAIN>
   PythonOption PDC <ipaddress>
   PythonOption BDC <ipaddress>
</Location>

I get error 310 (net::ERR_TOO_MANY_REDIRECTS) when browsing to ?q=user/login/sso.
However, when browsing to the rest of the site I get "You have been successfully authenticated", but I'm not logged in as a Drupal user.

Drupal shows no new entry in log

http.log: [Fri May 10 10:06:32 2013] [notice] [client ] PYNTLM: User / has been authenticated to access URI /phpinfo.php

I used phpinfo to test variable REMOTE_USER, which is set correctly

Any idea what I have forgot?

UPDATE:
If I set <Location /sites/default/files>, REMOTE_USER is set on a phpinfo.php I put in that folder.
It seems I'm not able to set the tag on /user/login/sso, or the rewrite is not correct?
As I understood it, using Location on that path should work?

haydeniv

/user/login/sso will only work if you have mod_rewrite configured and working properly. What happens when you go to http://yoursite.com/admin?
Do you get the admin page? If not, you need to get mod_rewrite working properly; then you should be good to go.
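The flow the original question asks about (the browser requests /user/login/sso, Apache's Kerberos module negotiates a ticket, Apache sets REMOTE_USER only for that protected location, and Drupal then reads $_SERVER['REMOTE_USER']) and the mod_rewrite dependency pointed out in the comment above fit in one Apache 2.2 configuration. The fragment below is an added illustration, not configuration from the LDAP SSO module or from anyone in this thread; the hostname, document root, realm, keytab path and the use of mod_auth_kerb rather than pyntlm are assumptions.

```apache
# Added example (not the module's own config). Assumptions: Drupal 7 in
# /var/www/html, mod_auth_kerb 5.x, AD realm EXAMPLE.COM, keytab at
# /etc/httpd/krb5.keytab containing HTTP/intranet.example.com@EXAMPLE.COM.
<VirtualHost *:80>
    ServerName intranet.example.com
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        # Lets Drupal's shipped .htaccess (and its RewriteRules) apply.
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    # Clean URLs. This is what Drupal's .htaccess does; it is repeated
    # here so the dependency is visible: without it the SSO link is
    # /?q=user/login/sso, whose URL path is "/", and the <Location> below
    # never matches, so REMOTE_USER is never set for Drupal to read.
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ /index.php [L]

    # Protect only the SSO path. Protecting "/" instead forces Kerberos on
    # every request, including the ones the module redirects to, which is
    # the redirect loop seen earlier in this thread.
    <Location /user/login/sso>
        AuthType Kerberos
        AuthName "Intranet SSO"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/krb5.keytab
        KrbMethodNegotiate On
        # Do not fall back to Basic-auth passwords over the wire.
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>
```

Two checks before blaming the module: first, as suggested above, request http://intranet.example.com/admin without ?q= and confirm Drupal answers, which proves the rewrite is active; second, drop a phpinfo() page behind the same <Location> (or temporarily widen it, as hdlverde did with /sites/default/files) and confirm the value arrives as $_SERVER['REMOTE_USER'] (typically user@EXAMPLE.COM for Kerberos, DOMAIN\user for NTLM). Because Apache populates REMOTE_USER only after its own authentication succeeds, and never from a client-supplied header, a value present there can be trusted as far as the Kerberos or NTLM exchange itself is trusted; the Drupal side only has to map it to an account.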

hdlverde

Yup, you're right...

After fixing mod_rewrite it actually fixed two issues.
The login now works, AND it fixed another problem I had (proxy related), in case anyone else might have it.

Thanks!

haydeniv

Status: Active » Closed (fixed)

That sounds great.

johnbarclay

Title: LDAP SSO module docs - how does the mod work? » LDAP SSO module docs - mod rewrite configure documentation
Version: 7.x-2.0-beta3 » 7.x-2.x-dev
Component: Code » Documentation
Category: support » task
Status: Closed (fixed) » Needs work

I'm changing this to a task. Can someone integrate this into the documentation for SSO?

haydeniv

Are we making Clean URLs a requirement for LDAP SSO then? We could almost consider this a bug report because SSO is not working with clean URLs disabled.

If not I could take on updating the documentation making clean URLs a requirement.

johnbarclay

Yes, let's make them required for SSO. A patch would be appreciated.

haydeniv

Assigned: Unassigned » haydeniv

I'm on it.

haydeniv

I updated the documentation at https://drupal.org/node/1371478 as a start. Patch still to come.

grahl

Project: Lightweight Directory Access Protocol » LDAP Single Sign On
Version: 7.x-2.x-dev » 8.x-1.x-dev
Issue summary: View changes

Review for D8.

grahl

Status: Needs work » Closed (outdated)

README.md should contain all necessary examples for D8.