Can someone tell me exactly what happens when a user hits the website and the LDAP SSO module kicks in? Our application is a company intranet - so ideally we want to have all of our users authenticate but not deny them access.
We haven't been able to pass remote_user from Apache to the browser. The value is either null or we get an undefined index error. Our environment is Linux Red Hat, Apache, Active Directory on Windows Server 2008 R2. We are using Kerberos (mod_auth_kerb php) for authentication. We've tried various overrides in the .htac
If we had a better understanding of how the module works, maybe we could determine if our issue is strictly Apache or if there is an issue with the LDAP SSO module. From what I understand, the remote_user value is not passed unless the location is protected by the "require valid user" directive. What location do we need to protect in order to force Apache to pass the remote_user variable? Is it /user/login/sso?
By the way, the LDAP portion of the module is working beautifully. So, thank you to those who have authored and contributed to this module.
Comments
Comment #1
hdlverde commented: Same situation. Interested in ANY response on this thread!
Comment #2
johnbarclay commented: Which part of the LDAP SSO documentation have you worked through?
Comment #3
hdlverde commented: Read through it all and tried several methods also found elsewhere.
First, my environment and Apache mods:
Installed on CentOS 6.3, PHP 5.3.3 and Apache 2.2.15
Trying to authenticate to a Win2008 R2 server on a 2008-based forest using NTLMv1 (obviously I would like NTLMv2 to work, but that too has failed)
Also tried the following:
Using LDAP module with mod_auth_kerb in Linux to connect to Active Directory for Single Sign On
NTLM authentication
PyAuthenNTLM2
Trying these, I only get the REMOTE_USER variable correct using PyAuthenNTLM2, but I can't get Drupal to use this to log in.
When I set my apache like this:
I only get "You were not authenticated by the server. You may log in with your credentials below."
Drupal error log: $_SERVER['REMOTE_USER'] not found
httpd error log:
[Fri May 10 09:55:59 2013] [notice] caught SIGTERM, shutting down
[Fri May 10 09:55:59 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri May 10 09:55:59 2013] [notice] Digest: generating secret for digest authentication ...
[Fri May 10 09:55:59 2013] [notice] Digest: done
[Fri May 10 09:55:59 2013] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Fri May 10 09:55:59 2013] [notice] mod_python: using mutex_directory /tmp
[Fri May 10 09:55:59 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 PHP/5.3.3 mod_python/3.3.1 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal opertions
If I change apache conf to:
I get error 310 (net::ERR_TOO_MANY_REDIRECTS) when browsing to ?q=user/login/sso
However, when browsing to the rest of the site I get "You have been successfully authenticated", but I'm not logged in as a Drupal user.
Drupal shows no new entry in log
http.log: [Fri May 10 10:06:32 2013] [notice] [client ] PYNTLM: User / has been authenticated to access URI /phpinfo.php
I used phpinfo to test variable REMOTE_USER, which is set correctly
Any idea what I have forgotten?
UPDATE:
If I set
<Location /sites/default/files>
REMOTE_USER is set on the phpinfo.php I set in that folder. Seems I'm not able to set the tag on /user/login/sso, or the rewrite is not correct?
As I understood it, using Location on that path should work?
Comment #4
haydeniv commented: /user/login/sso will only work if you have mod_rewrite configured and working properly. What happens when you go to http://yoursite.com/admin?
Do you get the admin page? If not, you need to get mod_rewrite working properly; then you should be good to go.
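The two failure modes in this thread (the "undefined index" error from the original post and comment #3, and the `<Location /user/login/sso>` block that never matched until mod_rewrite worked in comment #4) can be reproduced in a few lines of PHP. The following is an added example written for this thread; it is not code from the LDAP module. The function names, the `$server` parameter (standing in for `$_SERVER`) and the simplified Location-prefix matching are assumptions made for the example. It is written for PHP 5.3 syntax to match the environment in the thread.

```php
<?php
/**
 * Added example (not the LDAP module's own code).
 *
 * Apache only sets REMOTE_USER for requests to a location it actually
 * authenticated (e.g. one with "Require valid-user"). When mod_rewrite
 * performs an internal redirect, the value is carried over as
 * REDIRECT_REMOTE_USER instead. Reading $_SERVER['REMOTE_USER'] directly on
 * an unprotected path is what produces the "undefined index" notice.
 *
 * @param array $server  The CGI environment, normally $_SERVER (assumption).
 * @return string|null   Bare account name, or NULL when Apache did not authenticate.
 */
function sso_remote_user(array $server) {
  // Direct value first, then the copy mod_rewrite makes on internal redirects.
  foreach (array('REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key) {
    if (isset($server[$key]) && $server[$key] !== '') {
      return sso_normalize_principal($server[$key]);
    }
  }
  // Not authenticated by Apache: the caller should fall back to the login form
  // rather than treating the request as logged in.
  return NULL;
}

/**
 * Reduce "user@REALM" (Kerberos) or "DOMAIN\user" (NTLM) to the bare account
 * name, and reject anything that does not look like an account name so a
 * malformed value can never be mapped onto a Drupal account.
 */
function sso_normalize_principal($principal) {
  $name = (string) $principal;
  $at = strpos($name, '@');
  if ($at !== FALSE) {
    $name = substr($name, 0, $at);
  }
  $bs = strrpos($name, '\\');
  if ($bs !== FALSE) {
    $name = substr($name, $bs + 1);
  }
  // Conservative allow-list: letters, digits, dot, underscore, hyphen.
  if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
    return NULL;
  }
  return $name;
}

/**
 * Simplified stand-in for Apache's <Location> prefix matching (assumption:
 * real Apache matching has more rules, but the path-segment prefix rule is
 * what matters here). Shows why "?q=user/login/sso" without clean URLs never
 * hits a <Location /user/login/sso> block: the request path is just "/".
 */
function sso_location_matches($request_uri, $location) {
  $path = parse_url($request_uri, PHP_URL_PATH);
  $location = rtrim($location, '/');
  return $path === $location || strpos($path, $location . '/') === 0;
}

// Constructed sample environments standing in for $_SERVER in the three
// situations described in the thread.
$samples = array(
  'protected location, Kerberos'  => array('REMOTE_USER' => 'jdoe@CORP.EXAMPLE.COM'),
  'mod_rewrite internal redirect' => array('REDIRECT_REMOTE_USER' => 'CORP\\jdoe'),
  'unprotected location'          => array('REQUEST_URI' => '/user/login/sso'),
);
foreach ($samples as $label => $env) {
  $user = sso_remote_user($env);
  printf("%-31s => %s\n", $label, $user === NULL ? '(no REMOTE_USER; show login form)' : $user);
}

// Clean URLs on: the path matches the protected location, so Apache will
// challenge for Kerberos/NTLM and populate REMOTE_USER.
var_dump(sso_location_matches('/user/login/sso', '/user/login/sso'));      // bool(true)
// Clean URLs off: only "/" is requested and the Location block never applies.
var_dump(sso_location_matches('/?q=user/login/sso', '/user/login/sso'));   // bool(false)
```

The realm/domain stripping mirrors what the thread's setup needs when the Drupal account name is the bare sAMAccountName; if accounts are keyed on the full principal instead, skip that step and compare the whole value. The allow-list check is the part worth keeping regardless: the module should never hand an unvalidated environment string to the user lookup.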
Comment #5
hdlverde commented: Yup, you're right...
After fixing mod_rewrite, it actually fixed two issues.
The login now works, AND it fixed another problem I had, in case anyone else might have it (proxy related).
Thanks!
Comment #6
haydeniv commented: That sounds great.
Comment #7
johnbarclay commented: I'm changing this to a task. Can someone integrate this into the documentation for SSO?
Comment #8
haydeniv commented: Are we making Clean URLs a requirement for LDAP SSO then? We could almost consider this a bug report because SSO is not working with clean URLs disabled.
If not I could take on updating the documentation making clean URLs a requirement.
Comment #9
johnbarclay commented: Yes, let's make them required for SSO. A patch would be appreciated.
Comment #10
haydeniv commented: I'm on it.
Comment #11
haydeniv commented: I updated the documentation at https://drupal.org/node/1371478 as a start. Patch still to come.
Comment #12
grahl commented: Review for D8.
Comment #13
grahl commented: README.md should contain all necessary examples for D8.