Apache single sign on

Printable View

29th September 2010, 12:01 PM
danbuntu

Apache single sign on

I'm trying to get get single on for an application i've built. so far I have enabled authnz-user and mod-ldap and have the following in my vhost;

Code:

<VirtualHost *:80> ServerAdmin dan.attwood@midkent.ac.uk DocumentRoot "C:/xampplite/htdocs/test" ServerName test.midkent.ac.uk ServerAlias test.midkent.ac.uk ErrorLog "logs/moodledev.log" CustomLog "logs/moodledev-access.log" combined <Location /test2/> Order deny,allow Allow from all AuthBasicProvider ldap AuthzLDAPAuthoritative Off AuthLDAPURL "ldap://serverip:3268/ou=Staff,ou=Users OU,dc=domain,dc=ac,DC=uk?sAMAccountName?sub?(objectClass=*)" AuthLDAPBindDN "CN=dattwood,OU=ICT,OU=Support,OU=Staff,OU=Users OU,DC=domain,DC=ac,DC=uk" AuthLDAPBindPassword "mypassword" AuthType Basic AuthName "Protected" require valid-user </Location> </VirtualHost>

when I go to my test2 url I get a pop up box as expected but it refuses to take my user anme and password and let me in. I can find anything in the error or access logs that points me in the right direction. Ultimately I want this to be able to do single sign on and a quick and dirty access control method
1st October 2010, 04:09 PM
Cools

have you got samba with ntlm and kerberos all setup??? and when you wbinfo -u you see all the users ???
1st October 2010, 04:16 PM
danbuntu

It's all sat on windows I'm afraid so no samba.

I've actually got part way there with sspi. I can can protect a folder and allow access to it only if the user is a member of a specific group.

Unfortunately they get a pop up box and I can't get the single sign on bit running.
1st October 2010, 06:29 PM
Cools

what ya using wamp or just apachi..
1st October 2010, 06:33 PM
danbuntu

It's Apache installed from the exe with php and mysql. No xamppl or wamp installer this time
1st October 2010, 06:37 PM
Cools

have a look at ..
http://plone.293351.n2.nabble.com/SS...td4086748.html
1st October 2010, 06:43 PM
danbuntu

ok cool i'll give that ago when i'm back in the office on monday
4th October 2010, 09:45 AM
danbuntu

looks like I sussed it. Was was adding the site to the 'trusted site' - turns out it needs to be added to 'local intranet' then sign in is seamless.

I just to read up on grabbing the user name from the header now so that I can display it on the page and use it as a string for latter.
6th October 2010, 10:41 AM
Cools

Well done that man... might need the how to guide off you just in case... i need to set it up..
6th October 2010, 11:00 AM
danbuntu

it's one of those things which is actually really easy once you know what your doing! Below are my notes;

Apache Single sign on with Mod_sspi
Brief
To password protect one or more apache directories. This is to disallow student access to the admin functions within the MTG calculator and Risk Tracker

Step 1
Download the sspi mod from: mod_auth_sspi | Download mod_auth_sspi software for free at SourceForge.net
Unzip the folder and find the mod_atuh_sspi.so file
Copy this in the apache modules directory

Step 2
Add the following to httpd.conf to load the module;
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>

Step 3

Add the flowing to the vhost file within the virtualhost tags;
<Location /test2/ >
AuthType SSPI
AuthName "Test Login"
SSPIAuth On
SSPIAuthoritative On
SSPIDomain domain.ac.uk
SSPIOfferBasic On
SSPIOmitDomain Off
SSPIBasicPreferred On
Require group "domain\GroupName"
</Location>

Change the domain as needed and the location to the folder you want to protect
!important – the groups name can’t contain spaces!
6th October 2010, 11:51 AM
Cools

Simple.. when you know how.. lol.. thanks..