Support Incident Tracker Forum

[kalyah]

Hello,

I want to know if we can use the Single Sign-on (SSO) mode to authenticate clients ?
If not, will this feature be available in a coming version ?

Regards

[ivanlucas]

Hi Kaylah,

SiT! doesn't directly support SSO but it can be used with Reverse-proxy type single-sign-on. SiT! also supports LDAP authentication and can be used with eDirectory, openLDAP or Microsoft AD.

I don't know much about single sign on software myself, but if you have any specific questions about it maybe I can try to help.

Cheers,

Ivan

[paulvh]

I have made some modifications to our version of SiT! to Allo SSO with NTLM credentials to a Windows 2008 R2 Active Directory LDAP

Linux Config:
http://bloke.org/linux/ntlm-authenticat ... che-linux/

Apache httpd.conf setting in the Directory entry for SiT!
<Files ntlm.php>
AuthName "Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Files>


several files changed:
index.php
lib/configvars.inc.php
lib/defaults.inc.php

added:
ntlm.php
netlib.php

Once I have cleaned up the files I will make DIFs and post them here.

[Tomse]

this is pretty great... I'm going to test it when you cleaned up the code.... cheers mate

[paulvh]

Here are the files

[paulvh]

Made a few more changes so here are the updated files.

[paulvh]

Found a problem with the ntlm.php file so here is an updated one

[Tomse]

Hi Paulvh

I've tried setting up the NTLM auth.

but can't get it to corporate.

1.
I'm presented with the Basic auth screen when opening SiT! with IE9, entering correct username and password redirects me to sit/index.php?id=3 (invalid username/password)

using the same credentials again on the login screen of SiT! I get my access.
so I can see LDAP and NTLM auth both work, but somehow the auth going through from the ntlm to sit doesn't seem to work properly.

After the NTLM auth with the std IE9 username/password block, logging in as a user, and get he username/password error, I cannot login to SiT! as admin, (first NTLM auth as user and then SiT auth as admin) won't log me on.

I've used the 2 last attachments you posted, (with the ntlm.php as the last one copied).


2.
I've tried changing the allowed IP addresses from one subnet to another. lets call them 192.168.0.0/24 and 192.168.1.0/24 and the server is 192.168.0.10, and client is 192.168.0.100
allowing 192.168.0.0/24 gives the username/password error mentioned above.

allowing 192.168.1.0/24 doesn't open up for NTLM auth, thus working as NTLM isn't installed.
I looked in the code and it should give an error message when doing this.



in the apache webserver I used the <Files ntlm.php> as you described, but I'm not using

Code: Select all

<Directory />
Options FollowSymLinks Multiviews Indexes
AllowOverride All
AuthName "Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>

as described in the guide that you linked.


though Im running on FreeBSD, I don't think thats an issue.

and unfortunately I don't see anything useful in the logs.
I'll see if I can add some debugging functions to the ntlm.php file to see whats going on.
I'll post again shortly

[Tomse]

After doing some debugging, it looks like the NTLM is weird here...

$_SERVER['REMOTE_USER'] = DOMAIN+username

where you expect it to be DOMAIN\\username

fixing that makes it work.. awesome job there

I wonder how many different types there are ?

[Tomse]

Hello Paulvh

I've done some testing...
and this is embarrasing
NTLM doesn't seem to work properly on IE9 on win7 (integrated logon is active in settings)
but Firefox with it's ntlm setting enabled runs perfectly.

anyway..
There's an issue at hand where a disabled SiT user (deactivated by the way that it's been removed from the AD group), so in SiT it's disabled. but the user (or rather admin) can still logon using NTLM.

I'll provide more feedback the more I get to test it.