
#1 2018-03-28 18:03:13

Bedoui
Member
Registered: 2017-08-10
Posts: 68

Problems to Enable SSO (Kerberos) for GLPI

I am still having trouble enabling SSO (Kerberos) for GLPI. I have followed many tutorials and checked the configuration files; I doubt that it requires Apache skills.
In fact, our GLPI server is packaged into EON (CentOS 7).
I have created a user in Active Directory (not requiring Kerberos authentication).
I have generated a keytab file:

C:\Users\administrateur.GCT>ktpass -princ HTTP/eonhelpdesk.gct.com.tn@GCT.COM.TN -mapuser gct\eonhelpdesk -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass eonhelpdesk -out C:\temp\eonhelpdesk.keytab
Targeting domain controller: SRV-ADGCTGAB.GCT.COM.TN
Successfully mapped HTTP/eonhelpdesk.gct.com.tn to eonhelpdesk.
Password succesfully set!
Key created.
Output keytab to C:\temp\eonhelpdesk.keytab:
Keytab version: 0x502
keysize 73 HTTP/eonhelpdesk.gct.com.tn@GCT.COM.TN ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xf10523bec71de004153ee7ffde36c96a)

Then, after generating it, I placed it into /etc/httpd/keytab/eonhelpdesk.keytab

These settings are in /etc/httpd/conf.d/glpi.conf (I hope that's the right file):


Alias /glpi "/srv/eyesofnetwork/glpi"

<Directory /srv/eyesofnetwork/glpi>
        AuthType kerberos
        AuthName "kerberos authenticated"
        KrbAuthRealms GCT.COM.TN
        KrbServiceName  HTTP/eonhelpdesk.gct.com.tn@GCT.COM.TN
        KrbVerifyKDC on
        Krb5KeyTab /etc/httpd/keytab/eonhelpdesk.keytab
        KrbMethodNegotiate ON
        KrbMethodK5Passwd ON
        require valid-user
        Options None
        AllowOverride Limit Options FileInfo
        Require all granted
</Directory>

I checked communication based on:
kinit -k -t /etc/httpd/keytab/eonhelpdesk.keytab HTTP/eonhelpdesk.gct.com.tn
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/eonhelpdesk.gct.com.tn@GCT.COM.TN

Valid starting       Expires              Service principal
28/03/2018 16:54:48  29/03/2018 02:54:48  krbtgt/GCT.COM.TN@GCT.COM.TN
        renew until 04/04/2018 16:54:48
[root@eonhelpdesk ~]# kvno HTTP/eonhelpdesk.gct.com.tn@GCT.COM.TN
HTTP/eonhelpdesk.gct.com.tn@GCT.COM.TN: kvno = 3

That's right, without errors.



I have updated /etc/httpd/conf.d/ssl.conf by adding:

<VirtualHost _default_:443>
DocumentRoot /srv/eyesofnetwork/glpi


ServerName eonhelpdesk.gct.com.tn

Finally, I added our FQDN to the intranet zone in IE, but unfortunately that's not enough to enable SSO.

Thanks for your time

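In Apache httpd 2.4, Require lines placed directly in a section are combined as an implicit RequireAny, so a `Require all granted` next to `require valid-user` authorizes requests without ever sending an authentication challenge. The Python check below is an added example, not part of the original post: it flags that pattern in a config. The sample is abridged from the block posted above; the `audit` function and the corrected variant are assumptions of this example.

```python
import re

# Constructed sample: the <Directory> block from the post, abridged.
POSTED = """\
<Directory /srv/eyesofnetwork/glpi>
    AuthType kerberos
    KrbMethodNegotiate ON
    require valid-user
    Require all granted
</Directory>
"""
# Assumed correction: drop the blanket grant so valid-user is the only rule.
FIXED = POSTED.replace("    Require all granted\n", "")

NAMES = r"(Directory|Location|Require(?:All|Any|None))"
OPEN = re.compile(r"<" + NAMES + r"\b\s*([^>]*)>", re.I)
CLOSE = re.compile(r"</" + NAMES + r">", re.I)


def audit(conf):
    """Return sections that set AuthType yet authorize anonymous requests."""
    findings, section, stack, auth, open_grant = [], None, [], False, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m_open, m_close = OPEN.match(line), CLOSE.match(line)
        kind = (m_open or m_close).group(1).lower() if (m_open or m_close) else ""
        if m_open and not kind.startswith("require"):
            section, stack, auth, open_grant = m_open.group(2).strip(), [], False, False
        elif m_open:
            stack.append(kind)
        elif m_close and not kind.startswith("require"):
            if auth and open_grant:
                findings.append(section)
            section = None
        elif m_close:
            stack = stack[:-1]
        elif section is not None:
            words = line.lower().split()
            if words[0] == "authtype" and words[1:] != ["none"]:
                auth = True
            # Bare Require lines form one implicit <RequireAny>, so
            # "all granted" there authorizes a request that has no user.
            if words == ["require", "all", "granted"] and all(
                    c == "requireany" for c in stack):
                open_grant = True
    return findings
```

`audit(POSTED)` reports the GLPI directory, while `audit(FIXED)` reports nothing.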

#2 2018-03-29 14:48:08

Bedoui
Member
Registered: 2017-08-10
Posts: 68

Re: Problems to Enable SSO (Kerberos) for GLPI

I'm now sure that the right file is /etc/httpd/conf.d/glpi.conf, because when I changed Alias /glpi "/srv/eyesofnetwork/glpi" to Alias /glpitest "/srv/eyesofnetwork/glpi", Apache took it into account. But some tutorials mention that the path is "/usr/share/glpi"; this path does not exist for me. How do I resolve this issue? Thanks for your time and support.

