
#1 2024-10-09 09:09:20

Raltakk
Member
Registered: 2024-10-09
Posts: 1

Problem with SSO GSSAPI config

Hello everyone,

I'm posting my problem because I've been going round in circles for a week. I implemented SSO on my GLPI server and everything seems to work correctly; however, I notice that on some pages I get 400 Bad Request errors.
Example: I use the FormCreator plugin; before setting up SSO, I had already created several forms. The forms work, but when I want to edit them, the sections do appear but the questions no longer do. If I create a new one, it disappears when I save the changes. If I use Chrome DevTools, I see GET requests with status 400 Bad Request.

When I analyse the Apache logs, I see this:
[Wed Oct 09 09:00:24.391231 2024] [authz_core:debug] [pid 1284356] mod_authz_core.c(815): [client xx.xx.xx.xx:54616] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.391250 2024] [authz_core:debug] [pid 1284356] mod_authz_core.c(815): [client xx.xx.xx.xx:54616] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.391256 2024] [auth_gssapi:debug] [pid 1284356] mod_auth_gssapi.c(1005): [client xx.xx.xx.xx:54616] URI: /marketplace/formcreator/ajax/question_get.php, no main, no prev, referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.391265 2024] [auth_gssapi:info] [pid 1284356] [client xx.xx.xx.xx:54616] NO AUTH DATA Client did not send any authentication headers, referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.391291 2024] [authz_core:debug] [pid 1284356] mod_authz_core.c(815): [client xx.xx.xx.xx:54616] AH01626: authorization result of Require all granted: granted, referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.391295 2024] [authz_core:debug] [pid 1284356] mod_authz_core.c(815): [client xx.xx.xx.xx:54616] AH01626: authorization result of <RequireAny>: granted, referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.391326 2024] [auth_gssapi:debug] [pid 1284356] mod_auth_gssapi.c(838): [client xx.xx.xx.xx:54616] GSSapiImpersonate not On, skipping impersonation., referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.393097 2024] [ssl:debug] [pid 1284358] ssl_engine_kernel.c(415): [client xx.xx.xx.xx:54617] AH02034: Initial (No.1) HTTPS request received for child 3 (server domain.fr:443), referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.393182 2024] [authz_core:debug] [pid 1284358] mod_authz_core.c(815): [client xx.xx.xx.xx:54617] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.393192 2024] [authz_core:debug] [pid 1284358] mod_authz_core.c(815): [client xx.xx.xx.xx:54617] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5
[Wed Oct 09 09:00:24.393198 2024] [auth_gssapi:debug] [pid 1284358] mod_auth_gssapi.c(1005): [client xx.xx.xx.xx:54617] URI: /marketplace/formcreator/ajax/question_get.php, no main, no prev, referer: https //domain.fr/marketplace/formcreator/front/form.form.php?id=5

Here is my vhost config:

<VirtualHost *:443>
    DocumentRoot /var/www/SRVGLPI/public
    ServerName domain.fr

    <Directory "/var/www/SRVGLPI/public">
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.+)$
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]

        <If "%{HTTP_USER_AGENT} == 'GLPI-Agent_v1.4'">
            Require all granted
        </If>
        <ElseIf "%{HTTP_USER_AGENT} == 'GLPI-Agent_v1.10'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'GLPI-Agent_v1.11'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.3.0 (Linux; Android 8.1.0; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 7.0; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 8.0.0; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 9; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 10; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 11; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 12; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 13; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
        <ElseIf "%{HTTP_USER_AGENT} == 'Inventory Agent/1.4.0 (Linux; Android 14; GLPI Inventory Agent)'">
            Require all granted
        </ElseIf>
       
        # GSSAPI authentication if the noAUTO argument is not present, otherwise fall back to the login page with noAUTO
        <ElseIf "%{REMOTE_ADDR} == 'xx.xx.xx.xx' && %{QUERY_STRING} !~ /^noAUTO=1/">
            <Limit GET>
                AuthType GSSAPI
                AuthName "Authentificaton GLPI SSO"
                GssapiCredStore keytab:/etc/apache2/kerberos2.keytab
                require valid-user
                ErrorDocument 401 /index.php?noAUTO=1
                GssapiUseSessions On
                Session On
                SessionCookieName gssapi_session path=/private;httponly;secure;
                GssapiLocalName On
                GssapiNegotiateOnce on
                GssapiSSLonly On
                GssapiAllowedMech krb5
                GssapiBasicAuth On
            </Limit>
        </ElseIf>
        <Else>
            Require all granted
        </Else>
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/domain.fr_error.log
    CustomLog ${APACHE_LOG_DIR}/domain.fr_access.log combined
    LogLevel debug

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.fr/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Here is my setup:
GLPI Version: 10.0.15
FormCreator Plugin Version: 2.13.9
Server OS: Ubuntu 24.04.1
Web Server: Apache 2.4.58
AD: Windows Server 2012R2

Thanks in advance for any leads toward a solution.

Last edited by Raltakk (2024-10-09 09:10:10)
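
Added example, not part of the original post: a small triage script for a `LogLevel debug` error log like the excerpt above. It pairs each mod_auth_gssapi `NO AUTH DATA` message with the `URI:` line logged on the same pid and client connection, and counts which URIs reached the GSSAPI block without an Authorization header. The sample lines are constructed from the post's log format, and `192.0.2.10` and `/front/central.php` are placeholders.

```python
import re
from collections import Counter

# Apache 2.4 error-log line at LogLevel debug; the "file.c(NNN): " field is optional.
LINE = re.compile(
    r"^\[[^\]]+\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\S+\(\d+\): )?\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
URI = re.compile(r"^URI: (?P<uri>[^,]+),")  # mod_auth_gssapi "URI: ..." debug message


def unauthenticated_uris(lines):
    """Count, per URI, requests that mod_auth_gssapi logged as 'NO AUTH DATA'."""
    last_uri = {}  # (pid, client ip:port) -> URI last announced by mod_auth_gssapi
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["module"] != "auth_gssapi":
            continue
        key = (m["pid"], m["client"])
        u = URI.match(m["msg"])
        if u:
            last_uri[key] = u["uri"]
        elif m["msg"].startswith("NO AUTH DATA"):
            # Pair the message with the URI seen on the same process and connection.
            hits[last_uri.pop(key, "<unknown>")] += 1
    return hits


# Constructed sample lines modelled on the excerpt in the post (placeholder client address).
TS, C = "[Wed Oct 09 09:00:24.391231 2024]", "[client 192.0.2.10:"
AJAX = "URI: /marketplace/formcreator/ajax/question_get.php, no main, no prev"
NOAUTH = "NO AUTH DATA Client did not send any authentication headers"
SAMPLE = [
    f"{TS} [authz_core:debug] [pid 1284356] mod_authz_core.c(815): {C}54616] "
    "AH01626: authorization result of Require valid-user : denied (no authenticated user yet)",
    f"{TS} [auth_gssapi:debug] [pid 1284356] mod_auth_gssapi.c(1005): {C}54616] {AJAX}",
    f"{TS} [auth_gssapi:info] [pid 1284356] {C}54616] {NOAUTH}",
    f"{TS} [ssl:debug] [pid 1284358] ssl_engine_kernel.c(415): {C}54617] AH02034: Initial (No.1) HTTPS request",
    f"{TS} [auth_gssapi:debug] [pid 1284358] mod_auth_gssapi.c(1005): {C}54617] {AJAX}",
    f"{TS} [auth_gssapi:info] [pid 1284358] {C}54617] {NOAUTH}",
    # A request that reached the module but produced no NO AUTH DATA message.
    f"{TS} [auth_gssapi:debug] [pid 1284356] mod_auth_gssapi.c(1005): {C}54620] URI: /front/central.php, no main, no prev",
]

if __name__ == "__main__":
    for uri, count in unauthenticated_uris(SAMPLE).most_common():
        print(f"{count:4d}  {uri}")
```

To run it against a real log, pass an open file handle for the vhost's error log to `unauthenticated_uris()`; lines that do not match the expected format are skipped.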
