
#1 2007-01-09 01:31:53

jimh
Member
Registered: 2007-01-09
Posts: 3

Generalized HTTPD Auth (SSO) with LDAP lookup

I have read most of the forum/wiki documents I could find about Web-type authentication in GLPI.  That includes this Wiki document: http://glpi-project.org/wiki/doku.php?id=fr:authautoad  and a long forum thread en Francais (I did my best!!): http://www.glpi-project.org/forum/viewtopic.php?id=1397

We utilize PubCookie (www.pubcookie.org) for authentication and this allows us to use REMOTE_USER variable to control access to many intranet applications.  We also have a departmental LDAP directory that can supply additional user information (like email) to our applications.  I was able to configure GLPI to use LDAP and retrieve LDAP user information, but I want to use Pubcookie REMOTE_USER for HTTPD SSO-style authentication, but then look up LDAP details.

For fun, I started to dig this tunnel from the other side of the mountain -- modifying the external authentication setup menu to include SSO.  So now my setup menu includes a SSO section:

/*********** menu addition **************/
SSO may be used alone for auth or in combination with LDAP (to provide additional user info)

SSO/Webauth Configuration
Enable SSO __   
Use LDAP to populate new account information __
/*********************************************/

"Enable SSO" would turn on use of REMOTE_USER -- trust REMOTE_USER and do not require sign-on password; "Use LDAP" would be option where you tell GLPI to fetch other details from LDAP based on REMOTE_USER.  Presently, I use an external file to satisfy "valid user", but you could extend LDAP settings to allow no-password authorization against LDAP.

In some of the earlier threads, I see a lot of discussion about the different Web server auth modules used to generate authentication info.  I also find a lot of discussion of "works on IE but not Firefox" or "works on Firefox but not IE".  I also see specific references about making this work with specific modules like SSPI, like so:

AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    ......

Is it not possible to implement this more generically so that GLPI does not have to be concerned with Web server module implementation details? 

I mean, set "Enable (WebAuth) SSO" to "yes" and let module evaluate whether REMOTE_USER is set regardless of what specific Web server module set it. 

I may just be reacting to the AD/Windows oriented nature of the Wiki document, but I think this would be something that would be worth thinking of more generically.  I *really* do not understand why anyone should have to worry about browser specifics to make a generic HTTPD auth work, yet I see a lot of discussion on that subject.  But I may be naive.  And my French comprehension is very poor!  Anyhow, I am digging the tunnel from the other side of the Alps.  So, now all I have to do is make it work :)

Jim


#2 2007-02-20 00:22:40

dj
Member
From: Germany
Registered: 2007-02-16
Posts: 21

Re: Generalized HTTPD Auth (SSO) with LDAP lookup

I believe the only method to make HTTP authentication generic would be to use GSSAPI and SPNEGO. While surely possible, it would again need authentication modules, require browser support and restrict the available authentication methods. I have done a short writeup based on the French article you refer to which deals with NTLM authentication. This one is available in IE as well as in Firefox but obviously will not help you with your specific problem very much.

BTW - what all the patches actually do is "implementing" HTTP authentication by just short-circuiting the auth checks whenever $_SERVER["REMOTE_USER"] is defined. So, you could use it with any HTTP auth mechanism you might be able to configure on your targets.


dj
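
The short-circuit on `$_SERVER["REMOTE_USER"]` described in post #2 is what would make a module-independent "Enable SSO" switch work, and it is also where the trust decision sits. The following is an added example, not code from either poster or from GLPI, of such a check followed by the LDAP filter for the lookup; the function names, the `$cfg` keys, the `uid` attribute and the sample values are assumptions.

```php
<?php
// Added example, not GLPI code. Function names and $cfg keys are hypothetical.
function sso_ldap_escape(string $v): string   // RFC 4515 search-filter escaping
{
    return str_replace(['\\', '*', '(', ')', "\0"], ['\\5c', '\\2a', '\\28', '\\29', '\\00'], $v);
}

// Returns the login asserted by the web server, or null to fall back to the password form.
function sso_remote_login(array $server, array $cfg): ?string
{
    if (empty($cfg['sso_enabled'])) {
        return null;                       // never short-circuit unless switched on
    }
    // Only the variable set by the server's auth module counts. A client-sent
    // "Remote-User" request header arrives as HTTP_REMOTE_USER and is ignored.
    $raw = $server['REMOTE_USER'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $realm = '';
    $login = $raw;                         // plain name, no realm attached
    if (preg_match('/^([^\\\\]+)\\\\(.+)$/', $raw, $m)) {      // DOMAIN\user form
        [$realm, $login] = [$m[1], $m[2]];
    } elseif (preg_match('/^([^@]+)@(.+)$/', $raw, $m)) {      // user@REALM form
        [$login, $realm] = [$m[1], $m[2]];
    }
    // The same login name in a realm we do not know is a different person.
    if ($realm !== '' && !in_array(strtolower($realm), $cfg['sso_realms'] ?? [], true)) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $login) ? $login : null;
}

function sso_ldap_filter(string $login, string $attr = 'uid'): string
{
    return sprintf('(%s=%s)', $attr, sso_ldap_escape($login));
}

// Constructed inputs standing in for $_SERVER under different auth modules.
$cfg = ['sso_enabled' => true, 'sso_realms' => ['corp']];
$samples = [
    ['REMOTE_USER' => 'jimh'],                // plain name: accepted
    ['REMOTE_USER' => 'CORP\\jimh'],          // known domain: accepted
    ['REMOTE_USER' => 'jimh@OTHER.EXAMPLE'],  // unknown realm: rejected
    ['HTTP_REMOTE_USER' => 'admin'],          // client header only: rejected
    ['REMOTE_USER' => 'x)(uid=*'],            // filter metacharacters: rejected
];
foreach ($samples as $server) {
    $login = sso_remote_login($server, $cfg);
    echo json_encode($server), ' => ', $login === null ? 'password login' : sso_ldap_filter($login), "\n";
}
```

This check is only as strong as the web server configuration: every path that reaches the application has to pass through the auth module, otherwise `REMOTE_USER` is simply unset and the password form must remain the fallback.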
