You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

#1 2017-04-04 10:12:45

GoempieK
Member
Registered: 2016-07-01
Posts: 72

sso glpi

I am trying to enable single sign on in glpi

Server is ubuntu 14.04.
Glpi version 9.1.2


Configuration i followed

https://www.johnthedeveloper.co.uk/sing … php-ubuntu
+
http://forum.glpi-project.org/viewtopic.php?id=33381

My configuration

<VirtualHost *:80>
Alias /glpi /usr/share/glpi

        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName glpi.clarebout.com

        ServerAdmin webmaster@localhost
        DocumentRoot /usr/share/glpi


        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/glpinieuwerror.log
        CustomLog ${APACHE_LOG_DIR}/glpinieuwaccess.log combined
        <Directory /usr/share/glpi>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
                Allow from all
        </Directory>
<IfModule !auth_kerb_module>
  <Directory "/usr/share/glpi">
   Require all denied
  </Directory>
 </IfModule>

 <IfModule auth_kerb_module>
  <Directory "/usr/share/glpi">
   AuthType Kerberos
   AuthName "glpi"
   Krb5Keytab /etc/kerberos.keytab
   KrbAuthRealms clarebout.local
   Require valid-user
  </Directory>
 </IfModule>
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Error

[auth_kerb:error] [pid 10553] [client 10.20.96.161:64193] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/localhost@)

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at webmaster@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Anybody have an idea why its not working?

Offline

#2 2017-04-06 14:38:26

GoempieK
Member
Registered: 2016-07-01
Posts: 72

Re: sso glpi

Nobody who has any experience with this?

Offline

#3 2017-04-14 23:47:14

LucaC
Member
Registered: 2012-04-10
Posts: 44

Re: sso glpi

Sure you registered the SPN for your server?

Offline

#4 2017-04-18 09:01:52

GoempieK
Member
Registered: 2016-07-01
Posts: 72

Re: sso glpi

Do you mean craeting a keytab?
I created a keytab with this command on the active directory server.

I alltered the login info.

ktpass -princ HTTP/alpha.ncl.johnthedeveloper.co.uk@NCL.JOHNTHEDEVELOPER.CO.UK -mapuser kerberos@NCL.JOHNTHEDEVELOPER.CO.UK -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos.keytab

Offline

#5 2017-04-18 16:19:02

small75
Member
From: Russia
Registered: 2016-06-27
Posts: 8

Re: sso glpi

KrbAuthRealms clarebout.local
must be identical domain for alpha.ncl.johnthedeveloper.co.uk@NCL.JOHNTHEDEVELOPER.CO.UK

must be:
KrbAuthRealms NCL.JOHNTHEDEVELOPER.CO.UK
and
KrbServiceName HTTP/alpha.ncl.johnthedeveloper.co.uk@NCL.JOHNTHEDEVELOPER.CO.UK

Offline

#6 2017-04-20 14:19:05

GoempieK
Member
Registered: 2016-07-01
Posts: 72

Re: sso glpi

I'm sorry i just copyed the command from the guide.

The command i used to create the keytab was this:

ktpass -princ HTTP/glpi@clarebout.local -mapuser glpi@clarebout.local -pass xxxx -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\tmp\kerberos.keytab

Offline

#7 2017-04-20 16:32:59

small75
Member
From: Russia
Registered: 2016-06-27
Posts: 8

Re: sso glpi

try
-crypto ALL -ptype KRB5_NT_SRV_HST +rndpass -out c:\keytab.it

Offline

#8 2017-04-21 10:57:06

GoempieK
Member
Registered: 2016-07-01
Posts: 72

Re: sso glpi

Ok when i try this i get this screen:

61feb68830794187a7ce3e3c8ef99989.png

Then i enter my ad credentials glpi then proceeds to this screen.

50640c0e59bc470f9c2ff5454e2d729f.png

Offline

#9 2017-04-24 08:58:52

small75
Member
From: Russia
Registered: 2016-06-27
Posts: 8

Re: sso glpi

may be this?
2rqD0MThJ9.jpg

Offline

#10 2017-05-04 09:48:12

GoempieK
Member
Registered: 2016-07-01
Posts: 72

Re: sso glpi

We are making progress.
Now when we go to our glpi we get this login screen.
b72560527ead46bb8df89f608914380f.png
There we can login with our active directory login and passwd.
I allready added the url to the intranet zone.

What should i do to bypass the login and passwd screen?
Thx

Offline

#11 2017-05-04 12:42:20

small75
Member
From: Russia
Registered: 2016-06-27
Posts: 8

Re: sso glpi

i'm used this article (sorry, but article in russian lang)
http://docs.ipi-manager.ru/Administrato … ry/Apache/

after this steps in GLPI
Setup/Authentication/Others/Other authentication sent in the HTTP request
Field storage of the login in the HTTP request: REMOTE_USER

Offline

#12 2018-05-15 03:38:04

general2000vn
Member
Registered: 2013-09-18
Posts: 2

Re: sso glpi

Hi small75,

Did you get your GLPI working with SSO Kerberor?

Offline

Board footer

Powered by FluxBB