SSO/LDAP on Joomla running on Ubuntu Linux

If you have a Joomla site on your Windows domain you may want users to be logged in automatically. This is done with a plugin called JMapMyLDAP. I thought this would be quite easy, but I was very wrong. I will try to describe the steps I took to make this work. What you end up with is that when you open the browser you are logged in by default. It is done in two steps: the first is configuring Linux, the second Joomla.

I assume you already have:

  • A Linux LAMP server
  • An Active Directory domain and administrative access to its domain controller
  • Some knowledge of Windows, Joomla and Linux

Part 1 – Linux

1. Create an account in your Active Directory. It can be called whatever you want; I used kerberos. This is the service account the HTTP principal will be mapped to later.

2. Open a shell on your Linux server via SSH and run:

sudo apt-get install apache2-mpm-prefork libapache2-mod-auth-kerb krb5-config krb5-clients krb5-user smbclient openntpd

This installs the things you will need. (The Samba net command used below ships in the samba-common-bin package on Ubuntu; the Ubuntu name of the Samba client package is smbclient.)

3. Make sure you have working NTP on your Linux server. Edit /etc/ntp.conf as below, pointing the server line at your domain controller. This is VERY important: if the clocks are not synchronized, Kerberos does not work. Check the date on both the AD server and the Linux server so it is the same. (The file below belongs to the ntp package; if you run openntpd instead, its configuration is /etc/openntpd/ntpd.conf and takes the same server keyword.)

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server mydc.domain.local
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org

4. Edit /etc/krb5.conf:

[libdefaults]
    default_realm = DOMAIN.LOCAL
    kdc_timesync = 1
    default_keytab_name = FILE:/etc/krb5.keytab

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]

    DOMAIN.LOCAL = {
        kdc = mydc.domain.local:88
        master_kdc = mydc.domain.local:88
        admin_server = mydc.domain.local
        default_domain = domain.local
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = kerberos.andrew.cmu.edu
        kdc = kerberos2.andrew.cmu.edu
        kdc = kerberos3.andrew.cmu.edu
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
[login]
    krb4_convert = true
    krb4_get_tickets = false


5. Run kinit for a domain account and make sure it works. After the password prompt it should return silently, without any error.

sudo kinit Administrator
Password for Administrator@DOMAIN.LOCAL:

6. Run klist and make sure it shows the ticket-granting ticket you just obtained.

admin@linuxserver:/etc$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Kerberos@DOMAIN.LOCAL

Valid starting       Expires              Service principal
2014-09-26 15:27:57  2014-09-27 01:27:57  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 2014-09-27 15:27:50
admin@linuxserver:/etc$

7. When Kerberos is working, configure Samba. The [global] section of /etc/samba/smb.conf should contain the following:

netbios name = thenameofthelinuxserver
realm = DOMAIN.LOCAL
security = ADS
encrypt passwords = yes
password server = mydc.domain.local
workgroup = LOCAL

8. Join the domain:

linuxserver:~# net ads join -U Administrator
Using short domain name -- DOMAINLOCAL
Joined 'linuxserver' to realm 'domain.local'

9. Now you can create the keytab in one of two ways. I had problems with the Samba way, but it could be because my clock was unsynchronized. I also lacked the HTTP SPN in the keytab file. But it may be added later for you.

A/ The SMB Way

www:~# net ads keytab add HTTP -U administrator
Processing principals to add...
Enter administrator's password:

If the HTTP principal does not show up, you may have to write the full principal name instead. This is what I did.

net ads keytab add HTTP/linuxservername.domain.local@DOMAIN.LOCAL

There should now be service principals for HTTP/linuxserver.domain.local in the keytab.

Verify with ktutil:

linuxserver:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   19            HTTP/linuxserver.domain.test@DOMAIN.LOCAL
   2   19            HTTP/linuxserver.domain.test@DOMAIN.LOCAL
   3   19            HTTP/linuxserver.domain.test@DOMAIN.LOCAL
   4   19                        HTTP/linuxserver@DOMAIN.LOCAL
   5   19                        HTTP/linuxserver@DOMAIN.LOCAL
   6   19                        HTTP/linuxserver@DOMAIN.LOCAL

Restrict the permissions so that root and the Apache user (group www-data) can read the keytab but nobody else can. The keytab is a credential for the HTTP service, so it must not be world-readable.

linuxserver:~# chmod 740 /etc/krb5.keytab
linuxserver:~# chgrp www-data /etc/krb5.keytab

B/ The Windows way

You can create the keytab on the AD server as well and copy it to the Linux server afterwards. Replace /etc/krb5.keytab with it so you do not have to change the other config files. Here -princ is the HTTP SPN of the Linux web server (the same name that ends up in the keytab with the SMB method) and -mapUser is the account from step 1. Note that ktpass with -pass and -mapOp set resets that account's password to the value given, which is one reason to use a dedicated account. RC4-HMAC-NT is the legacy encryption type; if your domain controllers and clients support it, AES256-SHA1 is the stronger choice.

ktpass -out C:\tmp\krb5.keytab -princ HTTP/linuxserver.domain.local@DOMAIN.LOCAL -mapUser myaccountname@domain.local -mapOp set -pass 5a51z9gr! -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

I used the command setspn to add HTTP. Maybe you will have to do this even if you use the SMB method, if HTTP is not added. Listing the SPNs registered on the account or computer shows whether HTTP/linuxserver.domain.local is among them; setspn -A adds it if it is missing:

setspn -l myserver.mydomain.local
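The three things that most often break this setup are covered in steps 3 and 9: clock skew against the domain controller, a keytab without the HTTP principal for the web server's host name, and keytab permissions that are either too open or unreadable by Apache. The following POSIX shell script is an added example written for this write-up; it is not the original author's code. It assumes the names used above (mydc.domain.local as the DC, www-data as the Apache group, /etc/krb5.keytab), that ntpdate is installed, and that `ntpdate -q` prints an "offset <seconds>" field, which is an assumption about its output format. Run it as `sh sso-preflight.sh check` on the web server; without an argument it exercises the checks against a constructed klist sample.

```shell
#!/bin/sh
# sso-preflight.sh: sanity checks for the Kerberos/keytab setup described above.
# Added example for this write-up, not the original author's code.
# Assumed names (change to match your domain): KEYTAB, DC, WEB_GROUP.
set -u

KEYTAB=/etc/krb5.keytab
DC=mydc.domain.local
WEB_GROUP=www-data
MAX_SKEW=300   # Kerberos rejects tickets once clocks differ by more than 5 minutes

# has_http_spn "<klist -k output>" <fqdn>
# Succeeds when the keytab lists an HTTP/<fqdn>@REALM principal.
has_http_spn() {
    printf '%s\n' "$1" | grep -q "HTTP/$2@"
}

# perms_ok <octal mode> <group>
# The keytab is a credential: "other" must have no access, and the group
# must be the web server's group so that Apache can still read it.
perms_ok() {
    other=$(printf '%s' "$1" | tail -c 1)
    [ "$other" = "0" ] && [ "$2" = "$WEB_GROUP" ]
}

# skew_ok <offset in seconds, may be negative>
# Succeeds when the absolute clock offset is inside the Kerberos tolerance.
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN { if (off < 0) off = -off; exit !(off < max) }'
}

# Run the checks against the live system.
main() {
    fqdn=$(hostname -f)
    rc=0
    if has_http_spn "$(klist -k "$KEYTAB")" "$fqdn"; then
        echo "ok:   keytab has HTTP/$fqdn"
    else
        echo "FAIL: no HTTP/$fqdn principal in $KEYTAB (re-run net ads keytab add, or ktpass)"; rc=1
    fi
    if perms_ok "$(stat -c '%a' "$KEYTAB")" "$(stat -c '%G' "$KEYTAB")"; then
        echo "ok:   keytab permissions $(stat -c '%a %U:%G' "$KEYTAB")"
    else
        echo "FAIL: keytab must be mode 640 or 740 with group $WEB_GROUP"; rc=1
    fi
    # ntpdate -q prints "offset <seconds>" for the queried server (assumed format).
    off=$(ntpdate -q "$DC" 2>/dev/null | grep -o 'offset [-0-9.]*' | head -n 1 | cut -d' ' -f2)
    if [ -n "$off" ] && skew_ok "$off"; then
        echo "ok:   clock offset to $DC is ${off}s"
    else
        echo "FAIL: clock offset to $DC is '${off:-unknown}' (fix NTP before anything else)"; rc=1
    fi
    return $rc
}

# Constructed sample of "klist -k" output, used when no argument is given.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  19 HTTP/linuxserver.domain.local@DOMAIN.LOCAL
  19 HTTP/linuxserver@DOMAIN.LOCAL'

selftest() {
    has_http_spn "$SAMPLE_KLIST" linuxserver.domain.local &&
    ! has_http_spn "$SAMPLE_KLIST" otherhost.domain.local &&
    perms_ok 740 www-data && ! perms_ok 744 www-data && ! perms_ok 740 root &&
    skew_ok -120 && ! skew_ok 600
}

case "${1:-}" in
    check) main ;;
    *) selftest && echo "self-test passed (run with 'check' on the web server)" ;;
esac
```

The principal check uses the host's FQDN because that is what browsers put in the service ticket request; if hostname -f does not return the name users type into the address bar, the SPN in the keytab will not match no matter how the keytab was generated.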

10. Make sure the module is enabled, and reload Apache afterwards so the change takes effect:

a2enmod auth_kerb


11. Change /etc/apache2.conf (or, more commonly on Ubuntu, the site's file under /etc/apache2/sites-available/) so that the Joomla directory looks something like this. KrbMethodK5Passwd On lets Apache fall back to Basic authentication and prompt for the password when the browser has no ticket; since that sends the password itself, it is only acceptable over HTTPS.


<Directory /var/www/html/joomla>
        Options Indexes FollowSymLinks
        AllowOverride None
        #Require all granted
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.LOCAL
        KrbServiceName HTTP
        Krb5KeyTab /etc/krb5.keytab
        require valid-user
</Directory>

Part 2 – Joomla

You can start by configuring Joomla if you want to, but I think it is better to do this as the second step. There are two versions of the plugin. I used 1.0, as my Joomla site was 1.7. There are detailed instructions for the plugin at the link below, so I will just give you some tips on the settings I used.

http://shmanic.com/tools/jmapmyldap/documentation/ver-1-guide.htm

1. Start by downloading and installing the plugin files, then enable them.

2. Before configuring the plugins, it is smart to find LDAP settings that actually work. Download the LDAP test script from the link below.

http://shmanic.com/tools/jmapmyldap/documentation/ver-1-auth-debug-method.htm

This is most likely where problems will show up. The connect user is the account the plugin binds to AD with; it only needs to read the directory, so use a dedicated low-privilege account rather than an administrator. The settings I used were:

Connect user:   domain\username
Use search:     yes
Base DN:        dc=domain,dc=local
Use DN filter:  (sAMAccountName=[username])
Map user ID:    sAMAccountName
Map full name:  name


When this works configure the plugins in Joomla.

3. Also make sure that REMOTE_USER appears among the PHP variables in Joomla (Site > System Information). If it does not, something is wrong with the Kerberos settings and SSO will not work. Check the Apache error log to see what might be wrong.

[Screenshot: REMOTE_USER listed in Joomla's PHP information]
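When REMOTE_USER is missing, the quickest way to see which side is at fault is to look at what Apache actually sends for the Joomla directory. The script below is an added example for this write-up, not the original author's or the plugin's code. It assumes the site URL in SITE_URL (linuxserver.domain.local is a placeholder) and that curl was built with GSS-API support, which the Ubuntu package is. An anonymous request must get a 401 carrying WWW-Authenticate: Negotiate, otherwise no browser will ever send a ticket; a request with a ticket in the cache (after kinit) must get 200, and only then does mod_auth_kerb set REMOTE_USER for PHP. It also reports whether the Basic fallback from KrbMethodK5Passwd is offered over plain HTTP. Run it as `sh sso-handshake.sh check`; without an argument it runs against constructed response headers.

```shell
#!/bin/sh
# sso-handshake.sh: check the Negotiate challenge and ticket acceptance for the
# Joomla directory. Added example for this write-up, not the original author's
# code. Assumes the site URL below (placeholder) and curl with GSS-API support.
set -u

URL=${SITE_URL:-http://linuxserver.domain.local/joomla/}   # assumed site URL

# negotiate_offered "<response headers>"
# The 401 must advertise Negotiate, or browsers never attempt Kerberos.
negotiate_offered() {
    printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: *Negotiate'
}

# basic_offered "<response headers>"
# KrbMethodK5Passwd On makes Apache also offer Basic, i.e. the password
# itself can be sent; that is only acceptable over HTTPS.
basic_offered() {
    printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: *Basic'
}

# status_code "<response headers>": HTTP status of the (last) response.
status_code() {
    printf '%s\n' "$1" | awk '/^HTTP\//{code=$2} END{print code}'
}

main() {
    # Anonymous request: expect 401 with a Negotiate challenge.
    anon=$(curl -sS -o /dev/null -D - "$URL")
    code=$(status_code "$anon")
    if [ "$code" = "401" ] && negotiate_offered "$anon"; then
        echo "ok:   $URL challenges with Negotiate"
    else
        echo "FAIL: status '$code' without a Negotiate challenge; check mod_auth_kerb and the <Directory> block"
        return 1
    fi
    if basic_offered "$anon"; then
        case "$URL" in
            https://*) echo "note: Basic fallback is offered (over HTTPS)" ;;
            *) echo "WARN: Basic fallback is offered over plain HTTP; passwords would travel unencrypted" ;;
        esac
    fi
    # With a TGT in the cache (kinit), curl completes the SPNEGO exchange.
    auth=$(curl -sS -o /dev/null -D - --negotiate -u : "$URL")
    code=$(status_code "$auth")
    if [ "$code" = "200" ]; then
        echo "ok:   ticket accepted; REMOTE_USER should now be set for PHP"
    else
        echo "FAIL: status '$code' with a ticket; compare the SPN in the keytab with the host name in $URL"
        return 1
    fi
}

# Constructed 401 response headers, as mod_auth_kerb sends them with both
# KrbMethodNegotiate and KrbMethodK5Passwd enabled.
SAMPLE_401='HTTP/1.1 401 Unauthorized
Date: Fri, 26 Sep 2014 13:30:00 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Type: text/html; charset=iso-8859-1'

selftest() {
    [ "$(status_code "$SAMPLE_401")" = "401" ] &&
    negotiate_offered "$SAMPLE_401" && basic_offered "$SAMPLE_401"
}

case "${1:-}" in
    check) main ;;
    *) selftest && echo "self-test passed (run with 'check' against the site)" ;;
esac
```

A 401 without Negotiate usually means auth_kerb is not loaded or the <Directory> block does not apply to the path; a 401 that persists with a ticket usually means the SPN in the keytab does not match the host name in the URL, or the clocks are out of sync.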


4. Also make sure your clients support Kerberos authentication. In Internet Explorer this should work out of the box, provided the site is in the Local intranet zone, so you may have to add it there. In Mozilla Firefox you may have to change some settings described in the links below (the site must be listed in network.negotiate-auth.trusted-uris).

5. Configure the SSO plugin in Joomla as well. When done, everything should work and you should be able to log in automatically. Something I noticed is that you may have to restart your computer after you added the HTTP SPN on your AD server. It seems the settings need to be refreshed on the client.

I used instructions from these sites; however, I had to modify them a little.

http://acksyn.org/blog/2009/05/24/active-directory-and-apache-kerberos-authentication/
http://shmanic.com/tools/jmapmyldap/documentation/ver-1-guide.htm