If you have a Joomla site on your Windows domain you may want users to be logged in automatically. This is done with a plugin called JMapMyLDAP. I thought this would be quite easy but I was very wrong. I will try to describe the steps I took to make this work. What you end up with is that when you open the browser you are logged in by default. It is done in two steps. The first is configuring Linux and the second Joomla.
I assume you already have:
- A Linux LAMP server
- An Active Directory and access to the server
- Some knowledge about Windows, Joomla and Linux
Part 1 – Linux
1. Create an account in your Active Directory. It can be called whatever you want. I used kerberos.
2. Open a shell on your Linux server via SSH and run:
apt-get install apache2-mpm-prefork libapache2-mod-auth-kerb krb5-config krb5-clients krb5-user samba-client openntpd
This will install the things you will need.
3. Make sure you have a working NTP on your Linux server. Edit /etc/ntp.conf as shown below. This is VERY important. If the clock is not synchronized it does not work. Check the date on both the AD server and the Linux server so it is the same.
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
# Sync from the domain controller so the clock matches the Kerberos KDC.
server mydc.domain.local
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org
4. Edit /etc/krb5.conf:
[libdefaults]
    default_realm = DOMAIN.LOCAL
    kdc_timesync = 1
    default_keytab_name = FILE:/etc/krb5.keytab

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.LOCAL = {
        kdc = mydc.domain.local:88
        master_kdc = mydc.domain.local:88
        admin_server = mydc.domain.local
        default_domain = domain.local
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = kerberos.andrew.cmu.edu
        kdc = kerberos2.andrew.cmu.edu
        kdc = kerberos3.andrew.cmu.edu
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false
5. Run kinit and make sure it works. After the password prompt it should just return to the prompt with no output.
sudo kinit Administrator
Password for Administrator@DOMAIN.LOCAL:
6. Run klist and make sure it works.
admin@linuxserver:/etc$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Kerberos@DOMAIN.LOCAL

Valid starting       Expires              Service principal
2014-09-26 15:27:57  2014-09-27 01:27:57  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 2014-09-27 15:27:50
admin@linuxserver:/etc$
7. When Kerberos is working, configure Samba. The file /etc/samba/smb.conf should contain the following:
netbios name = thenameofthelinuxserver
realm = DOMAIN.LOCAL
security = ADS
encrypt passwords = yes
password server = mydc.domain.local
workgroup = LOCAL
8. Join the domain
linuxserver:~# net ads join -U Administrator
Using short domain name -- DOMAINLOCAL
Joined 'linuxserver' to realm 'domain.local'
9. Now you can create the keytab in two ways. I had problems with the Samba way, but it could be because my clock was unsynchronized. I also lacked the HTTP principal in the keytab file, but it may be added for you later.
A/ The SMB Way
www:~# net ads keytab add HTTP -U administrator
Processing principals to add...
Enter administrator's password:
If the HTTP principal does not show up, you may have to write the full principal instead. This is what I did.
net ads keytab add HTTP/linuxservername.domain.local@DOMAIN.LOCAL
There should now be service principals for HTTP/linuxserver.domain.local.
Verify with:
linuxserver:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   19 HTTP/linuxserver.domain.test@DOMAIN.LOCAL
   2   19 HTTP/linuxserver.domain.test@DOMAIN.LOCAL
   3   19 HTTP/linuxserver.domain.test@DOMAIN.LOCAL
   4   19 HTTP/linuxserver@DOMAIN.LOCAL
   5   19 HTTP/linuxserver@DOMAIN.LOCAL
   6   19 HTTP/linuxserver@DOMAIN.LOCAL
Set permissions so that Apache (the www-data group) can read the keytab:
linuxserver:~# chmod 740 /etc/krb5.keytab
linuxserver:~# chgrp www-data /etc/krb5.keytab
B/ The Windows way
You can create the keytab on the AD server as well and later copy it to the Linux server. Replace /etc/krb5.keytab with it so you do not have to change the other config files.
ktpass -out C:\tmp\krb5.keytab -princ HTTP/myaccountname.domain.local@DOMAIN.LOCAL -mapUser myaccountname@domain.local -mapOp set -pass 5a51z9gr! -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
I used the setspn command to add the HTTP SPN to the account. You may have to do this even if you use the Samba method, if HTTP was not added. To list the SPNs registered for the server, run:
setspn -l myserver.mydomain.local
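A check for step 9 that I add here (it is not part of the original post or of any tool mentioned): it parses the ktutil listing shown above and verifies that the keytab holds the HTTP principal for the server's fully qualified name, since an entry for the short host name alone is the usual reason the HTTP principal "does not show up". The listing, host name and realm are constructed sample values.

```python
import re

# Constructed sample of the `ktutil` listing (rkt /etc/krb5.keytab, then l)
# from step 9, with each principal on one line.
SAMPLE_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   19 HTTP/linuxserver.domain.local@DOMAIN.LOCAL
   2   19 HTTP/linuxserver.domain.local@DOMAIN.LOCAL
   3   19 HTTP/linuxserver.domain.local@DOMAIN.LOCAL
   4   19 HTTP/linuxserver@DOMAIN.LOCAL
   5   19 HTTP/linuxserver@DOMAIN.LOCAL
   6   19 HTTP/linuxserver@DOMAIN.LOCAL
"""

# slot, KVNO, principal; the header and separator lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_listing(text):
    """Return (kvno, principal) tuples from the output of ktutil's `l` command."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(2)), m.group(3)))
    return entries


def check_http_principal(text, fqdn, realm):
    """Report whether the keytab holds HTTP/<fqdn>@<REALM>.

    The browser asks the KDC for a ticket to HTTP/<host name in the URL>, so
    the fully qualified entry is the one mod_auth_kerb needs; entries for the
    short host name alone are not enough. The KVNO is returned so it can be
    compared with the account's msDS-KeyVersionNumber in AD: a keytab made
    before a password reset of the account keeps the old KVNO and stops working.
    """
    wanted = "HTTP/%s@%s" % (fqdn.lower(), realm.upper())
    http_entries = [(k, p) for k, p in parse_listing(text) if p.startswith("HTTP/")]
    kvnos = sorted({k for k, p in http_entries if p == wanted})
    return {
        "fqdn_entry_present": bool(kvnos),
        "short_name_only": bool(http_entries) and not kvnos,
        "kvnos": kvnos,
    }
```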
10. Make sure the module is loaded by running:
a2enmod auth_kerb
11. Change /etc/apache2.conf. It should look something like this. Note that KrbMethodK5Passwd On lets a browser that cannot do Negotiate fall back to a password prompt, in which case the domain password is sent to Apache as Basic authentication, so serve the site over HTTPS if you keep it on.
<Directory /var/www/html/joomla>
    Options Indexes FollowSymLinks
    AllowOverride None
    #Require all granted
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.LOCAL
    KrbServiceName HTTP
    Krb5KeyTab /etc/krb5.keytab
    require valid-user
</Directory>
Part 2 – Joomla
You can start with configuring Joomla if you want to, but I think it is better to do this as a second step. There are two versions of the plugin. I used version 1.0 since my Joomla site was 1.7. There are detailed instructions for the plugin at the link below, so I will just give you some tips on the settings I used.
http://shmanic.com/tools/jmapmyldap/documentation/ver-1-guide.htm
1. Start by downloading and installing the plugin files. Activate them.
2. Before starting to configure the plugins it might be smart to find the LDAP settings that actually work. Download the LDAP test script from the link below.
http://shmanic.com/tools/jmapmyldap/documentation/ver-1-auth-debug-method.htm
This is most likely what will be causing problems. The settings I used were:
Connect user: domain\username
Use search: yes
Base DN: dc=domain,dc=local
Use DN Filter: (sAMAccountName=[username])
Mapuserid: sAMAccountName
Mapfullname: name
When this works configure the plugins in Joomla.
3. Also make sure that you get the value REMOTE_USER in the PHP settings in Joomla (site information). If you do not get this value there is something wrong with the Kerberos settings, and it will not work. Check the Apache log files to see what might be wrong.
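As an added example (mine, not JMapMyLDAP's code), this shows what a plugin has to do with the REMOTE_USER value from step 3 before it can use the DN filter from step 2: strip the realm, refuse principals from any realm other than the one mapped to this directory, and escape the name before substituting it for [username], so a stray "*" or "(" in the value cannot change the LDAP query. The REMOTE_USER value, realm and template are constructed sample values.

```python
# Constructed sample of what mod_auth_kerb exposes to PHP after a successful
# Negotiate exchange: the Kerberos principal, user@REALM.
SAMPLE_REMOTE_USER = "jdoe@DOMAIN.LOCAL"
EXPECTED_REALM = "DOMAIN.LOCAL"
# The DN filter from the plugin settings above; [username] is the placeholder.
DN_FILTER_TEMPLATE = "(sAMAccountName=[username])"

# RFC 4515 escapes for the characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_remote_user(remote_user, expected_realm=EXPECTED_REALM):
    """Split 'user@REALM' into the user part, refusing other realms.

    Apache has already verified the ticket, but two realms can contain the
    same user name, so only principals from the realm that is mapped to the
    LDAP directory are accepted.
    """
    if "@" not in remote_user:
        raise ValueError("REMOTE_USER has no realm: %r" % remote_user)
    user, realm = remote_user.rsplit("@", 1)
    if not user:
        raise ValueError("REMOTE_USER has an empty user part")
    if realm.upper() != expected_realm.upper():
        raise ValueError("REMOTE_USER is from realm %r, not %r" % (realm, expected_realm))
    return user


def build_dn_filter(remote_user, template=DN_FILTER_TEMPLATE, expected_realm=EXPECTED_REALM):
    """Substitute the authenticated user into the [username] placeholder."""
    user = split_remote_user(remote_user, expected_realm)
    return template.replace("[username]", ldap_filter_escape(user))
```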
4. Also make sure your clients understand Kerberos authentication. In Internet Explorer this should work. In Mozilla Firefox you may have to change some settings described in the links below. You may have to add your site to the trusted local sites in Internet Explorer.
5. Configure the SSO plugin in Joomla as well. When that is done everything should be in place and you should be able to log in automatically. Something I noticed is that you may have to restart your computer after you added the HTTP SPN on your AD server. It seems like the settings need to be refreshed on the client.
I used the instructions from these sites, though I had to modify them a little.
http://acksyn.org/blog/2009/05/24/active-directory-and-apache-kerberos-authentication/
http://shmanic.com/tools/jmapmyldap/documentation/ver-1-guide.htm