Topic: Configuring mod_auth_sspi to find remote user
Author: gdhp (Joined: 29 Jan 2014, Posts: 1)
Posted: Wed 29 Jan '14 13:45

I have been trying for a while now to get mod_auth_sspi up and running to help run a Drupal Intranet.

The Drupal LDAP module and the Drupal SSO instructions https://drupal.org/node/1371478 have been followed.

I am running a Uniform Server 8.12 - running Apache 2.2 and PHP 5.3

mod_auth_sspi is installed on the modules, and referenced in httpd.conf file.

The LDAP itself works, in that going to /user someone can log into their site using the company login details from their Active Directory. The test mechanism on Drupal also pulls through relevant information such as emails etc.

However unfortunately I can't get them to authenticate automatically.

The httpd.conf file also contains:
Code:
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
# Pass NTLM authentication to Apache
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<IfModule !mod_auth_sspi.c>
 LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>



Then the vhosts file contains
Code:
  NameVirtualHost intranet.example.co.uk
<VirtualHost intranet.example.co.uk>
 DocumentRoot "C:/UniServer2/www"
 ServerName Intranet
 <directory "C:/UniServer2/www">
   Options Indexes FollowSymLinks MultiViews
   AllowOverride All
   Order Allow,Deny
   Allow from all
 </directory>
 <Location /intranet/user/login/sso>
   AuthType SSPI
   AuthName "Intranet"
   SSPIAuth On
   SSPIAuthoritative On
   ### The domain used to authenticate with LDAP; this should match the domain
   ### configured in the LDAP integration configuration within Drupal
   SSPIDomain xxx.xxx.x.x
   SSPIOmitDomain On
   SSPIOfferBasic On
   Require valid-user
   #SSPIBasicPreferred On
   #SSPIofferSSPI off
 </Location>
</VirtualHost>



For information, intranet.example.co.uk has been replaced with name of company; xxx.xxx.x.x is the IP of the Active Directory. Obviously I've replaced these bits for security reasons.

Location is intranet/ because there is also another internal web application on the same server.

However when I go to the site I receive the error message:

Quote:
"You were not authenticated by the server. You may log in with your credentials below."


This happens at both intranet.example.co.uk and intranet.example.co.uk/user/login/sso

The following error reports are logged by Drupal:

Quote:
ldap_sso_user_login_sso.step1: implementation: mod_auth_sspi, enabled: 1, server_remote_user: , server_redirect_remote_user: , ssoRemoteUserStripDomainName: ,seamlessLogin: 1 ldap_sso_user_login_sso.implementation: username=, (realm=) found $_SERVER['REMOTE_USER'] not found ldap_sso_user_login_sso.no_remote_user.seamlessLogin ldap_sso_user_login_sso.no_remote_user.drupal_goto user/login


So clearly Drupal isn't finding the remote user. Furthermore I have a simple whoami.php script running in cgi-bin. The code for this is:
Code:
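<html>
<head>
  <title>whoami at <?php echo htmlspecialchars($_SERVER['SERVER_NAME']); ?> </title>
</head>
<body style='font-family:Verdana;font-size:-1'>
<?php

// REMOTE_USER is only set when Apache authenticated this request
$remote = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
$cred = explode('\\', $remote);
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;

// Escape before output; these values come from the request environment
$user = htmlspecialchars($user);
$domain = htmlspecialchars($domain);
echo "You appear to be user <B>$user</B><BR/>";
echo "logged into the Windows NT domain <B>$domain</B>";

?>
</body>
</html>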

This produced "You appear to be user" with no following text and "logged into the Windows NT domain (no domain info - perhaps SSPIOmitDomain is On)", suggesting that the server is also not picking up on the remote user.

I haven't made any specific odd alterations to the server, so I am assuming the problem I am having must be one suffered by others using mod_auth_sspi.

Couple of things it could be although my knowledge isn't enough to tell?

I don't have Tomcat on the server. On the Apache wiki (http://wiki.apache.org/httpd/ModAuthSSPI) it says a common problem with mod_auth_sspi is that mod.jk isn't configured correctly. Mod.jk seems to be a file relevant to Tomcat - however I haven't seen Tomcat listed anywhere as a requirement for mod_auth_sspi?


Something to do with htaccess? I've seen some mention of mod_auth_sspi and htaccess but nothing specific. However htaccess is the only place where I have done something vaguely unusual with the server as it has been configured to only allow people with the same IP address as the organisation to access the site (in other words only people in the offices can use it, and it can't be accessed from the outside).


Any advice or steps that could be taken to debug this would be greatly appreciated as I seem to be going round in circles.

Thanks.
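
To see which request paths the posted vhost configuration actually puts behind SSPI (Apache only populates REMOTE_USER for requests that an authentication module handled), the following is an added example, not part of the original post. It assumes only the <Location> block matters (no auth directives in .htaccess or <Directory>), uses a constructed copy of that block, and assumes the script URL /cgi-bin/whoami.php; the function names are illustrative.

```python
import re

# Constructed sample: the <Location> part of the vhost config quoted in the post.
VHOST = """
<VirtualHost intranet.example.co.uk>
 <Location /intranet/user/login/sso>
   AuthType SSPI
   SSPIAuth On
   Require valid-user
   #SSPIofferSSPI off
 </Location>
</VirtualHost>
"""

LOCATION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)

def auth_locations(conf):
    """Return {location_path: AuthType} for each <Location> that sets AuthType and Require."""
    found = {}
    for path, body in LOCATION_RE.findall(conf):
        # Anchoring at line start skips directives that are commented out with '#'.
        auth = re.search(r'^\s*AuthType\s+(\S+)', body, re.M | re.I)
        req = re.search(r'^\s*Require\s+\S+', body, re.M | re.I)
        if auth and req:
            found[path.rstrip("/") or "/"] = auth.group(1)
    return found

def covering_location(url_path, locations):
    """<Location> matches a URL-path prefix on a segment boundary; return the longest hit."""
    hits = [loc for loc in locations
            if loc == "/" or url_path == loc or url_path.startswith(loc + "/")]
    return max(hits, key=len) if hits else None

def report(conf, paths):
    """Map each request path to the authenticating <Location> covering it, or None."""
    locs = auth_locations(conf)
    return {p: covering_location(p, locs) for p in paths}

# Request paths taken from the post, plus one near-miss to show the segment boundary.
PATHS = ["/", "/user/login/sso", "/intranet/user/login/sso",
         "/intranet/user/login/sso/", "/cgi-bin/whoami.php",
         "/intranet/user/login/ssoX"]

if __name__ == "__main__":
    for path, loc in report(VHOST, PATHS).items():
        state = f"auth via <Location {loc}>" if loc else "no auth, REMOTE_USER not set"
        print(f"{path:30} {state}")
```

Query strings are not modelled; pass only the path component of the URL.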