SSO with Active Directory - Apache 2.4 (Linux)

Hello,

I am trying to get SSO to work where I am automatically logged in through Active Directory when visiting the osTicket subdirectory.  I am presently able to log in when entering my Active Directory username and password, but would like for the system to automatically log me and everyone else (including those submitting new tickets) into the system, since I only want people who are authenticated to be able to place tickets (which is everyone).  I know I will hear a *lot* of flak if I require them to log in before submitting tickets, since even the antiquated system we use doesn't require that (it uses automatic authentication).

I am running SuSE with Apache 2.4 with both auth-ldap and auth-passthru installed/enabled.

I also wanted to mention that the passthru phar file is bad on the website.  It's missing some of the config when I downloaded it.  I have recompiled it and have attached it to this ticket.

Thanks for any help.

Ryan

Comments

  • edited June 2014
    May be why pass thru isn't working on my Windows 2008 R2. Not as much of a code monkey as I once was and would love to have that recompiled phar for pass thru...

    Had a similar post here earlier today.
  • edited June 2014
    For some reason this system is hiding my file attachment.  In any case, here it is again recompiled:


    However, I still would like to know how to fix the issue I am having where I am not being automatically authenticated into the system without having to enter in my credentials.  Anyone know how to fix this issue?
  • Many thanks...I'll let you know what I can find. Disregard my PM.
  • One note...if you already have the plugin installed, I would recommend disabling it and then deleting it using the web portal (or at least that's what I did).  Then I went in and uploaded the new .phar, clicked Add plugin...Install, and it suddenly now shows two options for enabling for client and staff.  Only problem is that it still doesn't work correctly for me...
  • Exactly what I found as well.
  • hey @rblake,

    I have a similar requirement as yours. AD authentication is working for me.

    I installed the Passthru plugin which you have uploaded. However, I do not see any config settings.

    When I click on the plugin, I get following message.

    This plugin has no configurable settings
    Every plugin should be so easy to use
    Am I missing something important here? Do I need to edit the Apache conf file before installing the HTTP Passthru plugin? Could you please advise?

    osTicket Version: v1.9.0-3-gae5e138 (ae5e138)
    Server Software: Apache/2.2.22 (Ubuntu)
  • edited June 2014
    I will post a little tutorial about SSO + AD + apache, but not now (no time), maybe later or tomorrow.

    Only one thing: Download the plugin php files from github and build the .phar from them to make sure you have staff AND CLIENT passthru-auth working. Currently the passthru-auth phar only includes staff login! So you need to build your own .phar from the github files (https://github.com/osTicket/core-plugins/tree/develop/auth-ldap)

    PS: SSO (with AD + apache on openSuse) is working fine here :D
  • Did you download the version I have uploaded?  I actually inadvertently uploaded the wrong version of the phar file initially (I had uploaded the bad one from the website).  If you click on the link from my thread above, it will download the correct version.  You can confirm by verifying the file matches the below signature(s):

    MD5: 4dea9c5f1dbbfd2db2a341120ba34851
    SHA1: ef7b8709aeb2202fcae870a197ad5b79f2004b32
    SHA256: de84b10038a48dc4243af14ddcfe3f4b46e776688fef349fdeac71523d912081
    CRC32: ca81f655

    Hope this helps.
  • Hello @rblake,

    It appears that, I had downloaded the problematic phar file earlier.

    I downloaded the new file from google drive (mentioned in your post above); after installing the plugin, I can see the plugin options.

    Configuration

    Unnamed:

    Authentication Modes

    Authentication modes for clients and staff members can be enabled independently. Client discovery can be supported via a separate backend (such as LDAP)
    Staff Authentication:
     Enable authentication of staff members
    Client Authentication:
     Enable authentication and discovery of clients

    Thanks so much, appreciated.
  • So here is a little tutorial to set up client + staff SSO using apache (we use opensuse), kerberos, samba and AD.

    Requirements:
    - osTicket is installed, configured and working
    - LDAP-Plugin (currently v0.5) is installed, configured and enabled
    - HTTP-Passthru-Plugin (currently v0.1, but to include client user auth, download + create .phar from github repo files, instructions below) is installed, configured and enabled

    HTTP Passthru Plugin
    - Download the raw files from github (https://github.com/osTicket/core-plugins) using wget to a folder with a subdirectory called "directory"
    - Move all files to the subdirectory called "directory"
    - Build phar with this command:
    php -d phar.readonly=0 -r '$phar = new Phar("auth-passthru.phar"); $phar->buildFromDirectory("./directory");'
    - Done. Phar is now up to date and can be installed, configured and enabled

    Packages:
    - First install ntp, kerberos and samba packages on your webserver
    zypper install samba samba-client samba-libs samba-winbind krb5 krb5-appl-clients krb5-client pam_krb5 apache2-mod_auth_kerb apache2-mod_auth_ntlm_winbind
    - Maybe not all of the packages above are needed, but I installed them all and it's working; some may be used by other stuff running on the same webserver

    NTP
    - Configure ntp on the webserver to make sure the webserver and the domain controller / kdc server are in sync
    vi /etc/ntp.conf
    - Add the following line (replace your.timeserver.com with the address of your timeserver)
    server   your.timeserver.com

    Kerberos
    - Edit krb5.conf file:
    vi /etc/krb5.conf
    - My krb5.conf looks like:
    [libdefaults]
        default_realm = EXA.MPLE.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
        default_keytab_name = FILE:/etc/krb5.keytab

    [realms]
        # realm names are case-sensitive and must match default_realm
        EXA.MPLE.COM = {
            kdc = kdc-server.exa.mple.com
            master_kdc = kdc-server.exa.mple.com
            admin_server = kdc-server.exa.mple.com
            default_domain = exa.mple.com
        }

    [domain_realm]
        .exa.mple.com = EXA.MPLE.COM
        exa.mple.com = EXA.MPLE.COM

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

    - Now check if you are able to authenticate to AD using Domain Account (here: EXA.MPLE.COM\administrator) :
    kinit administrator
    Password for administrator@EXA.MPLE.COM:

    - Verify that authentication was successful:
    klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@EXA.MPLE.COM

    Valid starting     Expires            Service principal
    05/08/09 22:57:48  05/09/09 08:57:52  krbtgt/EXA.MPLE.COM@EXA.MPLE.COM
    renew until 05/09/09 22:57:48


    Samba
    - Configure samba now:
    vi /etc/samba/smb.conf

    - Here my samba config:
    [global]
            netbios name = webserver-hostname
            realm = EXA.MPLE.COM
            security = ADS
            encrypt passwords = yes
            password server = kdc-server.exa.mple.com
            workgroup = EXAMPLE-DOMAIN
            usershare allow guests = No
            wins server =
            wins support = No

    - Join the domain:
    net ads join -U administrator
    Using short domain name -- EXAMPLE-DOMAIN
    Joined 'webserver-hostname' to realm 'exa.mple.com'


  • edited June 2014
    - Create keytab:
    net ads keytab add HTTP -U administrator

    - Verify with ktutil:
    ktutil
    ktutil:  rkt /etc/krb5.keytab
    ktutil:  l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM
       2    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM
       3    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM
       4    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM
       5    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM
       6    2                HTTP/webserver-hostname@EXA.MPLE.COM
       7    2                HTTP/webserver-hostname@EXA.MPLE.COM
       8    2                HTTP/webserver-hostname@EXA.MPLE.COM
       9    2                HTTP/webserver-hostname@EXA.MPLE.COM
      10    2                HTTP/webserver-hostname@EXA.MPLE.COM

    - Give apache the rights to access keytab:
    chmod 740 /etc/krb5.keytab
    chgrp www /etc/krb5.keytab

    - Enable / Load auth_kerb module
    a2enmod auth_kerb

    - Create SSO config file for apache:
    vi /etc/apache2/conf.d/osticket.conf

    - Here is my osticket.conf:
    <Location /osticket/scp/>
      AuthType Kerberos
      AuthName "Login with your EXAMPLE-DOMAIN username and password"
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbAuthRealms EXA.MPLE.COM
      Krb5KeyTab /etc/krb5.keytab
      require valid-user
    </Location>

    <Location /osticket/>
      AuthType Kerberos
      AuthName "Login with your EXAMPLE-DOMAIN username and password"
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbAuthRealms EXA.MPLE.COM
      Krb5KeyTab /etc/krb5.keytab
      require valid-user
    </Location>


    Done. Now test it. Should work.
    Will add some instructions to enable domain-wide SSO for Firefox - IE and Chrome do not need any special configuration.

    Helped me a lot:

    Cheers,
    Michael
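A consistency check for the Apache and keytab side of the tutorial above, added here as an example; it is not part of Michael's post nor code from osTicket or mod_auth_kerb. It parses a `klist -k` listing and a `<Location>` block and reports when the HTTP service principal the browser will ask for (always `HTTP/<hostname in the URL>`) cannot be matched against the keytab and `KrbAuthRealms`. The sample keytab listing and Apache snippet are constructed to mirror the tutorial. Two assumptions that are not from the thread: a `KrbServiceName` with no host part is treated as `HTTP/<hostname the browser used>`, which is what mod_auth_kerb's host-based default resolves to in the common case, and `KrbServiceName Any` is treated as accepting any principal in the keytab.

```python
"""Check that an Apache mod_auth_kerb <Location> block, the keytab and the
hostname users type agree on the HTTP service principal (added example)."""
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output, mirroring the
# tutorial's keytab (MIT Kerberos listing format assumed).
SAMPLE_KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM
   2 HTTP/webserver-hostname@EXA.MPLE.COM
"""

# Constructed Apache snippet (explicit KrbServiceName, as used later in the thread).
SAMPLE_LOCATION = """<Location /osticket/>
  AuthType Kerberos
  AuthName "Login with your EXAMPLE-DOMAIN username and password"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms EXA.MPLE.COM
  Krb5KeyTab /etc/krb5.keytab
  KrbServiceName HTTP/webserver-hostname.exa.mple.com
  require valid-user
</Location>
"""


def keytab_principals(klist_output):
    """Principals listed by `klist -k`: lines of '<KVNO> <principal@REALM>'."""
    princs = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            princs.append(m.group(1))
    return princs


def auth_directives(conf):
    """Collect AuthType and Krb* directives of one <Location> block."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(AuthType|Krb\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_sso_config(conf, klist_output, url_host):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    d = auth_directives(conf)
    princs = keytab_principals(klist_output)
    if d.get("AuthType") != "Kerberos":
        problems.append("AuthType is not Kerberos")
    if d.get("KrbMethodNegotiate", "On").lower() != "on":
        problems.append("KrbMethodNegotiate is Off: no ticket SSO, only the password fallback")
    if "Krb5KeyTab" not in d:
        problems.append("Krb5KeyTab not set; Apache will not find the HTTP key")
    realms = d.get("KrbAuthRealms", "").split()
    if not realms:
        problems.append("KrbAuthRealms not set")
    service = d.get("KrbServiceName", "HTTP")
    if service.lower() == "any":          # assumption: any keytab principal accepted
        return problems
    if "/" not in service:                # assumption: bare name gets the request host
        service = f"{service}/{url_host}"
    spn_host = service.split("/", 1)[1].lower()
    if spn_host != url_host.lower():
        problems.append(f"browser will request HTTP/{url_host}, Apache expects {service}")
    expected = [f"{service}@{r}" for r in realms]
    if not any(e in princs for e in expected):
        problems.append(f"keytab has none of {expected}; add the HTTP key for the "
                        "host name that appears in the URL")
    return problems


if __name__ == "__main__":
    for host in ("webserver-hostname.exa.mple.com", "helpdesk.exa.mple.com"):
        print(host, check_sso_config(SAMPLE_LOCATION, SAMPLE_KLIST_K, host) or "OK")
```

Run it with the real `klist -k` output and the real `<Location>` block pasted into the two constants; the second host in the usage loop shows the typical failure, where the site is reached through a DNS alias that has no principal in the keytab, so the browser can never get a usable ticket and falls back to prompting for a password.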
  • Thanks for this tutorial,

    Working great once set up correctly. The only problem I'm running into is that every time after rebooting the osTicket server, I have to reissue "kinit administrator" to get SSO going again. Seems that the ticket cache in /tmp/krb5cc_0 gets removed and needs to be recreated after reboot.

    Best regards,
    J.
  • @Chefkeks,

    I followed your instructions but was still unable to get it to work automatically.  When I pull up the website, it prompts me for a username and password.  Once I enter the username and password, it acts as though the password was invalid.

    This computer was already joined to the domain previously because I am using samba to share some files.  That all is working just fine.  I also installed the Kerberos mod and attempted to follow your instructions for creating the key file and then setting the Directory parameters in the osticket.conf (modified to meet my requirements).  When I run the test, it works for the Administrator account...not sure what else to do.

    Thanks,
    Ryan
  • Hi rblake,

    I got the same problem (more or less) down the road when setting up SSO yesterday/today. Not sure if the same is going on in your environment but you might want to take a look here and check Access control settings -> Registration method is set to public in your setup. You might want to keep an eye on the user_account table for double entries.

    Hope that helps :-)
    J.
  • Hi @jerre,

    Thank you for the message.  However, I just checked and already have it set up to Public.  Also, when I go to the page and login with my credentials manually, it works just fine (after renaming the osticket.conf to osticket.conf.bad and restarting apache to bypass the config).  However, I would really like for users to be able to click on the link and it automatically recognize/authenticate them.

    Anyone have any suggestions?

    I even tried this config to no avail:

    <Location /facilities/>
      KrbServiceName HTTP
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbAuthRealms DOMAIN.LOCAL
      Krb5KeyTab /etc/krb5.keytab

      AuthType Kerberos
      AuthName "Login with your Windows username and password"
      require valid-user
    </Location>
  • Hi @rblake,

    My apache config looks like this:

    <Location /support/>
      AuthType Kerberos
      AuthName "Login with your windows user"
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbAuthRealms DOMAIN.LOCAL
      Krb5KeyTab /etc/krb5.keytab
      # I don't think this matters as the passthru plugin strips the @DOMAIN.LOCAL automatically
      KrbLocalUserMapping Off
      KrbServiceName HTTP/hostname.domain.local
      require valid-user
    </Location>

    Did you check the ost_user_account table? username should be your samaccountname, passwd = null and backend ldap.client. Other than that I'm out of suggestions.

    I just noticed that navigating directly to /tickets.php or /login.php logs me in with my Windows user straight away, whereas /index.php wants me to click the login link.

    Hope you get it working.
    J.

  • Thank you again @jerre ..  I did check and I am seeing the account table showing the users correctly...that part is working...just the auto-auth isn't...

    This is what I get in the error_log:

     gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
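The error in the post above, `gss_accept_sec_context() failed: An unsupported mechanism was requested`, is what mod_auth_kerb reports when the GSSAPI library on the server is handed a token in a mechanism it cannot process. In practice that is an NTLM token: the browser could not obtain a Kerberos service ticket for the hostname in the URL (no matching SPN and keytab entry, host not treated as intranet, or the site reached under a different name than its principal) and fell back to NTLM, either as a raw NTLMSSP message or as a SPNEGO NegTokenInit whose only mechanism is NTLMSSP. The decoder below is an added example, not code from this thread, osTicket or mod_auth_kerb: it takes the base64 value of the `Authorization: Negotiate` header (copied from the browser's network tab or a packet capture) and reports which mechanisms the client offered, so the failure can be pinned on the client side before touching the Apache config. The three sample tokens are constructed here for the demonstration with a hand-rolled DER encoder; the OIDs are the standard SPNEGO, Kerberos V5, Microsoft Kerberos V5 and NTLMSSP identifiers, and the Kerberos mechToken inside the first sample is an opaque placeholder, not a real AP-REQ.

```python
"""Decode the token a client sent in 'Authorization: Negotiate <base64>' and
report which GSS mechanisms it offers (added example)."""
import base64

SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos V5",
             MS_KRB5: "MS Kerberos V5", NTLMSSP: "NTLMSSP"}


def _tlv(buf, pos):
    """Parse one DER element (single-byte tag) at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_decode(raw):
    """DER OID contents -> dotted string."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def classify_negotiate_token(b64):
    """Return {'kind': NTLM|KRB5|SPNEGO|UNKNOWN, 'mechs': [...], 'kerberos': bool}."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):        # raw NTLM, no GSS wrapper at all
        return {"kind": "NTLM", "mechs": ["NTLMSSP"], "kerberos": False}
    if not tok or tok[0] != 0x60:            # not an RFC 2743 InitialContextToken
        return {"kind": "UNKNOWN", "mechs": [], "kerberos": False}
    _, body, _ = _tlv(tok, 0)
    tag, oid, pos = _tlv(body, 0)
    mech = _oid_decode(oid) if tag == 0x06 else ""
    if mech in (KRB5, MS_KRB5):              # bare Kerberos AP-REQ without SPNEGO
        return {"kind": "KRB5", "mechs": [OID_NAMES[mech]], "kerberos": True}
    if mech != SPNEGO:
        return {"kind": "UNKNOWN", "mechs": [mech], "kerberos": False}
    tag, neg, _ = _tlv(body, pos)
    if tag != 0xA0:                          # [1] NegTokenResp: not a first-leg token
        return {"kind": "SPNEGO", "mechs": [], "kerberos": False}
    _, init, _ = _tlv(neg, 0)                # SEQUENCE NegTokenInit
    tag, mtl, _ = _tlv(init, 0)              # [0] mechTypes
    _, lst, _ = _tlv(mtl, 0) if tag == 0xA0 else (0, b"", 0)
    mechs, p = [], 0
    while p < len(lst):                      # SEQUENCE OF OBJECT IDENTIFIER
        t, v, p = _tlv(lst, p)
        if t == 0x06:
            mechs.append(_oid_decode(v))
    return {"kind": "SPNEGO",
            "mechs": [OID_NAMES.get(m, m) for m in mechs],
            "kerberos": any(m in (KRB5, MS_KRB5) for m in mechs)}


# --- constructed sample tokens (DER built by the helpers below) ---------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        enc = bytearray([a & 0x7F])
        a >>= 7
        while a:
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += enc
    return _der(0x06, bytes(out))


def build_spnego_init(mechs, mech_token=b""):
    """SPNEGO NegTokenInit offering the given mechTypes (optional opaque mechToken)."""
    init = _der(0xA0, _der(0x30, b"".join(_oid_encode(m) for m in mechs)))
    if mech_token:
        init += _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _oid_encode(SPNEGO) + _der(0xA0, _der(0x30, init)))


# Shape sent by a domain-joined browser that holds a ticket (placeholder mechToken).
SAMPLE_KERBEROS = base64.b64encode(
    build_spnego_init([MS_KRB5, KRB5, NTLMSSP], b"\x60\x00")).decode()
# NTLM fallback wrapped in SPNEGO: the shape behind the 'unsupported mechanism' error.
SAMPLE_NTLM_SPNEGO = base64.b64encode(build_spnego_init([NTLMSSP])).decode()
# Raw NTLMSSP NEGOTIATE_MESSAGE header (constructed), also rejected by a Kerberos-only server.
SAMPLE_NTLM_RAW = base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16).decode()

if __name__ == "__main__":
    for name, t in (("kerberos", SAMPLE_KERBEROS), ("ntlm-in-spnego", SAMPLE_NTLM_SPNEGO),
                    ("raw-ntlm", SAMPLE_NTLM_RAW)):
        print(name, classify_negotiate_token(t))
```

If the output for a real header shows `kerberos: False`, the fix is on the client and name side (a keytab entry for the hostname actually in the URL, the site in the browser's intranet or trusted-URI list, clocks in sync), not in the Apache directives; if it shows a Kerberos mechanism and the server still logs the error, compare the keytab principals against the hostname the browser used.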