Authentication Tools for Joomla! (JAuthTools) - User contributions by Pasamio [en] (Atom feed from http://sammoffatt.com.au/jauthtools/, MediaWiki 1.15.3, retrieved 2024-03-29T16:00:41Z)
Main Page (revision 2013-01-01T22:03:37Z by Pasamio)
<hr />
<div>Welcome to the Authentication Tools for Joomla! wiki (JAuthTools).<br />
<br />
Authentication Tools for Joomla! (JAuthTools) are a collection of Joomla! extensions that allow greater integration of Joomla! into a corporate environment. By providing authentication support, they allow both single sign on and single sign in style authentication against the corporate directory (e.g. openLDAP, MSAD, eDirectory) for Joomla! powered sites. The ideal that JAuthTools strives for is to avoid altering the core of Joomla!, unlike previous LDAP integration projects which required altering core files. By avoiding this we aim to be more flexible, allowing users to upgrade their Joomla! site without having to re-edit files.<br />
<br />
JAuthTools consists of several components:<br />
* [[LDAP Tools]] (Joomla! 1.0 and 1.5)<br />
* [[SSO|Single Sign On]] (SSO) (Joomla! 1.0 and 1.5)<br />
* [[User Sources]] (Joomla! 1.5)<br />
* [[JAuthManager]] (Joomla! 1.5; coming soon!)<br />
* [[Remote Joomla]] (Joomla! 1.5)<br />
<br />
Each component extends the base Joomla! install with specific abilities. Different projects are relevant to different releases of Joomla!, so if you are new, check out the [[Supported Platforms]] page to work out which project is for you and what you will need for it (e.g. PHP5, LDAP).<br />
<br />
Additionally there is a [[History|history]] of the project, generic [[upgrade]] instructions and information about [[Compatibility|compatibility]] with other popular Joomla! extensions.<br />
<br />
== Getting Help ==<br />
* [[FAQ]]<br />
* [[:Category:Guide|Guides]] provide detailed instructions on tasks.<br />
* [[Quickstart for 1.0]]<br />
* [[Quickstart for 1.5]]<br />
* [[JAuth Tools Install Guide for Joomla 1.5 and MSAD]]<br />
<br />
== Contributing ==<br />
* [[Wiki]] additions/alterations/suggestions<br />
* [[Patches]]<br />
* [[Donations]]<br />
<br />
== Related Reading ==<br />
These are external links.<br />
<br />
* [http://dev.joomla.org/component/option,com_jd-wp/Itemid,33/p,93/ Authentication Options: SSO vs SSI] - a dev.joomla.org blog post detailing the SSO and SSI terms<br />
* [[ChangeLog]] has the unified change log for the project.<br />
<br />
== Related Projects ==<br />
<br />
These are some other Joomla! based authentication projects:<br />
* [http://joomlacode.org/gf/project/sso/ Mambo | Joomla! Single Sign On] provides the ability to designate certain sites to provide authentication for other sites by using a module. It achieves a similar goal to OpenID (but for Joomla! 1.0.x). JAuthTools has an updated version of this tool that works with both Joomla! 1.0 and Joomla! 1.5 in legacy mode, see [[SSO/SOAP|SOAP SSO]].<br />
* [http://joomlacode.org/gf/project/mysql_extdbauth MySQL External DB Auth] is a "plugin for Joomla 1.5 let authenticate users against external MySQL database. The plugin is fully configurable by Admin area where the host, port, database, table, username column, password column, first name column, last name column and email column can be configured. If the password at remote site changed, then you will be able to login by using that new password"<br />
* [http://www.ioplex.com/joomla_plugin.html IOPlex] offers Joomla! plugins to aid integration with AD, at a cost.<br />
* [http://joomlacode.org/gf/project/jfusion/ JFusion] provides the ability where "Joomla can authorise users based on other software such as vbulletin or phpbb forums (without making any changes to the core files)"<br />
* [http://joomlacode.org/gf/project/auth_manager/ Authentication Manager] is "designed to give the administrator the ability to use external authentication server (SSO) such as CAS, openid, AOL OpenAuth, Google AuthSub (when it will manage the userid), Microsoft Windows Live Contacts API, Yahoo BBAuth"<br />
<br />
There are also some Joomla! LDAP related projects:<br />
* [http://joomlacode.org/gf/project/whitepages/ LDAP White Pages] is a 1.5 component for building a telephone directory from LDAP.<br />
* [http://joomlacode.org/gf/project/joomlaaaa/ Joomla! AAA] is an "attempt to collect and build other authentication, authorization and accounting plug-ins."</div>
Main Page (revision 2012-12-25T20:46:13Z by Pasamio)
<hr />
<div>Welcome to the Joomla! Authentication Tools wiki (JAuthTools).<br />
<br />
<br />
= JAUTHTOOLS IS NO LONGER SUPPORTED =<br />
These pages are kept for reference.<br />
<br />
<br />
Joomla! Authentication Tools are a collection of Joomla! extensions that allow greater integration of Joomla! into a corporate environment. By providing authentication support, they allow both single sign on and single sign in style authentication against the corporate directory (e.g. openLDAP, MSAD, eDirectory) for Joomla! powered sites. The ideal that JAuthTools strives for is to avoid altering the core of Joomla!, unlike previous LDAP integration projects which required altering core files. By avoiding this we aim to be more flexible, allowing users to upgrade their Joomla! site without having to re-edit files.<br />
<br />
JAuthTools consists of several components:<br />
* [[LDAP Tools]] (Joomla! 1.0 and 1.5)<br />
* [[SSO|Single Sign On]] (SSO) (Joomla! 1.0 and 1.5)<br />
* [[User Sources]] (Joomla! 1.5)<br />
* [[JAuthManager]] (Joomla! 1.5; coming soon!)<br />
* [[Remote Joomla]] (Joomla! 1.5)<br />
<br />
Each component extends the base Joomla! install with specific abilities. Different projects are relevant to different releases of Joomla!, so if you are new, check out the [[Supported Platforms]] page to work out which project is for you and what you will need for it (e.g. PHP5, LDAP).<br />
<br />
Additionally there is a [[History|history]] of the project, generic [[upgrade]] instructions and information about [[Compatibility|compatibility]] with other popular Joomla! extensions.<br />
<br />
== Getting Help ==<br />
* [[FAQ]]<br />
* [[:Category:Guide|Guides]] provide detailed instructions on tasks.<br />
* [[Quickstart for 1.0]]<br />
* [[Quickstart for 1.5]]<br />
* [[JAuth Tools Install Guide for Joomla 1.5 and MSAD]]<br />
<br />
== Contributing ==<br />
* [[Wiki]] additions/alterations/suggestions<br />
* [[Patches]]<br />
* [[Donations]]<br />
<br />
== Related Reading ==<br />
These are external links.<br />
<br />
* [http://dev.joomla.org/component/option,com_jd-wp/Itemid,33/p,93/ Authentication Options: SSO vs SSI] - a dev.joomla.org blog post detailing the SSO and SSI terms<br />
* [[ChangeLog]] has the unified change log for the project.<br />
<br />
== Related Projects ==<br />
<br />
These are some other Joomla! based authentication projects:<br />
* [http://joomlacode.org/gf/project/sso/ Mambo | Joomla! Single Sign On] provides the ability to designate certain sites to provide authentication for other sites by using a module. It achieves a similar goal to OpenID (but for Joomla! 1.0.x). JAuthTools has an updated version of this tool that works with both Joomla! 1.0 and Joomla! 1.5 in legacy mode, see [[SSO/SOAP|SOAP SSO]].<br />
* [http://joomlacode.org/gf/project/mysql_extdbauth MySQL External DB Auth] is a "plugin for Joomla 1.5 let authenticate users against external MySQL database. The plugin is fully configurable by Admin area where the host, port, database, table, username column, password column, first name column, last name column and email column can be configured. If the password at remote site changed, then you will be able to login by using that new password"<br />
* [http://www.ioplex.com/joomla_plugin.html IOPlex] offers Joomla! plugins to aid integration with AD, at a cost.<br />
* [http://joomlacode.org/gf/project/jfusion/ JFusion] provides the ability where "Joomla can authorise users based on other software such as vbulletin or phpbb forums (without making any changes to the core files)"<br />
* [http://joomlacode.org/gf/project/auth_manager/ Authentication Manager] is "designed to give the administrator the ability to use external authentication server (SSO) such as CAS, openid, AOL OpenAuth, Google AuthSub (when it will manage the userid), Microsoft Windows Live Contacts API, Yahoo BBAuth"<br />
<br />
There are also some Joomla! LDAP related projects:<br />
* [http://joomlacode.org/gf/project/whitepages/ LDAP White Pages] is a 1.5 component for building a telephone directory from LDAP.<br />
* [http://joomlacode.org/gf/project/joomlaaaa/ Joomla! AAA] is an "attempt to collect and build other authentication, authorization and accounting plug-ins."</div>
LDAP Testing (revision 2012-07-03T23:56:23Z by Pasamio)
<hr />
<div>Notes for LDAP Testing:<br />
<br />
* http://ddubbya.blogspot.com/2011/07/mocking-ldap-servers-for-junit.html<br />
* https://www.unboundid.com/products/ldap-sdk/<br />
* https://www.unboundid.com/blog/2011/03/23/test-smarter-–-the-new-unboundid-ldap-sdk-for-java/<br />
* https://www.unboundid.com/products/ldapsdk/docs/javadoc/com/unboundid/ldap/listener/InMemoryDirectoryServer.html</div>
File:Ldap-ad-params.png (revision 2012-06-05T15:54:00Z by Pasamio)
<hr />
<div></div>
JAuth Tools Install Guide for Joomla 1.5 and MSAD (revision 2012-06-05T15:53:23Z by Pasamio)
<hr />
<div>This guide will detail the steps I took to successfully install Authentication and Synchronization against a Microsoft Active Directory LDAP server for my Joomla site.<br />
<br />
My environment consists of:<br />
<br />
:* Joomla version 1.5.9<br />
:* XAMPP 1.7.1<br />
:* PHP 5.2.9<br />
:* Windows XP SP3<br />
:* JAuth Tools 1.5.4<br />
<br />
These are the steps I performed to get this working:<br />
<br />
* Download JAuth Tools from [http://joomlacode.org/gf/project/jauthtools/frs/ http://joomlacode.org/gf/project/jauthtools/frs/]<br />
* Under ‘Packages 5-prodution/stable’, I downloaded<br />
** Pkg_jauthtools_core.tgz<br />
** Pkg_jauthtools_extras.tgz<br />
** Pkg_jauthtools_usersource.tgz<br />
* In the Joomla back-end (Extensions, Install), install each of the three packages.<br />
* Enable the PHP LDAP extension in your XAMPP environment:<br />
** Edit your php.ini (in the Joomla admin panel, select ‘System Info’, then ‘PHP Information’, and find the setting ‘Loaded Configuration File’ to make sure you’re editing the right one; it is usually either \XAMPP\Apache\bin\php.ini or \XAMPP\php\php.ini).<br />
** Remove the comment (;) from the line ‘extension=php_ldap.dll’.<br />
** Stop and restart Apache.<br />
** Go back to ‘PHP Information’ and verify that ldap shows up in the list of installed extensions.<br />
* Download and install jDiagnostic from [http://extensions.joomla.org/extensions/administration/admin-add%252dons/7014/details http://extensions.joomla.org/extensions/administration/admin-add%252dons/7014/details]<br />
* Before enabling the new plug-ins, configure the Authentication-LDAP plugin that came with Joomla 1.5.x using the 'ldapconfigurator' from the jDiagnostic tools.<br />
* Try the 'authtest' in the jDiagnostic tools; if it works, you may skip the next several steps.<br />
* If it doesn't work, try to eliminate possible sources of problems. I would first test the connection from a utility outside Joomla.<br />
** Install an LDAP browser such as jxplorer from [http://www.jxplorer.org/ http://www.jxplorer.org/].<br />
** Use the parameters you set in the configurator and attempt to connect to your LDAP server. This lets you test and verify your LDAP settings outside Joomla and your browser. It also lets you browse all the information your server provides, which is very helpful for seeing exact CNs, memberOf names etc. for the later steps.<br />
** Then I would test the connection from inside your browser: I used the simple testldap.php script below (thanks to the PHP site), with the configuration variables from before plugged in.<br />
<pre><br />
<?php<br />
// LDAP variables: use the values you entered in the ldapconfigurator<br />
$ldaphost = "nn.nn.nn.nn"; // your LDAP server (hostname or IP)<br />
$ldapport = 389; // your LDAP server's port number<br />
$ldaprdn = 'CN=Name,OU=Users,OU=Name,OU=Name,DC=Name,DC=Local'; // full DN of the account used to bind<br />
$ldappass = 'pswd'; // that account's password<br />
<br />
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 0);<br />
<br />
// Connecting to LDAP. Note that ldap_connect() only validates its parameters;<br />
// the TCP connection is not actually opened until the bind below.<br />
$ldapconn = ldap_connect($ldaphost, $ldapport)<br />
    or die("Could not connect to $ldaphost");<br />
echo "Connection handle created\n";<br />
<br />
// Active Directory requires protocol version 3<br />
if (ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3)) {<br />
    echo "Using LDAP v3\n";<br />
} else {<br />
    echo "Failed to set protocol version 3\n";<br />
}<br />
// Do not chase referrals: AD returns them for searches and they cause failures<br />
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);<br />
<br />
// Binding to the LDAP server with the credentials above<br />
if ($ldapconn) {<br />
    $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);<br />
<br />
    // verify binding; ldap_error() reports the server's reason on failure<br />
    if ($ldapbind) {<br />
        echo "LDAP bind successful...\n";<br />
    } else {<br />
        echo "LDAP bind failed: " . ldap_error($ldapconn) . "\n";<br />
    }<br />
    ldap_unbind($ldapconn);<br />
}<br />
?><br />
</pre><br />
** This helped me find that if you have Norton or another firewall, you must allow Apache to communicate with your server on port 389; mine was blocking it without any error message or log entry.<br />
* Once the 'authtest' is successful, go to the plug-in manager and:<br />
** Enable Authentication-Advanced LDAP<br />
** Disable Authentication-LDAP<br />
** Enable System-JAuthTools Synchronization Plugin<br />
** Enable UserSource-LDAP<br />
** DO NOT enable UserSource-Session or User-LDAP; in fact you can uninstall them.<br />
** My parameter settings for each of the above are as follows:<br />
** Advanced LDAP<br />
*** Enable User Source Sync – YES<br />
*** Require Joomla User – NO<br />
** Synchronization Plugin<br />
*** Demote User – YES<br />
*** UserSource – LDAP<br />
*** Map User Blocked – loginDisabled<br />
*** Map User Groups – memberOf (Note: this is the setting for MSAD; Novell uses groupmembership)<br />
*** Map Group Members – member<br />
*** Group Map –<br />
**** CN=LocalAdmins,OU=NAME,OU=Name,DC=NAME,DC=LOCAL;25;Super Administrator;999<br />
**** CN=_GroupName,OU=Users,OU=Name,OU=Name,DC=NAME,DC=LOCAL;18;Registered;100<br />
*** Your Group Map will replace the above with your particular names and tree structure. This is where the LDAP browser comes in handy, because you can directly see what the memberOf attribute is for your particular user. Also remember that these values are CASE SENSITIVE. The layout for this parameter is described at [[LDAP Tools/Group Mapping]].<br />
*** Next four – NO<br />
*** Original Encoding – ISO8859-1<br />
*** Target Encoding – UTF-8<br />
** User-Joomla should remain enabled, with its Auto-Create Users parameter set to YES.<br />
* You should now be able to sign on using LDAP authentication. Use the jDiagnostic tools 'authtest' and 'usersourcechecker' to make sure things are coming through correctly. Users should now be able to sign on, and the Joomla user is created for them with the appropriate group assignment. There is a small bug at the moment where the group assignment isn’t recognized by the Joomla engine until the second sign-on, but check the forum for a possible fix: [http://forum.joomla.org/viewtopic.php?f=473&t=285372&p=1811943#p1811943 forum thread].<br />
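As an added example (not part of this guide or of the JAuthTools project), the script below ties the steps above together: it parses Group Map lines in the "DN;gid;name;n" layout shown above, optionally reads a user's memberOf values from AD with the same bind parameters as the test script, and reports which map entries match using the same case-sensitive comparison the guide warns about, plus any entries that differ only in case, which is the usual reason a mapping silently fails. It needs the php_ldap extension enabled as described above. The function names, the placeholder DNs and bind details, and the sample memberOf values are constructed for this example; the fourth Group Map field is carried through uninterpreted (see the Group Mapping page for its meaning), and the live lookup assumes users are found by sAMAccountName under the base DN given.<br />

```php
<?php
// Added example, not JAuthTools project code. Group Map layout assumed from the guide:
// "group DN;Joomla gid;group name;n" with the fourth field left uninterpreted here.

function parseGroupMap($text)
{
    $entries = array();
    foreach (preg_split('/\r?\n/', $text) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $fields = explode(';', $line);
        if (count($fields) !== 4) {
            throw new InvalidArgumentException("Expected 4 ';'-separated fields: $line");
        }
        $entries[] = array(
            'dn'    => trim($fields[0]),   // group DN exactly as AD reports it in memberOf
            'gid'   => (int) trim($fields[1]),
            'name'  => trim($fields[2]),
            'extra' => trim($fields[3]),   // not interpreted by this example
        );
    }
    return $entries;
}

// Exact (case-sensitive) matches are what the mapping applies; near misses that
// differ only in case are reported separately so they can be corrected in the map.
function matchGroupMap(array $memberOf, array $map)
{
    $result = array('matched' => array(), 'case_mismatch' => array());
    foreach ($map as $entry) {
        foreach ($memberOf as $dn) {
            if ($dn === $entry['dn']) {
                $result['matched'][] = $entry;
            } elseif (strcasecmp($dn, $entry['dn']) === 0) {
                $result['case_mismatch'][] = array('memberOf' => $dn, 'map' => $entry['dn']);
            }
        }
    }
    return $result;
}

// Reads a user's memberOf values from AD. Hypothetical helper; bind parameters are
// placeholders in the same shape as the guide's test script.
function fetchMemberOf($host, $port, $bindDn, $bindPw, $baseDn, $username)
{
    // Restrict the username to safe characters rather than building an LDAP filter
    // from arbitrary input (ldap_escape() is only available from PHP 5.6).
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
        throw new InvalidArgumentException('Unexpected characters in username');
    }
    $conn = ldap_connect($host, $port);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD referrals break searches otherwise
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }
    $search = ldap_search($conn, $baseDn, "(sAMAccountName=$username)", array('memberOf'));
    if ($search === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $search); // attribute names come back lowercased
    ldap_unbind($conn);
    $memberOf = array();
    if ($entries['count'] === 1 && isset($entries[0]['memberof'])) {
        for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
            $memberOf[] = $entries[0]['memberof'][$i];
        }
    }
    return $memberOf;
}

// Constructed sample map in the guide's layout (placeholder DNs).
$groupMapText = "CN=LocalAdmins,OU=NAME,OU=Name,DC=NAME,DC=LOCAL;25;Super Administrator;999\n"
              . "CN=_GroupName,OU=Users,OU=Name,OU=Name,DC=NAME,DC=LOCAL;18;Registered;100\n";
$map = parseGroupMap($groupMapText);

if ($argc > 1) {
    // Live check: php groupmapcheck.php <username>  (bind details are placeholders)
    $memberOf = fetchMemberOf('nn.nn.nn.nn', 389,
        'CN=Name,OU=Users,OU=Name,OU=Name,DC=Name,DC=Local', 'pswd', 'DC=Name,DC=Local', $argv[1]);
} else {
    // Constructed memberOf values: one exact match and one that differs only in case.
    $memberOf = array(
        'CN=_GroupName,OU=Users,OU=Name,OU=Name,DC=NAME,DC=LOCAL',
        'CN=LocalAdmins,OU=Name,OU=Name,DC=Name,DC=Local',
    );
}

$report = matchGroupMap($memberOf, $map);
foreach ($report['matched'] as $entry) {
    echo "match: {$entry['dn']} -> gid {$entry['gid']} ({$entry['name']})\n";
}
foreach ($report['case_mismatch'] as $miss) {
    echo "case-only mismatch: memberOf has {$miss['memberOf']} but map has {$miss['map']}\n";
}
```

Run it without arguments to see the constructed case: the Registered entry matches and the LocalAdmins entry is reported as a case-only mismatch. With a username argument it performs the live lookup and compares the real memberOf values against your map, which is a quicker check than signing on twice and inspecting the Joomla user.<br />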
<br />
[[File:ldap-ad-params.png]]<br />
<br />
<br />
I hope this helps someone. It took me several frustrating days to get this working correctly.<br />
<br />
<br />
<br />
[[Category: Guide]]</div>
Kerberos (revision 2011-10-08T19:31:17Z by Pasamio: /* Web browsers */)
<hr />
<div>Kerberos is a protocol developed at MIT that provides mutual, ticket-based authentication and is a standard authentication system for services, computers and users. Kerberos is the main form of authentication in Microsoft's Active Directory, and eDirectory also provides Kerberos functionality.<br />
<br />
==Kerberos Guides==<br />
*[[Kerberos/Configuring Apache To Authenticate PHP Documents|Configuring Apache To Authenticate PHP Documents]]<br />
*[[Kerberos/Kerberos and SLES9|Kerberos and SLES9]]<br />
*[[Kerberos/Kerberos and Debian|Kerberos and Debian]]<br />
*[[Kerberos/Troubleshooting|Kerberos Troubleshooting]]<br />
*[[Kerberos/Browser Support|Browser Support]]<br />
<br />
==Other Resources==<br />
These are alternative resources that may be useful in setting up Kerberos, mostly aimed at Apache.<br />
<br />
=== Web browsers ===<br />
* [http://grolmsnet.de/kerbtut/firefox.html Kerberos and Firefox]<br />
* [http://dev.chromium.org/developers/design-documents/http-authentication HTTP Authentication in Chrome] (includes docs on SPN generation for Chrome)<br />
<br />
=== IIS ===<br />
* [http://en.wikipedia.org/wiki/Integrated_Windows_Authentication Integrated Windows Authentication] (Wikipedia)<br />
* [http://support.microsoft.com/kb/324274 IIS Web site authentication in Windows Server 2003] (Look for "Integrated Windows Authentication")<br />
* [http://support.microsoft.com/kb/303650 IE not correctly identifying sites in the intranet] (This can cause token errors in Apache)<br />
* [http://msdn.microsoft.com/en-us/library/ms998358.aspx Enabling Integrated Windows Authentication in IE] (Required to avoid password prompts)<br />
* [http://technet.microsoft.com/en-us/library/cc733010(WS.10).aspx Configuration Authentication in IIS7]<br />
<br />
=== Kerberos and Apache guides ===<br />
*[http://www.grolmsnet.de/kerbtut/ Tutorial: Using mod_auth_kerb with Windows 2000/2003 as KDC] (This is one of the original tutorials that I followed in the SLES9 build)<br />
*[http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/ Kerberos based SSO with Apache]<br />
*[http://sl.mvps.org/docs/LinuxApacheKerberosAD.htm Configure Apache on Linux for Kerberos Authentication]<br />
*[http://michele.pupazzo.org/diary/?p=460 Active Directory and Apache Kerberos authentication] (Debian using the Samba approach)<br />
<br />
=== Kerberos Troubleshooting ===<br />
*[http://support.microsoft.com/kb/230476 Common Kerberos related errors in Windows 2000] (Microsoft Knowledge Base Article)<br />
*[http://support.microsoft.com/kb/919557 Preauthentication errors with keys and Windows 2003 SP1] (also related to key version number issues)<br />
*[http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/d0229b5e69414a3/298a3436829fb172?lnk=gst&q=windows+2003&rnum=46&utoken=sr-PmzkAAAAcKcOjbwnhHQIzo1cF4IQzLkPNKwi-0NO8rAWVaHL63pBI8ofuZidr1hIm37QuoNLMFfYmITmO1nk4CbSXWulr&pli=1 Google Groups thread on comp.protocols.kerberos about issues with Windows 2003 SP1 and ktpass.exe]<br />
*[http://www.openafs.org/pipermail/openafs-info/2007-January/025039.html OpenAFS: Windows 2003 Service Keys Info] (has some AFS related notes but a lot of useful information)<br />
*[http://www.ncsa.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html UNIX Kerberos Troubleshooting Guide] (has some useful information and hints)<br />
<br />
=== Scott Lowe on Kerberos ===<br />
Scott Lowe's blog has many useful Kerberos-related posts, and the comments on each page can help you with a multitude of small issues. Some of it covers more than just Kerberos and moves into what you need to do to get Linux to play nicely, but much of the information is useful, even if only in part.<br />
*[http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/ Complete Linux AD Authentication Details] (Windows 2000 and Windows 2003 pre-R2)<br />
*[http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/ Linux AD Integration] (Windows 2003 R2+)<br />
*[http://blog.scottlowe.org/2006/08/21/more-on-kerberos-authentication-against-active-directory/ More on Kerberos Authentication against Active Directory]<br />
*[http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/ ESX integration with Active Directory]<br />
<br />
<br />
[[Category:Kerberos]]</div>
Articles/SSO vs SSI (revision 2011-01-17T07:07:00Z by Pasamio: Created page with 'A while back I blogged on the new GMail authentication plugin. Recently I have had a few questions about my work with LDAP integration (and I've also done work with Kerberos - bu…')
<hr />
<div>A while back I blogged on the new GMail authentication plugin. Recently I have had a few questions about my work with LDAP integration (and I've also done work with Kerberos, but that's not for the faint-hearted admin). So I've decided to write this clarifying post on SSO (Single Sign On) versus SSI (Single Sign In).<br />
<br />
Note: This is my take on what the two items mean and how I apply my definition, other people might work things a different way.<br />
<br />
To me there are three ways of authenticating users in a system: a standalone login framework (such as what Joomla! uses by default), a Single Sign In interface (examples being LDAP and now GMail) and Single Sign On (examples being LDAP and Kerberos). For a large number of sites the built-in Joomla! authentication system is great, as it allows them to control their users in an independent manner. When we move to sites with a large community user base, it becomes attractive to use the users' GMail credentials to validate their login (and email), or perhaps an existing LDAP system already implemented for an address book. The final case is a medium to large corporate environment running perhaps Microsoft Active Directory (Kerberos SSO) or Novell Netware/eDirectory (LDAP SSO). In both cases (SSO and SSI) I have used LDAP as an example, so what's the difference?<br />
<br />
When a user sits down at their computer and logs in in the morning, and those credentials are then used to validate them for that ENTIRE session, this is called single sign on: with one sign on they have validated themselves. Systems that support this are Kerberos (namely in a Windows environment) and LDAP (using IP address validation). The side effect for users is their perceived inability to 'sign out' of a managed site; they will always be signed in. For my own reasons I have this disabled for the administrator and only enabled on the front end. This is a single sign on event: the user enters their username and password once.<br />
<br />
Single Sign In means that the same credentials are used with many systems, but each system will typically require the user to re-enter their details. GMail is my best example of this now in Joomla! when the appropriate plugin is enabled. While your username and password remain the same for logging into your GMail/GTalk/GServiceNameHere, you still have to re-enter them into the Joomla! site(s). You aren't automagically assigned privileges like in SSO, but your details are the same for each distinct system.<br />
<br />
Within Joomla! 1.5 at the moment there is GMail and LDAP support in addition to the default Joomla! user table authentication (keep in mind that in 1.5 the user has to exist in this table for any other form of authentication to work, but that will be fixed in later releases to make this more flexible). These plugins provide a Single Sign In interface to Joomla!, allowing for example a community site to use a very common and popular system (GMail) to handle secondary authentication, or larger, more structured organizations to use their LDAP data (which can be easily synchronized with Active Directory or Netware and who knows what else).<br />
<br />
So that is the difference between SSO (Single Sign On) and SSI (Single Sign In), but which one is for you? For most people, I would say that SSI is all that is needed. It's an inconvenience, but at least it's synchronized to a point: change your password in AD, etc. and it changes magically for Joomla! too. SSO is useful for those companies who have a lot of employees accessing a corporate intranet portal, as it absolves the users of having to sign in. These places are perhaps more likely to have the extra infrastructure required to fully leverage that platform, as well as the technical skills to implement it (LDAP SSO is by far the easiest for those using Netware/eDirectory; Kerberos SSO requires a lot of configuration for Linux servers).<br />
<br />
I hope that this has been informative and gives you a clue as to some of the things I work on behind the scenes. I hope to release the instructions required to set up and configure Kerberos SSO, and at present a Joomla! 1.5 version of the LDAP SSO bot for Novell eDirectory is available under the LDAP tools project. In addition I am presently working on a synchronization manager to mitigate the limitation of Joomla!'s requirement that users exist within the system to log in.<br />
<br />
Best of luck,<br />
Sam :)<br />
<br />
P.S. My logic behind placing the GMail plugin in the core is that it not only provides an example of how to develop this technology but also gives community sites a very useful tool that they can enable. Since the process proves that the email address is valid and the person has access to it, automatic user creation can be done seamlessly.<br />
<br />
Update: There is now a JAuthTools wiki with information about how to configure various LDAP implementations with Joomla!</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/TroubleshootingKerberos/Troubleshooting2010-07-06T05:19:27Z<p>Pasamio: /* Unknown responses */</p>
<hr />
<div>This page documents some solutions for common Kerberos issues. It isn't comprehensive but should give you a guide to what to look for when resolving them.<br />
<br />
= Known Errors and Resolutions =<br />
== kinit(v5): KRB5 error code 68 while getting initial credentials ==<br />
Wrong Kerberos domain: check that the Linux box is configured to use the right domain.<br />
<br />
<br />
== kinit(v5): Permission denied while getting initial credentials ==<br />
Check the permission on your keytab file to ensure that the process can get access to it appropriately.<br />
<br />
<br />
== Client not found in Kerberos database ==<br />
* kinit(v5): Client not found in Kerberos database while getting initial credentials<br />
* krb5_get_init_creds_password() failed: Client not found in Kerberos database<br />
Make sure that you're typing in the right name and that the server has the right name (double check the account tab of the user, especially the realm).<br />
<br />
<br />
== kinit(v5): Preauthentication failed while getting initial credentials ==<br />
Wrong password: use the right password. This may also occur with keys and a buggy version of ktpass.exe; some versions of ktpass.exe had issues generating keys (Windows 2003 SP1), so upgrading to the latest release should fix this (see [http://support.microsoft.com/kb/919557 Microsoft KB 919557]).<br />
<br />
<br />
== kinit(v5): Key table entry not found while getting initial credentials ==<br />
Regenerate the keytab file and make sure that the file is correct.<br />
<br />
<br />
== krb5_get_init_creds_password() failed: Clock skew too great ==<br />
* failed to verify krb5 credentials: Clock skew too great<br />
<br />
The time difference between the HTTP server and the Kerberos server is too great; alternatively this may indicate a client-side issue. Check that NTP is set up properly, using the KDC as the primary NTP server.<br />
<br />
<br />
== failed to verify krb5 credentials: Server not found in Kerberos database ==<br />
Check the default_realms to ensure there is a proper mapping; also check that the host/FQDN@REALM entry exists.<br />
<br />
<br />
== gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name) ==<br />
Check default_realms to ensure there is a domain mapping. Check the keytab file (klist -k /etc/krb5.keytab or similar) to ensure that the appropriate domain is present. Also ensure that your hostname is the FQDN of the machine.<br />
<br />
<br />
== gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt) ==<br />
Check that the site is in the local intranet domain for IE's security settings; most likely an NTLM token is being sent instead of a Kerberos one. See [http://support.microsoft.com/kb/303650 IE not correctly identifying sites in the intranet] to help resolve this issue.<br />
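To confirm which token the browser actually sent, decode the Authorization: Negotiate header: a raw NTLM message begins with the bytes NTLMSSP, and an SPNEGO token that lists NTLM before Kerberos as its first mechanism carries an NTLM payload. The Python below is an added example, not part of this wiki or of mod_auth_kerb; its sample headers are constructed with dummy payloads, so only the framing is real.<br />

```python
import base64
import binascii

# Byte signatures found at the start of the tokens browsers send (well-known constants).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # raw NTLM message; its base64 begins "TlRMTVNTUAAB"
OID_SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short-form length
        length, start = first, pos + 2
    else:                                              # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(buf):
        raise ValueError("DER element runs past the end of the token")
    return tag, start, start + length

def _spnego_mech_types(neg_token_init):
    """Walk [0] NegTokenInit / SEQUENCE / [0] mechTypes / SEQUENCE OF and return the OIDs listed."""
    pos, end = 0, len(neg_token_init)
    for expected_tag in (0xA0, 0x30, 0xA0, 0x30):
        if pos >= end or neg_token_init[pos] != expected_tag:
            return []
        _, pos, end = _tlv(neg_token_init, pos)
    oids = []
    while pos < end:
        tag, start, stop = _tlv(neg_token_init, pos)
        if tag != 0x06:
            break
        oids.append(neg_token_init[start:stop])
        pos = stop
    return oids

def classify_negotiate_token(authorization_header):
    """Name the kind of token in an 'Authorization: Negotiate <base64>' header.

    Only 'spnego-krb5' and 'krb5' are what a Kerberos-only Apache can accept; the
    other results (raw-ntlm, spnego-ntlm, ...) explain a 'token was invalid' error.
    """
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
        if raw.startswith(NTLMSSP_SIGNATURE):
            return "raw-ntlm"                          # NTLM with no GSS-API framing at all
        if raw[:1] == b"\xa1":
            return "spnego-response"                   # NegTokenResp: a later round of the exchange
        if raw[:1] != b"\x60":
            return "malformed"                         # not a GSS-API InitialContextToken
        _, start, end = _tlv(raw, 0)
        oid_tag, oid_start, oid_end = _tlv(raw, start)
        if oid_tag != 0x06:
            return "malformed"
        mech, inner = raw[oid_start:oid_end], raw[oid_end:end]
        if mech in (OID_KRB5, OID_MS_KRB5):
            return "krb5"                              # bare Kerberos token, no SPNEGO wrapper
        if mech != OID_SPNEGO:
            return "unknown-mech"
        mechs = _spnego_mech_types(inner)
        if not mechs:
            return "malformed"
        if mechs[0] == OID_NTLMSSP:
            return "spnego-ntlm"                       # NTLM offered first, so the mechToken is NTLM
        if mechs[0] in (OID_KRB5, OID_MS_KRB5):
            return "spnego-krb5"
        return "spnego-other"
    except (binascii.Error, ValueError, IndexError):
        return "malformed"

def _der(tag, body):
    """Encode one DER element; used only to build the constructed samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_spnego_init(mech_oids, mech_token):
    """Build a minimal SPNEGO NegTokenInit header around mech_token (constructed sample, not a real ticket)."""
    mech_types = _der(0x30, b"".join(_der(0x06, oid) for oid in mech_oids))
    body = _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token))   # mechTypes [0], mechToken [2]
    token = _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, body)))
    return "Negotiate " + base64.b64encode(token).decode("ascii")

# Constructed sample headers; the inner payloads are dummies, only the framing matters here.
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode("ascii")
SAMPLE_SPNEGO_NTLM = build_spnego_init([OID_NTLMSSP, OID_KRB5], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")
SAMPLE_SPNEGO_KRB5 = build_spnego_init([OID_MS_KRB5, OID_KRB5], b"\x60\x00")

if __name__ == "__main__":
    for label, header in (("raw NTLM", SAMPLE_RAW_NTLM), ("SPNEGO/NTLM", SAMPLE_SPNEGO_NTLM), ("SPNEGO/Kerberos", SAMPLE_SPNEGO_KRB5)):
        print(f"{label:16s} -> {classify_negotiate_token(header)}")
```

A header whose base64 starts with TlRMTVNTUAAB can be spotted in the Apache access log without decoding at all.<br />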
<br />
<br />
== gss_accept_sec_context() failed: Miscellaneous failure (Key version number for principal in key table is incorrect) ==<br />
The wrong key version is being used. Check the key on the server (kinit -k PRINCIPAL) and also restart any client to clear its local cache, or restart the server to clear its cache; kerbtray.exe can also delete old tickets. Also note that some versions of ktpass.exe had issues generating keys (Windows 2003 SP1), so upgrading to the latest release should fix this (see [http://support.microsoft.com/kb/919557 Microsoft KB 919557]).<br />
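The keytab, FQDN, key-version and clock-skew checks described in the sections above can be run as one preflight before reading the Apache error log. The Python below is an added example, not part of this wiki or of any Kerberos distribution; it parses constructed klist -k and kvno output, assumes mod_auth_kerb's default HTTP/ service principal alongside the host/ entry this page asks for, and uses MIT krb5's default 300-second clock skew tolerance.<br />

```python
import re
from datetime import datetime, timedelta, timezone

# Output formats of MIT `klist -k` and `kvno` (the constructed samples below follow them).
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")      # "   3 host/www.example.com@EXAMPLE.COM"
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)")          # "HTTP/www.example.com@EXAMPLE.COM: kvno = 3"
MAX_CLOCK_SKEW = timedelta(seconds=300)                  # MIT krb5 default clockskew (assumption: check krb5.conf)

def parse_klist_keytab(text):
    """Map principal -> kvno from `klist -k /etc/krb5.keytab` output (header lines do not match)."""
    return {m.group(2): int(m.group(1)) for m in map(KLIST_ENTRY.match, text.splitlines()) if m}

def parse_kvno(text):
    """Map principal -> kvno the KDC currently holds, from `kvno PRINCIPAL ...` output."""
    return {m.group(1): int(m.group(2)) for m in map(KVNO_LINE.match, text.splitlines()) if m}

def preflight(klist_text, kvno_text, hostname, realm, server_time, kdc_time, service="HTTP"):
    """Return findings, each naming the kinit/mod_auth_kerb error from this page it would cause."""
    findings = []
    if "." not in hostname:     # the server looks for <service>/<fqdn>; a short hostname never matches
        findings.append(f"hostname {hostname!r} is not an FQDN -> 'No principal in keytab matches desired name'")
    keytab, kdc = parse_klist_keytab(klist_text), parse_kvno(kvno_text)
    # host/ is the entry this page asks for; HTTP/ is mod_auth_kerb's default service name (assumption).
    for principal in (f"host/{hostname}@{realm}", f"{service}/{hostname}@{realm}"):
        if principal not in keytab:
            findings.append(f"{principal} missing from keytab -> 'No principal in keytab matches desired name'")
        elif principal in kdc and kdc[principal] != keytab[principal]:
            findings.append(f"{principal}: keytab kvno {keytab[principal]}, KDC kvno {kdc[principal]} "
                            "-> 'Key version number for principal in key table is incorrect'")
    skew = abs(server_time - kdc_time)
    if skew > MAX_CLOCK_SKEW:    # fix: point NTP at the KDC, as the page advises
        findings.append(f"clock skew {int(skew.total_seconds())}s exceeds {int(MAX_CLOCK_SKEW.total_seconds())}s "
                        "-> 'Clock skew too great'")
    return findings

# Constructed samples: keytab regenerated for host/ (kvno 3) but HTTP/ still carries the old key (kvno 2).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/www.example.com@EXAMPLE.COM
   2 HTTP/www.example.com@EXAMPLE.COM
"""
SAMPLE_KVNO = """host/www.example.com@EXAMPLE.COM: kvno = 3
HTTP/www.example.com@EXAMPLE.COM: kvno = 3
"""
KDC_TIME = datetime(2010, 7, 6, 5, 19, 27, tzinfo=timezone.utc)
SKEWED_SERVER_TIME = KDC_TIME + timedelta(minutes=10)    # web server clock 600 s ahead of the KDC

if __name__ == "__main__":
    for finding in preflight(SAMPLE_KLIST, SAMPLE_KVNO, "www.example.com", "EXAMPLE.COM", SKEWED_SERVER_TIME, KDC_TIME):
        print(finding)
```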
<br />
<br />
== Issues with mapuser ==<br />
AD may or may not have had time to replicate the user to all DCs. Ensure that the DC you're querying is the same one on which you created the user, to avoid this as much as possible.<br />
<br />
<br />
== IE prompts for a password on each access ==<br />
From [http://msdn.microsoft.com/en-us/library/ms998358.aspx Windows Authentication and ASP.Net]:<br />
''Internet Explorer security settings must be configured to enable Integrated Windows authentication. By default, Integrated Windows authentication is not enabled in Internet Explorer 6. To enable the browser to respond to a negotiate challenge and perform Kerberos authentication, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser.''<br />
<br />
Alternatively this may be an issue with the site not being in the intranet zone. IE won't send authentication details automatically to sites that aren't located within the intranet zone. See [http://support.microsoft.com/kb/303650 IE not correctly identifying sites in the intranet] for more information.<br />
<br />
<br />
= Unknown responses =<br />
== krb5_get_init_creds_password() failed: KDC reply did not match expectations ==<br />
See http://mailman.mit.edu/pipermail/kerberos/2007-November/012585.html<br />
<br />
== Specified realm `OTHER.REALM.NAME' not allowed by configuration ==<br />
A realm other than the one permitted by the server's configuration is trying to authenticate against the server. This could point to a mismatch between the server's configured realm and the actual realm of the user, or to there being multiple realms available with only one configured.<br />
<br />
== KDC has no support for encryption type ==<br />
This indicates that the KDC does not accept the encryption types being used. If you're not using the MIT implementation (e.g. Heimdal), see if switching to MIT works.<br />
<br />
[[Category:Kerberos]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/KerberosKerberos2010-02-14T00:06:56Z<p>Pasamio: /* IIS */</p>
<hr />
<div>Kerberos is a ticket-based mutual authentication protocol developed by MIT and is considered a standard authentication system for most services, computers and users. Kerberos is implemented as the main form of authentication in Microsoft's Active Directory system, and eDirectory also provides Kerberos functionality.<br />
<br />
==Kerberos Guides==<br />
*[[Kerberos/Configuring Apache To Authenticate PHP Documents|Configuring Apache To Authenticate PHP Documents]]<br />
*[[Kerberos/Kerberos and SLES9|Kerberos and SLES9]]<br />
*[[Kerberos/Kerberos and Debian|Kerberos and Debian]]<br />
*[[Kerberos/Troubleshooting|Kerberos Troubleshooting]]<br />
*[[Kerberos/Browser Support|Browser Support]]<br />
<br />
==Other Resources==<br />
These are alternate resources that may be useful in setting up Kerberos, mostly aimed at Apache.<br />
<br />
=== Web browsers ===<br />
* [http://grolmsnet.de/kerbtut/firefox.html Kerberos and Firefox]<br />
<br />
=== IIS ===<br />
* [http://en.wikipedia.org/wiki/Integrated_Windows_Authentication Integrated Windows Authentication] (Wikipedia)<br />
* [http://support.microsoft.com/kb/324274 IIS Web site authentication in Windows Server 2003] (Look for "Integrated Windows Authentication")<br />
* [http://support.microsoft.com/kb/303650 IE not correctly identifying sites in the intranet] (This can cause token errors in Apache)<br />
* [http://msdn.microsoft.com/en-us/library/ms998358.aspx Enabling Integrated Windows Authentication in IE] (Required to avoid password prompts)<br />
* [http://technet.microsoft.com/en-us/library/cc733010(WS.10).aspx Configuration Authentication in IIS7]<br />
<br />
=== Kerberos and Apache guides ===<br />
*[http://www.grolmsnet.de/kerbtut/ Tutorial: Using mod_auth_kerb with Windows 2000/2003 as KDC] (This is one of the original tutorials that I followed in the SLES9 build)<br />
*[http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/ Kerberos based SSO with Apache]<br />
*[http://sl.mvps.org/docs/LinuxApacheKerberosAD.htm Configure Apache on Linux for Kerberos Authentication]<br />
*[http://michele.pupazzo.org/diary/?p=460 Active Directory and Apache Kerberos authentication] (Debian using the Samba approach)<br />
<br />
=== Kerberos Troubleshooting ===<br />
*[http://support.microsoft.com/kb/230476 Common Kerberos related errors in Windows 2000] (Microsoft Knowledge Base Article)<br />
*[http://support.microsoft.com/kb/919557 Preauthentication errors with keys and Windows 2003 SP1] (also related to key version number issues)<br />
*[http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/d0229b5e69414a3/298a3436829fb172?lnk=gst&q=windows+2003&rnum=46&utoken=sr-PmzkAAAAcKcOjbwnhHQIzo1cF4IQzLkPNKwi-0NO8rAWVaHL63pBI8ofuZidr1hIm37QuoNLMFfYmITmO1nk4CbSXWulr&pli=1 Google Groups thread on comp.protocols.kerberos about issues with Windows 2003 SP1 and ktpass.exe]<br />
*[http://www.openafs.org/pipermail/openafs-info/2007-January/025039.html OpenAFS: Windows 2003 Service Keys Info] (has some AFS related notes but a lot of useful information)<br />
*[http://www.ncsa.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html UNIX Kerberos Troubleshooting Guide] (has some useful information and hints)<br />
<br />
=== Scott Lowe on Kerberos ===<br />
This man has lots of really useful Kerberos related goodies and each page has useful comments that can help you out with a multitude of little issues. Some of it covers more than just Kerberos and moves into what you need to do to get Linux to play nicely, but lots of the information is useful even if only in part.<br />
*[http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/ Complete Linux AD Authentication Details] (Windows 2000 and Windows 2003 pre-R2)<br />
*[http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/ Linux AD Integration] (Windows 2003 R2+)<br />
*[http://blog.scottlowe.org/2006/08/21/more-on-kerberos-authentication-against-active-directory/ More on Kerberos Authentication against Active Directory]<br />
*[http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/ ESX integration with Active Directory]<br />
<br />
<br />
[[Category:Kerberos]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/Browser_SupportKerberos/Browser Support2009-09-17T05:09:54Z<p>Pasamio: /* Internet Explorer */</p>
<hr />
<div>Most browsers have no issues; this page documents issues with specific browsers. Failed browsers typically revert to Basic authentication and challenge the user for a password. A browser may have failed due to configuration issues; where possible this variable has been removed. Where possible all testing is done in the same environment but potentially on different machines, though this may not hold true for all platforms.<br />
<br />
=== Internet Explorer ===<br />
Internet Explorer has its ups and its downs. Some versions of IE will work perfectly yet others may not. <br />
<br />
Tested working browsers:<br />
* Internet Explorer 7.0.5730.13 on Windows XP SP2<br />
* Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.080814-1233 on Windows XP SP2<br />
* Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 on Windows XP SP2<br />
* Internet Explorer 7.0.6001.18000 on Windows Vista SP1 <br />
<br />
Tested failed browsers:<br />
* Internet Explorer 7.0.5730.13 on Windows XP SP2 (possible configuration error)<br />
* Internet Explorer 6.0.3790.3959 on Windows Server 2003 SP2 Standard Edition<br />
<br />
<br />
Possible conflicting factors:<br />
* Novell client software seems to modify systems and cause issues of its own. The test environment for IE is a shared AD/Novell environment (joined by Novell IDM).<br />
<br />
<br />
Other notes:<br />
* In one of my test non-domain-joined virtual machines I installed IE7 and received an error about intranet settings being turned off; however, when I looked at the particular area they were on. Enabling them from the information bar had the effect that "automatically detect intranet network" was unticked though the three child options were ticked.<br />
<br />
Text below copyright Microsoft Corporation. Used under fair use provisions for education purposes.<br />
<br />
* ''Intranet settings are now disabled in Internet Explorer by default. Click for more options.'' information bar notice <br /><br />
Internet Explorer detected an intranet webpage address, but intranet address checking is not on. Click the Information bar for more information or see What do I need to know about intranet security settings? <br /><br />
If you are connected to an intranet but receive an Information bar notice that an intranet address has been detected, it means that Internet Explorer did not automatically detect your intranet. To tell Internet Explorer that you are on an intranet, follow the steps in the section above.<br />
<br />
==== Do I need to set anything in Internet Explorer to have intranet security? ====<br />
Not usually. When you first install Internet Explorer, it will check to see if you are on an intranet and set address checking appropriately. Your network administrator can also control whether Internet Explorer uses the intranet security zone settings. If Internet Explorer recognizes that you are on an intranet, you do not need to do anything else. If it does not recognize that you're on an intranet, follow these steps to tell Internet Explorer that you are on one:<br />
<br />
'''To tell Internet Explorer that you are on an intranet'''<br />
<br />
In Internet Explorer, click the '''Tools''' button, and then click '''Internet Options'''. <br />
Click the Security tab, and then click '''Local intranet'''. <br />
Click the '''Sites''' button. <br />
In the '''Local intranet''' dialog box, clear the '''Automatically detect intranet network''' check box, if it is selected. <br />
Select all other check boxes, and then click '''OK''' twice.<br />
<br />
=== Firefox ===<br />
Assuming that you have Kerberos set up on your client (e.g. Windows machine joined to the domain, Linux or Mac OS X box set up to obtain a Kerberos ticket) all you should need to do is set "network.negotiate-auth.trusted-uris" to the name of your web server. With this it should work.<br />
<br />
Tested working browsers:<br />
* Firefox 3.0.1 on Windows XP SP2<br />
* Firefox 3.0.2 on Mac OS X 10.4<br />
* Firefox 3.0.x on Mac OS X 10.5<br />
Tested failed browsers:<br />
* Firefox 2.0.0.2 on SuSE Linux 10<br />
<br />
<br />
=== Safari === <br />
Safari has no configuration option: if it's working at the lower levels it 'just works', and if not then you've got to dig through the lower levels to work out what is wrong. This applies to both Windows and Mac versions.<br />
<br />
When Kerberos is working properly on your Mac and everything is set up appropriately, Safari will automatically authenticate the user using Digest authentication. Keep in mind that you might need to set up DNS names that the realm is also responsible for to ensure that it works properly. Kerberos with Safari occurs at the CFNetwork layer, which can make debugging a bit hard. The Kerberos ticket was acquired using the Kerberos utility manually (/System/Library/CoreServices/Kerberos). The Mac OS X 10.4 testing was completed with the Microsoft Active Directory integration enabled on the Mac (e.g. joined to the domain). Safari appears to have issues with sites that are not on the same DNS domain as the Kerberos domain, whilst Firefox doesn't appear to exhibit this behaviour on the same .<br />
<br />
In limited testing Safari on Windows seems to send an NTLM token in response to the authentication request, which when using mod_auth_kerb results in an error. Testing was done on a stock Windows 2003 install with the exception of the installation of Windows Installer 3.1 to allow Safari to install. In extended testing in a different environment, Safari appeared to handle Kerberos style authentication fine in some situations but failed in others (typically where NTLM was required for Firefox to automatically work).<br />
<br />
Tested working browsers:<br />
* Safari 3.0.4 on Mac OS X 10.4<br />
* Safari 3.0.x on Mac OS X 10.5<br />
* Safari 3.2.1 on Windows XP SP2 (using IIS server)<br />
<br />
Known issues:<br />
* Websites not sharing their DNS name in the domain will fail to work in some cases (10.4)<br />
<br />
=== Google Chrome ===<br />
Google Chrome seems to ignore the Kerberos ticket and directly prompts with a password dialogue when challenged. Testing was done on a stock Windows 2003 install with the exception of the installation of Windows Installer 3.1 to allow Safari to install. Further testing on XP SP2 against Microsoft IIS servers appears to confirm that Chrome is incapable of handling either NTLM or Kerberos authentication.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/Browser_SupportKerberos/Browser Support2009-09-17T05:08:06Z<p>Pasamio: /* Internet Explorer */</p>
<hr />
<div>Most browsers have no issues; this page documents issues with specific browsers. Failed browsers typically revert to Basic authentication and challenge the user for a password. A browser may have failed due to configuration issues; where possible this variable has been removed. Where possible all testing is done in the same environment but potentially on different machines, though this may not hold true for all platforms.<br />
<br />
=== Internet Explorer ===<br />
Internet Explorer has its ups and its downs. Some versions of IE will work perfectly yet others may not. <br />
<br />
Tested working browsers:<br />
* Internet Explorer 7.0.5730.13 on Windows XP SP2<br />
* Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.080814-1233 on Windows XP SP2<br />
* Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 on Windows XP SP2<br />
* Internet Explorer 7.0.6001.18000 on Windows Vista SP1 <br />
<br />
Tested failed browsers:<br />
* Internet Explorer 7.0.5730.13 on Windows XP SP2 (possible configuration error)<br />
* Internet Explorer 6.0.3790.3959 on Windows Server 2003 SP2 Standard Edition<br />
<br />
<br />
Possible conflicting factors:<br />
* Novell client software seems to modify systems and cause issues of its own. The test environment for IE is a shared AD/Novell environment (joined by Novell IDM).<br />
<br />
<br />
Other notes:<br />
* In one of my test non-domain-joined virtual machines I installed IE7 and received an error about intranet settings being turned off; however, when I looked at the particular area they were on. Go figure.<br />
<br />
Text below copyright Microsoft Corporation. Used under fair use provisions for education purposes.<br />
<br />
* ''Intranet settings are now disabled in Internet Explorer by default. Click for more options.'' information bar notice <br /><br />
Internet Explorer detected an intranet webpage address, but intranet address checking is not on. Click the Information bar for more information or see What do I need to know about intranet security settings? <br /><br />
If you are connected to an intranet but receive an Information bar notice that an intranet address has been detected, it means that Internet Explorer did not automatically detect your intranet. To tell Internet Explorer that you are on an intranet, follow the steps in the section above.<br />
<br />
==== Do I need to set anything in Internet Explorer to have intranet security? ====<br />
Not usually. When you first install Internet Explorer, it will check to see if you are on an intranet and set address checking appropriately. Your network administrator can also control whether Internet Explorer uses the intranet security zone settings. If Internet Explorer recognizes that you are on an intranet, you do not need to do anything else. If it does not recognize that you're on an intranet, follow these steps to tell Internet Explorer that you are on one:<br />
<br />
'''To tell Internet Explorer that you are on an intranet'''<br />
<br />
In Internet Explorer, click the '''Tools''' button, and then click '''Internet Options'''. <br />
Click the Security tab, and then click '''Local intranet'''. <br />
Click the '''Sites''' button. <br />
In the '''Local intranet''' dialog box, clear the '''Automatically detect intranet network''' check box, if it is selected. <br />
Select all other check boxes, and then click '''OK''' twice.<br />
<br />
=== Firefox ===<br />
Assuming that you have Kerberos set up on your client (e.g. Windows machine joined to the domain, Linux or Mac OS X box set up to obtain a Kerberos ticket) all you should need to do is set "network.negotiate-auth.trusted-uris" to the name of your web server. With this it should work.<br />
<br />
Tested working browsers:<br />
* Firefox 3.0.1 on Windows XP SP2<br />
* Firefox 3.0.2 on Mac OS X 10.4<br />
* Firefox 3.0.x on Mac OS X 10.5<br />
Tested failed browsers:<br />
* Firefox 2.0.0.2 on SuSE Linux 10<br />
<br />
<br />
=== Safari === <br />
Safari has no configuration option: if Kerberos is working at the lower levels it 'just works', and if not you have to dig through those lower levels to work out what is wrong. This applies to both the Windows and Mac versions. <br />
<br />
When Kerberos is working properly on your Mac and everything is set up appropriately, Safari will automatically authenticate the user using Digest authentication. Keep in mind that you might need to set up DNS names that the realm is also responsible for to ensure that it works properly. Kerberos with Safari occurs at the CFNetwork layer, which can make debugging a bit hard. The Kerberos ticket was acquired manually using the Kerberos utility (/System/Library/CoreServices/Kerberos). The Mac OS X 10.4 testing was completed with the Microsoft Active Directory integration enabled on the Mac (i.e. joined to the domain). Safari appears to have issues with sites that are not on the same DNS domain as the Kerberos domain, whilst Firefox doesn't appear to exhibit this behaviour.<br />
<br />
In limited testing Safari on Windows seems to send an NTLM token in response to the authentication request, which when using mod_auth_kerb results in an error. Testing was done on a stock Windows 2003 install with the exception of the installation of Windows Installer 3.1 to allow Safari to install. In extended testing in a different environment, Safari appeared to handle Kerberos style authentication fine in some situations but failed in others (typically where NTLM was required for Firefox to automatically work).<br />
<br />
Tested working browsers:<br />
* Safari 3.0.4 on Mac OS X 10.4<br />
* Safari 3.0.x on Mac OS X 10.5<br />
* Safari 3.2.1 on Windows XP SP2 (using IIS server)<br />
<br />
Known issues:<br />
* Websites not sharing their DNS name in the domain will fail to work in some cases (10.4)<br />
<br />
=== Google Chrome ===<br />
Google Chrome seems to ignore the Kerberos ticket and directly prompts with a password dialogue when challenged. Testing was done on a stock Windows 2003 install with the exception of the installation of Windows Installer 3.1 to allow Safari to install. Further testing on XP SP2 against Microsoft IIS servers appears to confirm that Chrome is incapable of handling either NTLM or Kerberos authentication.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/Browser_SupportKerberos/Browser Support2009-09-17T05:05:05Z<p>Pasamio: /* Internet Explorer */</p>
<hr />
<div>Most browsers have no issues; this page documents issues with specific browsers. Failed browsers typically revert to Basic authentication and challenge the user for a password. A browser may have failed due to configuration issues; where possible this variable has been removed. Where possible all testing is done in the same environment but potentially on different machines, though this may not hold true for all platforms.<br />
<br />
=== Internet Explorer ===<br />
Internet Explorer has its ups and its downs. Some versions of IE will work perfectly yet others may not. <br />
<br />
Tested working versions: <br />
* Internet Explorer 7.0.5730.13 on Windows XP SP2<br />
* Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.080814-1233 on Windows XP SP2<br />
* Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 on Windows XP SP2<br />
* Internet Explorer 7.0.6001.18000 on Windows Vista SP1 <br />
<br />
Tested failed browsers:<br />
* Internet Explorer 7.0.5730.13 on Windows XP SP2 (possible configuration error)<br />
* Internet Explorer 6.0.3790.3959 on Windows Server 2003 SP2 Standard Edition<br />
<br />
<br />
Possible conflicting factors:<br />
* Novell client software seems to modify systems and cause issues of its own. The test environment for IE is a shared AD/Novell environment (joined by Novell IDM).<br />
<br />
<br />
'''Other Notes'''<br />
* ''Intranet settings are now disabled in Internet Explorer by default. Click for more options.'' information bar notice <br /><br />
Internet Explorer detected an intranet webpage address, but intranet address checking is not on. Click the Information bar for more information or see What do I need to know about intranet security settings? <br /><br />
If you are connected to an intranet but receive an Information bar notice that an intranet address has been detected, it means that Internet Explorer did not automatically detect your intranet. To tell Internet Explorer that you are on an intranet, follow the steps in the section above.<br />
<br />
==== Do I need to set anything in Internet Explorer to have intranet security? ====<br />
Not usually. When you first install Internet Explorer, it will check to see if you are on an intranet and set address checking appropriately. Your network administrator can also control whether Internet Explorer uses the intranet security zone settings. If Internet Explorer recognizes that you are on an intranet, you do not need to do anything else. If it does not recognize that you're on an intranet, follow these steps to tell Internet Explorer that you are on one:<br />
<br />
'''To tell Internet Explorer that you are on an intranet'''<br />
<br />
In Internet Explorer, click the '''Tools''' button, and then click '''Internet Options'''. <br />
Click the Security tab, and then click '''Local intranet'''. <br />
Click the '''Sites''' button. <br />
In the '''Local intranet''' dialog box, clear the '''Automatically detect intranet network''' check box, if it is selected. <br />
Select all other check boxes, and then click '''OK''' twice.<br />
<br />
=== Firefox ===<br />
Assuming that you have Kerberos set up on your client (e.g. Windows machine joined to the domain, Linux or Mac OS X box set up to obtain a Kerberos ticket) all you should need to do is set "network.negotiate-auth.trusted-uris" to the name of your web server. With this it should work.<br />
<br />
Tested working browsers:<br />
* Firefox 3.0.1 on Windows XP SP2<br />
* Firefox 3.0.2 on Mac OS X 10.4<br />
* Firefox 3.0.x on Mac OS X 10.5<br />
Tested failed browsers:<br />
* Firefox 2.0.0.2 on SuSE Linux 10<br />
<br />
<br />
=== Safari === <br />
Safari has no configuration option: if Kerberos is working at the lower levels it 'just works', and if not you have to dig through those lower levels to work out what is wrong. This applies to both the Windows and Mac versions. <br />
<br />
When Kerberos is working properly on your Mac and everything is set up appropriately, Safari will automatically authenticate the user using Digest authentication. Keep in mind that you might need to set up DNS names that the realm is also responsible for to ensure that it works properly. Kerberos with Safari occurs at the CFNetwork layer, which can make debugging a bit hard. The Kerberos ticket was acquired manually using the Kerberos utility (/System/Library/CoreServices/Kerberos). The Mac OS X 10.4 testing was completed with the Microsoft Active Directory integration enabled on the Mac (i.e. joined to the domain). Safari appears to have issues with sites that are not on the same DNS domain as the Kerberos domain, whilst Firefox doesn't appear to exhibit this behaviour.<br />
<br />
In limited testing Safari on Windows seems to send an NTLM token in response to the authentication request, which when using mod_auth_kerb results in an error. Testing was done on a stock Windows 2003 install with the exception of the installation of Windows Installer 3.1 to allow Safari to install. In extended testing in a different environment, Safari appeared to handle Kerberos style authentication fine in some situations but failed in others (typically where NTLM was required for Firefox to automatically work).<br />
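What the Safari-on-Windows and Chrome observations on this page come down to is what the browser actually puts in its Authorization header once it is challenged with Negotiate. The following is an added example, not code from the original page or from JAuthTools, that decodes such a header value the way an administrator reading Apache or IIS request logs would want to: it reports whether the client sent a SPNEGO token (and which mechanisms it offered), a bare NTLMSSP message (which mod_auth_kerb cannot consume), a raw Kerberos token, or fell back to Basic. The mechanism OIDs are the standard GSS-API values; the sample header values are constructed inside the block, not captured traffic.

```python
import base64
import binascii

OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # prefix of every raw NTLM message
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "ms-kerberos", OID_NTLMSSP: "ntlm"}

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n >= 0x80:                                     # long form: count byte then length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, n]) + content

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at pos; IndexError if truncated."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:                                     # long form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def oid_to_str(oid):
    """Dotted notation for DER OID content bytes."""
    arcs, value = [str(oid[0] // 40), str(oid[0] % 40)], 0
    for b in oid[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def spnego_mech_types(neg_token):
    """mechTypes OIDs of a SPNEGO negTokenInit, or [] if the token is not one."""
    content = neg_token
    for want in (0xA0, 0x30, 0xA0, 0x30):           # [0] negTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
        tag, content, _ = read_tlv(content)
        if tag != want:
            return []
    oids, pos = [], 0
    while pos < len(content):
        tag, oid, pos = read_tlv(content, pos)
        if tag == 0x06:
            oids.append(bytes(oid))
    return oids

def classify_authorization(header):
    """Classify one Authorization header value: scheme, mechanism and offered mechanisms."""
    scheme, _, blob = header.strip().partition(" ")
    scheme = scheme.lower()
    result = {"scheme": scheme, "mech": None, "offered": []}
    if scheme not in ("negotiate", "ntlm"):
        result["mech"] = "basic" if scheme == "basic" else "unsupported-scheme"
        return result
    try:
        token = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        result["mech"] = "undecodable"
        return result
    if token.startswith(NTLMSSP_SIGNATURE):
        result["mech"] = "raw-ntlm"                   # bare NTLMSSP message, not GSS-API wrapped
        return result
    try:
        tag, body, _ = read_tlv(token)                # InitialContextToken is [APPLICATION 0] = 0x60
        mech_tag, mech_oid, rest = read_tlv(body)
        if tag != 0x60 or mech_tag != 0x06:
            raise ValueError("not a GSS-API initial context token")
        mech_oid = bytes(mech_oid)
        if mech_oid == OID_SPNEGO:
            result["mech"] = "spnego"
            result["offered"] = [MECH_NAMES.get(o, oid_to_str(o)) for o in spnego_mech_types(body[rest:])]
        else:
            result["mech"] = MECH_NAMES.get(mech_oid, "unknown-" + oid_to_str(mech_oid))
    except (IndexError, ValueError):
        result["mech"] = "malformed"
    return result

def build_spnego_init(mech_oids):
    """Constructed negTokenInit carrying only a mechTypes list (enough for classification)."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, der(0xA0, mech_list))))

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample header values, not captured traffic.
SAMPLE_HEADERS = {
    "spnego-kerberos": "Negotiate " + b64(build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])),
    "spnego-ntlm-only": "Negotiate " + b64(build_spnego_init([OID_NTLMSSP])),
    "raw-kerberos": "Negotiate " + b64(der(0x60, der(0x06, OID_KRB5) + b"\x01\x00" + b"\x00" * 8)),
    "raw-ntlm": "Negotiate " + b64(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16),
    "basic-fallback": "Basic " + b64(b"alice:placeholder-password"),
}

def classify_samples():
    return {name: classify_authorization(value) for name, value in SAMPLE_HEADERS.items()}
```

Run against a real log this means feeding in the Authorization value of the first request that failed: a Negotiate header whose only offered mechanism is ntlm is the signature of a client with no usable ticket, and a raw NTLMSSP message is exactly what mod_auth_kerb rejects.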
<br />
Tested working browsers:<br />
* Safari 3.0.4 on Mac OS X 10.4<br />
* Safari 3.0.x on Mac OS X 10.5<br />
* Safari 3.2.1 on Windows XP SP2 (using IIS server)<br />
<br />
Known issues:<br />
* Websites not sharing their DNS name in the domain will fail to work in some cases (10.4)<br />
<br />
=== Google Chrome ===<br />
Google Chrome seems to ignore the Kerberos ticket and directly prompts with a password dialogue when challenged. Testing was done on a stock Windows 2003 install with the exception of the installation of Windows Installer 3.1 to allow Safari to install. Further testing on XP SP2 against Microsoft IIS servers appears to confirm that Chrome is incapable of handling either NTLM or Kerberos authentication.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/SSOSSO2009-08-15T14:03:30Z<p>Pasamio: </p>
<hr />
<div>The Single Sign On project is an attempt to provide a unified user login and authentication event for web based clients within a corporate infrastructure. SSO contains tools for automating this and providing a simple framework for integrating this into the Joomla! framework (both 1.0.x and 1.5.x).<br />
<br />
This project incorporates the following major SSO systems:<br />
* [[SSO/eDirectory|eDirectory]] IP based Lookup<br />
* Server Level [[SSO/HTTP|HTTP Based Authentication]]<br />
* [[SSO/IP|IP Based Authentication]]<br />
* Intersite [[SSO/SOAP|SOAP SSO]] enables Joomla! sites (1.0 and 1.5) to share users<br />
<br />
Additionally to support SSO, [[User Sources]] are used to populate information and create users.<br />
<br />
[[Category:SSO]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/SSOSSO2009-08-15T14:02:59Z<p>Pasamio: </p>
<hr />
<div>The Single Sign On project is an attempt to provide a unified user login and authentication event for web based clients within a corporate infrastructure. SSO contains tools for automating this and providing a simple framework for integrating this into the Joomla! framework (both 1.0.x and 1.5.x).<br />
<br />
This project incorporates the following major SSO systems:<br />
* [[SSO/eDirectory|eDirectory]] IP based Lookup<br />
* Server Level [[SSO/HTTP|HTTP Based Authentication]]<br />
* [[SSO/IP|IP Based Authentication]]<br />
* Intersite [[SSO/SOAP|SOAP SSO]] enables Joomla! sites (1.0 and 1.5) to share users<br />
<br />
Additionally to support SSO, [[User Sources]] are used to populate information and create users.<br />
<br />
[[Category:SSO]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/SSO/IPSSO/IP2009-08-15T13:57:09Z<p>Pasamio: </p>
<hr />
<div>The SSO - IP plugin is an SSO plugin designed to authenticate users based on their IP address. This is usually not the best way of authenticating a user; however, organisations such as universities often rely on this form of authentication.<br />
<br />
Prior to 1.5.5, the only way of configuring this plugin was a list of IP addresses and a single username. JAuthTools 1.5.5 added the ability for the plugin to use a table. This table is noted below:<br />
<pre><br />
CREATE TABLE `#__jauthtools_ipmap` (<br />
`id` int(10) unsigned NOT NULL auto_increment,<br />
`entry` varchar(40) NOT NULL,<br />
`username` varchar(150) NOT NULL,<br />
`description` varchar(255) NOT NULL,<br />
PRIMARY KEY (`id`)<br />
) ENGINE=MyISAM DEFAULT CHARSET=utf8;<br />
</pre><br />
<br />
When you run this code against your server, replace #__ with your Joomla! prefix (typically jos_).<br />
<br />
At this point in time the table needs to be created manually, as the plugin has no means of creating it itself. Additionally there is presently no editing tool for the table; however, if you have the "Table Editor" from the Advanced Tools package installed, you can install a table editor table definition.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/SSO/IPSSO/IP2009-08-15T13:56:01Z<p>Pasamio: New page: The SSO - IP plugin is a SSO plugin designed to authenticate users based on their IP address. This is usually not the best way of authenticating a user however organisations such as univer...</p>
<hr />
<div>The SSO - IP plugin is an SSO plugin designed to authenticate users based on their IP address. This is usually not the best way of authenticating a user; however, organisations such as universities often rely on this form of authentication.<br />
<br />
Prior to 1.5.5, the only way of configuring this plugin was a list of IP addresses and a single username. JAuthTools 1.5.5 added the ability for the plugin to use a table. This table is noted below:<br />
<pre><br />
CREATE TABLE `#__jauthtools_ipmap` (<br />
`id` int(10) unsigned NOT NULL auto_increment,<br />
`entry` varchar(40) NOT NULL,<br />
`username` varchar(150) NOT NULL,<br />
`description` varchar(255) NOT NULL,<br />
PRIMARY KEY (`id`)<br />
) ENGINE=MyISAM DEFAULT CHARSET=utf8;<br />
</pre><br />
<br />
When you run this code against your server, replace #__ with your Joomla! prefix (typically jos_).<br />
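The IP-to-username mapping is only as safe as the address it matches on, and the page itself notes that this is not the best way to authenticate a user. As an added example (not part of the original page or of the plugin), the following loads rows shaped like the table above, matches a client address against them with the most specific entry winning, and shows why X-Forwarded-For must be ignored unless the connecting peer is a trusted reverse proxy. The page does not define the syntax of the entry column; the example assumes a single address or a CIDR network, either of which the 40-character column can hold for IPv4 and IPv6. All rows, addresses and the trusted proxy address are constructed.

```python
import ipaddress

# Constructed rows in the shape of #__jauthtools_ipmap: (id, entry, username, description).
# Entry syntax (single address or CIDR network) is an assumption; the page does not define it.
IPMAP_ROWS = [
    (1, "10.0.0.0/8", "campus-guest", "whole campus range"),
    (2, "10.20.30.0/24", "library-kiosk", "library reading room"),
    (3, "10.20.30.42", "librarian", "front desk workstation"),
    (4, "2001:db8:1::/48", "lab-ipv6", "IPv6 lab range"),
    (5, "not-an-address", "broken", "malformed entry, dropped on load"),
]


def load_ipmap(rows):
    """Parse entries into networks, most specific first; malformed rows are dropped."""
    networks = []
    for row_id, entry, username, _description in rows:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue                          # a bad row must never grant anyone access
        networks.append((net, username, row_id))
    networks.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return networks


def lookup_username(ipmap, client_ip):
    """Return the username mapped to client_ip, or None when nothing matches."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    for net, username, _row_id in ipmap:
        if addr.version == net.version and addr in net:
            return username
    return None


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Choose the address to match on.

    X-Forwarded-For is client-controlled unless it was appended by a reverse
    proxy we trust, so it is honoured only when the TCP peer is such a proxy;
    with a single trusted proxy the address it appended is the last element.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    return x_forwarded_for.split(",")[-1].strip()


def lookup_sample(client_ip, x_forwarded_for="", trusted_proxies=frozenset({"198.51.100.1"})):
    """Resolve and look up one request against the constructed map."""
    ipmap = load_ipmap(IPMAP_ROWS)
    return lookup_username(ipmap, resolve_client_ip(client_ip, x_forwarded_for, trusted_proxies))
```

Longest-prefix ordering is what makes a single workstation entry override the range it sits in, and the malformed row is skipped rather than treated as a wildcard, so a typo in the table fails closed.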
<br />
At this point in time the table needs to be created manually, as the plugin has no means of creating it itself. Additionally there is presently no editing tool for the table; however, if you have the "Table Editor" from the Advanced Tools package installed, you can install a table editor table definition.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/MSAD_QuirksMSAD Quirks2009-08-11T14:43:34Z<p>Pasamio: /* Related Links */</p>
<hr />
<div>Microsoft Active Directory is an "almost" compliant implementation of LDAP complete with quirks and pitfalls that have caught even the most advanced Active Directory administrator. Whilst Microsoft makes integrating look easy with its partners, the truth of the matter is often a lot more complicated. This page documents all sorts of strange quirks with Active Directory that might catch some people.<br />
<br />
=Usernames=<br />
Active Directory doesn't have just one username, it has ''three'' potentially different usernames. They are represented in the LDAP view of Active Directory as the following attributes:<br />
* CN - Common Name (this is the name that appears in the listing of users in Active Directory Users and Computers)<br />
* sAMAccountName - This is the pre-2k name, sans the domain part (e.g. DOMAIN\)<br />
* userPrincipalName - The user principal name (UPN) is the post-2k name, and is in the form username@sitename<br />
<br />
Of the three, the CN is the one used when connecting via LDAP to form the DN of the user. For all intents and purposes the Organisational Unit structures of Active Directory are simply views on users. The sAMAccountName and userPrincipalName attributes must also be unique within the forest (yes, it would appear Microsoft lets you create duplicates even though they say it will break things). The CN, when joined into its DN, is the only identifier that retains the Organisational Unit (OU) information. Because of this it only needs to be unique within the container it is in, not across the entire forest like the other two user names.<br />
<br />
=Case sensitive=<br />
Active Directory is case sensitive. For everything. Including user names and distinguished names (DN).<br />
<br />
=DN Syntax=<br />
Active Directory Distinguished Names follow this format:<br />
* DC=site,DC=name,DC=com<br />
Where your site name is '''site.name.com'''<br />
<br />
There are some interesting side effects of the way Active Directory names its container structures. Under the first layer of the AD tree is the "Users" container, which is designated by ''CN=Users,DC=site,DC=name,DC=com''. An organisational unit is normally designated like ''OU=Name'', but again remember that this is case sensitive. As a general rule of thumb, any container that an AD site has when it is initialised has the prefix "CN=" in its name, whereas the organisational units created by the end user are all "OU=".<br />
<br />
=Groups and OUs=<br />
Active Directory doesn't appear to permit applying permissions to OUs, which makes them a purely cosmetic construct compared with systems that do permit associating permissions with them, such as Novell eDirectory. Active Directory features two types of groups: distribution groups, which appear to be mailing lists, and security groups, which appear to be usable for security administration and permission purposes.<br />
<br />
So Active Directory's solution is that you can nest groups, though there are complications. Nested groups are only available with AD running in Windows 2000 native mode or better, and Windows Server 2003 or lower installs in mixed mode by default. Windows Server 2008 now asks what forest and domain functional level you want, which is a nice touch; mixed mode has been removed, so 2000 native is the minimum level anyway. So if it looks like you can't nest groups, check that your domain is running in at least 2000 native mode by right clicking on your site and clicking "Change Mode" (Windows 2000) or "Raise Domain Functional Level" (Windows 2003).<br />
<br />
<br />
<br />
=Related Links=<br />
* [http://support.microsoft.com/kb/251359 Duplicate User Principal Names]<br />
* [http://www.rlmueller.net/Name_Attributes.htm Names for Objects in Active Directory]<br />
* [http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_seaa.mspx?mfr=true Verifying That an Attribute Is Unique in the Forest]<br />
* [http://adldap.sf.net Active Directory LDAP PHP class]<br />
* [http://technet.microsoft.com/en-us/library/cc776499(WS.10).aspx Nesting Groups]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/MSAD_QuirksMSAD Quirks2009-08-11T12:42:10Z<p>Pasamio: </p>
<hr />
<div>Microsoft Active Directory is an "almost" compliant implementation of LDAP complete with quirks and pitfalls that have caught even the most advanced Active Directory administrator. Whilst Microsoft makes integrating look easy with its partners, the truth of the matter is often a lot more complicated. This page documents all sorts of strange quirks with Active Directory that might catch some people.<br />
<br />
=Usernames=<br />
Active Directory doesn't have just one username, it has ''three'' potentially different usernames. They are represented in the LDAP view of Active Directory as the following attributes:<br />
* CN - Common Name (this is the name that appears in the listing of users in Active Directory Users and Computers)<br />
* sAMAccountName - This is the pre-2k name, sans the domain part (e.g. DOMAIN\)<br />
* userPrincipalName - The user principal name (UPN) is the post-2k name, and is in the form username@sitename<br />
<br />
Of the three, the CN is the one used when connecting via LDAP to form the DN of the user. For all intents and purposes the Organisational Unit structures of Active Directory are simply views on users. The sAMAccountName and userPrincipalName attributes must also be unique within the forest (yes, it would appear Microsoft lets you create duplicates even though they say it will break things). The CN, when joined into its DN, is the only identifier that retains the Organisational Unit (OU) information. Because of this it only needs to be unique within the container it is in, not across the entire forest like the other two user names.<br />
<br />
=Case sensitive=<br />
Active Directory is case sensitive. For everything. Including user names and distinguished names (DN).<br />
<br />
=DN Syntax=<br />
Active Directory Distinguished Names follow this format:<br />
* DC=site,DC=name,DC=com<br />
Where your site name is '''site.name.com'''<br />
<br />
There are some interesting side effects of the way Active Directory names its container structures. Under the first layer of the AD tree is the "Users" container, which is designated by ''CN=Users,DC=site,DC=name,DC=com''. An organisational unit is normally designated like ''OU=Name'', but again remember that this is case sensitive. As a general rule of thumb, any container that an AD site has when it is initialised has the prefix "CN=" in its name, whereas the organisational units created by the end user are all "OU=".<br />
<br />
=Groups and OUs=<br />
Active Directory doesn't appear to permit applying permissions to OUs, which makes them a purely cosmetic construct compared with systems that do permit associating permissions with them, such as Novell eDirectory. Active Directory features two types of groups: distribution groups, which appear to be mailing lists, and security groups, which appear to be usable for security administration and permission purposes.<br />
<br />
So Active Directory's solution is that you can nest groups, though there are complications. Nested groups are only available with AD running in Windows 2000 native mode or better, and Windows Server 2003 or lower installs in mixed mode by default. Windows Server 2008 now asks what forest and domain functional level you want, which is a nice touch; mixed mode has been removed, so 2000 native is the minimum level anyway. So if it looks like you can't nest groups, check that your domain is running in at least 2000 native mode by right clicking on your site and clicking "Change Mode" (Windows 2000) or "Raise Domain Functional Level" (Windows 2003).<br />
<br />
<br />
<br />
=Related Links=<br />
* [http://support.microsoft.com/kb/251359 Duplicate User Principal Names]<br />
* [http://www.rlmueller.net/Name_Attributes.htm Names for Objects in Active Directory]<br />
* [http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_seaa.mspx?mfr=true Verifying That an Attribute Is Unique in the Forest]<br />
* [http://adldap.sf.net Active Directory LDAP PHP class]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Main_PageMain Page2009-07-13T22:34:38Z<p>Pasamio: /* Related Projects */</p>
<hr />
<div>Welcome to the Joomla! Authentication Tools wiki (JAuthTools).<br />
<br />
Joomla! Authentication Tools are a collection of Joomla! extensions that allow greater integration of Joomla! into a corporate environment. By providing authentication support it allows both single sign on and single sign in style authentication against the corporate directory (e.g. openLDAP, MSAD, eDirectory) for Joomla! powered sites. The ideal that JAuthTools strives for is to avoid altering the core of Joomla!, unlike previous LDAP integration projects which required altering core files. By attempting to avoid this we aim to be more flexible in allowing users to easily upgrade their Joomla! site without having to re-edit files.<br />
<br />
JAuthTools is comprised of various components:<br />
* [[LDAP Tools]] (Joomla! 1.0 and 1.5)<br />
* [[SSO|Single Sign On]] (SSO) (Joomla! 1.0 and 1.5)<br />
* [[User Sources]] (Joomla! 1.5)<br />
* [[JAuthManager]] (Joomla! 1.5; coming soon!)<br />
* [[Remote Joomla]] (Joomla! 1.5)<br />
<br />
Each component provides specific abilities extending the base Joomla! install. Different projects are relevant to different releases of Joomla!, so if you are new check out the [[Supported Platforms]] page to work out which project is for you and what you will need for each project (e.g. PHP5, LDAP, etc).<br />
<br />
Additionally there is a [[History|history]] of the project, generic [[upgrade]] instructions and information about [[Compatibility|compatibility]] with other popular Joomla! extensions.<br />
<br />
== Getting Help ==<br />
* [[FAQ]]<br />
* [[:Category:Guide|Guides]] provide detailed instructions on tasks.<br />
* [[Quickstart for 1.0]]<br />
* [[Quickstart for 1.5]]<br />
<br />
== Contributing ==<br />
* [[Wiki]] additions/alterations/suggestions<br />
* [[Patches]]<br />
* [[Donations]]<br />
<br />
== Related Reading ==<br />
These are external links.<br />
<br />
* [http://dev.joomla.org/component/option,com_jd-wp/Itemid,33/p,93/ Authentication Options: SSO vs SSI] - a dev.joomla.org blog post detailing the SSO and SSI terms<br />
* [[ChangeLog]] has the unified change log for the project.<br />
<br />
== Related Projects ==<br />
<br />
These are some other Joomla! based authentication projects:<br />
* [http://joomlacode.org/gf/project/sso/ Mambo | Joomla! Single Sign On] provides the ability to designate certain sites to provide authentication for other sites by using a module. It achieves a similar goal that OpenID does (but for Joomla! 1.0.x). JAuthTools has an updated version of this tool that works with both Joomla! 1.0 and Joomla! 1.5 in legacy mode, see [[SSO/SOAP|SOAP SSO]].<br />
* [http://joomlacode.org/gf/project/mysql_extdbauth MySQL External DB Auth] is a "plugin for Joomla 1.5 let authenticate users against external MySQL database. The plugin is fully configurable by Admin area where the host, port, database, table, username column, password column, first name column, last name column and email column can be configured. If the password at remote site changed, then you will be able to login by using that new password"<br />
* [http://www.ioplex.com/joomla_plugin.html IOPlex] offer Joomla! plugins to aid integration into AD at a cost.<br />
* [http://joomlacode.org/gf/project/jfusion/ JFusion] provides the ability where "Joomla can authorise users based on other software such as vbulletin or phpbb forums (without making any changes to the core files)"<br />
* [http://joomlacode.org/gf/project/auth_manager/ Authentication Manager] is "designed to give the administrator the ability to use external authentication server (SSO) such as CAS, openid, AOL OpenAuth, Google AuthSub (when it will manage the userid), Microsoft Windows Live Contacts API, Yahoo BBAuth"<br />
<br />
There are also some Joomla! LDAP related projects:<br />
* [http://joomlacode.org/gf/project/whitepages/ LDAP White Pages] is a 1.5 component for building a telephone directory from LDAP.<br />
* [http://joomlacode.org/gf/project/joomlaaaa/ Joomla! AAA] is an "attempt to collect and build other authentication, authorization and accounting plug-ins."</div>Pasamiohttp://sammoffatt.com.au/jauthtools/LDAP_Tools/Sync_MappingLDAP Tools/Sync Mapping2009-07-13T22:28:27Z<p>Pasamio: </p>
<hr />
<div>The synchronisation map is a newline-separated map of information. Each line gives the field name in the table, a colon, and then either an LDAP field name (with an optional index enclosed in square brackets) or a fixed value enclosed in square brackets (for example for the category ID).<br />
<pre><br />
tablefield:ldapfield<br />
tablefield:ldapfield[index]<br />
tablefield:[fixedvalue]<br />
</pre><br />
<br />
An example for jos_contact_details:<br />
<pre><br />
name:fullName<br />
con_position:title<br />
telephone:telephoneNumber<br />
misc:objectClass[2]<br />
catid:[12]<br />
published:[1]<br />
email_to:mail<br />
</pre><br />
<br />
This is used by the [[LDAP Tools/LDAP Synchronization|advanced synchronisation mambot]]. The objectClass link for Misc is added for demonstration purposes. <br />
<br />
Additional settings to use with the example sync map above for the advanced synchronisation mambot:<br />
* External Table Name: jos_contact_details<br />
* User ID field: user_id<br />
* Primary Key: id<br />
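How the map format above is consumed, as an added example that is not code from the page or from the synchronisation mambot: a parser for the three line forms and a function that applies the parsed map to an LDAP entry, leaving unset any field whose attribute is missing or whose index is out of range rather than writing an empty string into the table. The index is taken as 0-based, as in the arrays PHP's ldap_get_entries() returns; the page does not say which. The LDAP entry and the "Bob" entry in the usage are constructed; the map is the page's jos_contact_details example.

```python
import re

# One mapping line: tablefield:ldapfield, tablefield:ldapfield[index] or tablefield:[fixedvalue]
MAP_LINE_RE = re.compile(
    r"^\s*(?P<field>[A-Za-z_]\w*)\s*:\s*"
    r"(?:\[(?P<fixed>[^\]]*)\]|(?P<attr>[A-Za-z][\w;-]*)(?:\[(?P<index>\d+)\])?)\s*$")


def parse_sync_map(text):
    """Turn map text into (field, kind, source, index) rules; ValueError on a bad line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():                  # assumption: blank lines are ignored
            continue
        m = MAP_LINE_RE.match(line)
        if not m:
            raise ValueError("line %d: cannot parse %r" % (lineno, line))
        if m.group("fixed") is not None:
            rules.append((m.group("field"), "fixed", m.group("fixed"), None))
        else:
            index = int(m.group("index")) if m.group("index") else 0   # 0-based, as PHP's arrays
            rules.append((m.group("field"), "attr", m.group("attr"), index))
    return rules


def apply_sync_map(rules, ldap_entry):
    """Build the table row for one LDAP entry given as {attribute: [values]}.

    Returns (row, missing): fields whose attribute is absent or whose index is
    out of range are left out of the row and reported in missing.
    """
    lowered = {k.lower(): v for k, v in ldap_entry.items()}   # LDAP attribute names are case-insensitive
    row, missing = {}, []
    for field, kind, source, index in rules:
        if kind == "fixed":
            row[field] = source
            continue
        values = lowered.get(source.lower(), [])
        if index < len(values):
            row[field] = values[index]
        else:
            missing.append(field)
    return row, missing


# The page's example map for jos_contact_details.
SAMPLE_MAP = """name:fullName
con_position:title
telephone:telephoneNumber
misc:objectClass[2]
catid:[12]
published:[1]
email_to:mail"""

# Constructed LDAP entry in the {attribute: [values]} shape a search returns.
SAMPLE_ENTRY = {
    "fullName": ["Alice Example"],
    "title": ["Librarian"],
    "telephoneNumber": ["+61 7 0000 0000"],
    "objectClass": ["top", "person", "inetOrgPerson"],
    "mail": ["alice@example.org"],
}


def sync_sample(entry=None):
    """Apply the page's map to the constructed entry (or to a caller-supplied one)."""
    return apply_sync_map(parse_sync_map(SAMPLE_MAP), SAMPLE_ENTRY if entry is None else entry)


def is_valid_map(text):
    try:
        parse_sync_map(text)
        return True
    except ValueError:
        return False
```

Reporting the missing fields separately matters for a synchronisation job: an entry without a telephoneNumber should leave the existing table value alone, not overwrite it with nothing.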
<br />
[[Category:LDAP]] [[Category:User Sources]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/MSAD_QuirksMSAD Quirks2009-06-09T12:26:51Z<p>Pasamio: /* Usernames */</p>
<hr />
<div>Microsoft Active Directory is an "almost" compliant implementation of LDAP complete with quirks and pitfalls that have caught even the most advanced Active Directory administrator. Whilst Microsoft makes integrating look easy with its partners, the truth of the matter is often a lot more complicated. This page documents all sorts of strange quirks with Active Directory that might catch some people.<br />
<br />
=Usernames=<br />
Active Directory doesn't have just one username, it has ''three'' potentially different usernames. They are represented in the LDAP view of Active Directory as the following attributes:<br />
* CN - Common Name (this is the name that appears in the listing of users in Active Directory Users and Computers)<br />
* sAMAccountName - This is the pre-2k name, sans the domain part (e.g. DOMAIN\)<br />
* userPrincipalName - The user principal name (UPN) is the post-2k name, and is in the form username@sitename<br />
<br />
Of the three, the CN is the one used when connecting via LDAP to form the DN of the user. For all intents and purposes the Organisational Unit structures of Active Directory are simply views on users. The sAMAccountName and userPrincipalName attributes must also be unique within the forest (yes, it would appear Microsoft lets you create duplicates even though they say it will break things). The CN, when joined into its DN, is the only identifier that retains the Organisational Unit (OU) information. Because of this it only needs to be unique within the container it is in, not across the entire forest like the other two user names.<br />
<br />
=Case sensitive=<br />
Active Directory is case sensitive. For everything. Including user names and distinguished names (DN).<br />
<br />
=DN Syntax=<br />
Active Directory Distinguished Names follow this format:<br />
* DC=site,DC=name,DC=com<br />
Where your site name is '''site.name.com'''<br />
<br />
There are some interesting side effects of the way Active Directory names its container structures. Under the first layer of the AD tree is the "Users" container, which is designated by ''CN=Users,DC=site,DC=name,DC=com''. An organisational unit is normally designated like ''OU=Name'', but again remember that this is case sensitive. As a general rule of thumb, any container that an AD site has when it is initialised has the prefix "CN=" in its name, whereas the organisational units created by the end user are all "OU=".<br />
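Putting the Usernames and DN Syntax sections to use: an added example, not code from the page or from JAuthTools, that builds the base DN from the site name, assembles user DNs with the CN=Users versus OU= distinction described above, normalises a typed login into its sAMAccountName and userPrincipalName forms, and escapes the value before placing it in a search filter so that a login such as *)(objectClass=* cannot widen the query. The site.name.com domain and the container names follow the page's placeholders; the user names are constructed.

```python
def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == " " and i in (0, len(value) - 1)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515): backslash, * ( ) and NUL."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def domain_to_base_dn(domain):
    """site.name.com -> DC=site,DC=name,DC=com"""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_dn_value(label) for label in labels)


def user_dn(cn, containers, domain):
    """DN for a user. containers runs from the root down, e.g. [("OU", "Staff"), ("OU", "Library")];
    built-in containers such as Users take CN=, administrator-created OUs take OU=."""
    rdns = ["CN=" + escape_dn_value(cn)]
    for kind, name in reversed(containers):          # leaf container first, root last
        if kind not in ("CN", "OU"):
            raise ValueError("container type must be CN or OU, got %r" % kind)
        rdns.append("%s=%s" % (kind, escape_dn_value(name)))
    rdns.append(domain_to_base_dn(domain))
    return ",".join(rdns)


def split_login(login, domain):
    """Normalise what the user typed into (sAMAccountName, userPrincipalName)."""
    login = login.strip()
    if "\\" in login:                                # pre-2000 form DOMAIN\user: drop the domain part
        login = login.rsplit("\\", 1)[1]
    if "@" in login:                                 # already a UPN: keep it, derive the short name
        return login.partition("@")[0], login
    return login, login + "@" + domain


def user_search_filter(login, domain):
    """Match a user by any of the three AD names; the typed value is escaped first."""
    sam, upn = split_login(login, domain)
    return "(&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)(cn=%s)))" % (
        escape_filter_value(sam), escape_filter_value(upn), escape_filter_value(sam))
```

Because the page stresses that AD is case sensitive, the functions never change the case of what they are given; they only escape it.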
<br />
=Related Links=<br />
* [http://support.microsoft.com/kb/251359 Duplicate User Principal Names]<br />
* [http://www.rlmueller.net/Name_Attributes.htm Names for Objects in Active Directory]<br />
* [http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_seaa.mspx?mfr=true Verifying That an Attribute Is Unique in the Forest]<br />
* [http://adldap.sf.net Active Directory LDAP PHP class]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/LDAP_Tools/SchemaLDAP Tools/Schema2009-05-14T12:41:11Z<p>Pasamio: /* Full Schema */</p>
<hr />
<div>Joomla! has an assigned enterprise number from IANA. This space is maintained by Samuel Moffatt. The aim of this is to provide extensions to LDAP to make it more friendly to Joomla! powered authentication and to provide extensions in future where they may be required.<br />
<br />
<br />
= Number allocation (1.3.6.1.4.1.27457) =<br />
Joomla! has been assigned the enterprise number 27457 within the space 1.3.6.1.4.1 and within this space the first entry, 1, is designated for Official Core use. <br />
<br />
== Official Joomla Schema (1.3.6.1.4.1.27457.1) ==<br />
Officially supported Joomla! schemas are created within this space.<br />
<br />
=== JoomlaGroup (1.3.6.1.4.1.27457.1.1) ===<br />
The JoomlaGroup attribute is defined so that a group attribute can be added to users easily without conflicting with any other LDAP attribute.<br />
<br />
<pre><br />
# Joomla Group Attribute; free form text<br />
attributetype ( 1.3.6.1.4.1.27457.1.1<br />
NAME 'JoomlaGroup'<br />
DESC 'Joomla: Group to belong to'<br />
EQUALITY caseIgnoreMatch<br />
SUBSTR caseIgnoreSubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<br />
</pre><br />
<br />
=== JoomlaUser (1.3.6.1.4.1.27457.1.2) ===<br />
The JoomlaUser object class exists to enforce and permit certain attributes for an entry to better integrate with Joomla.<br />
<br />
<pre><br />
# Joomla User Object Class<br />
# Requires various elements<br />
objectclass ( 1.3.6.1.4.1.27457.1.2<br />
NAME 'JoomlaUser'<br />
DESC 'User of a Joomla instance'<br />
AUXILIARY<br />
MUST ( cn $ JoomlaGroup $ uid $ mail $ userPassword )<br />
MAY ( givenName $ sn )<br />
)<br />
</pre><br />
<br />
=== uidAlias/useridAlias (1.3.6.1.4.1.27457.1.3) ===<br />
The user ID alias allows additional (redundant) user IDs to be recorded against an entry while the primary uid remains the identifier that actually names the user. This is useful when migrating legacy systems in which the same user ID was issued to distinct individuals. If an alias is accepted at login it must be unique across the directory; otherwise a lookup on the alias can return more than one entry and the wrong user may be authenticated.<br />
<br />
<pre><br />
# Joomla User Alias attribute; free form text<br />
attributetype ( 1.3.6.1.4.1.27457.1.3<br />
NAME ( 'uidAlias' 'useridAlias' )<br />
DESC 'Aliased user id'<br />
EQUALITY caseIgnoreMatch<br />
SUBSTR caseIgnoreSubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )<br />
</pre><br />
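Before a schema is loaded into a directory it is worth checking it mechanically, since slaptest reports syntax errors but not an OID placed outside the allocated arc or an attribute referenced in MUST/MAY that nothing defines. The following script is an added example for this page, not part of JAuthTools or OpenLDAP. JOOMLA_SCHEMA is the Full Schema from this page with whitespace condensed; BROKEN_SCHEMA is a constructed variant that trips every check; the set of standard attributes is the subset of OpenLDAP's core, cosine and inetorgperson schemas that JoomlaUser refers to.<br />

```python
"""Sanity-check the Joomla! LDAP schema before loading it into slapd.

Added example for this wiki page; it is not part of JAuthTools or OpenLDAP.
It checks that every definition sits under the Joomla! arc 1.3.6.1.4.1.27457.1,
that OIDs are unique, that every attribute named in MUST/MAY is defined either
here or by OpenLDAP's core/cosine/inetorgperson schemas, and that no attribute
is listed twice. JOOMLA_SCHEMA is the Full Schema from this page; BROKEN_SCHEMA
is a constructed variant that trips every check.
"""
import re

JOOMLA_ARC = "1.3.6.1.4.1.27457.1."

# Attributes JoomlaUser relies on from OpenLDAP's standard schema files.
STANDARD_ATTRS = {"cn", "uid", "mail", "userpassword", "givenname", "sn",
                  "displayname", "initials"}

JOOMLA_SCHEMA = """
# Full Schema as published on this page (whitespace condensed)
attributetype ( 1.3.6.1.4.1.27457.1.1 NAME 'JoomlaGroup' DESC 'Joomla: Group to belong to'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.27457.1.3 NAME ( 'uidAlias' 'useridAlias' ) DESC 'Aliased user id'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.27457.1.4 NAME 'JoomlaBlockUser' DESC 'If the user should be blocked'
    EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.27457.1.5 NAME 'JoomlaUserParams' DESC 'Joomla User Parameters'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{65535} )
objectclass ( 1.3.6.1.4.1.27457.1.2 NAME 'JoomlaUser' DESC 'User of a Joomla instance' AUXILIARY
    MUST ( cn $ JoomlaGroup $ uid $ mail $ userPassword $ JoomlaBlockUser )
    MAY ( givenName $ sn $ useridAlias $ displayName $ initials $ JoomlaUserParams ) )
"""

# Constructed: an OID outside the arc, an OID reused by two definitions,
# an undefined attribute (JoomlaTheme) and givenName listed twice in MAY.
BROKEN_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1 NAME 'JoomlaNickname' DESC 'wrong arc'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.27457.1.1 NAME 'JoomlaGroup' EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.27457.1.1 NAME 'JoomlaUser' AUXILIARY
    MUST ( cn $ JoomlaGroup )
    MAY ( givenName $ sn $ givenName $ JoomlaTheme $ JoomlaNickname ) )
"""


def _definitions(text):
    """Yield (kind, body) for each 'attributetype ( ... )' / 'objectclass ( ... )'."""
    for m in re.finditer(r"\b(attributetype|objectclass)\s*\(", text, re.I):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses in %s" % m.group(1))
        yield m.group(1).lower(), text[m.end():i - 1]


def _field(body, key):
    """Return the raw value after KEY: a quoted string, a ( ... ) list or a bare token."""
    m = re.search(r"\b%s\s*(\([^)]*\)|'[^']*'|\S+)" % key, body)
    return m.group(1) if m else None


def _attr_list(body, key):
    """Split a MUST/MAY value such as '( cn $ uid )' into ['cn', 'uid']."""
    raw = _field(body, key)
    return [a.strip() for a in raw.strip("() ").split("$") if a.strip()] if raw else []


def lint_schema(text):
    """Return a list of human-readable findings; an empty list means the schema is clean."""
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)            # drop comment lines
    findings, seen_oids, defined, classes = [], {}, set(STANDARD_ATTRS), []
    for kind, body in _definitions(text):
        body = re.sub(r"DESC\s*'[^']*'", "", body)               # keywords inside DESC text stay inert
        oid = body.split()[0]
        names = [n.lower() for n in re.findall(r"'([^']*)'", _field(body, "NAME") or "")]
        label = "%s %s" % (kind, names[0] if names else oid)
        if not oid.startswith(JOOMLA_ARC):
            findings.append("%s: OID %s is outside the Joomla arc %s" % (label, oid, JOOMLA_ARC))
        if oid in seen_oids:
            findings.append("%s: OID %s already used by %s" % (label, oid, seen_oids[oid]))
        seen_oids[oid] = label
        if kind == "attributetype":
            defined.update(names)
        else:
            classes.append((label, _attr_list(body, "MUST") + _attr_list(body, "MAY")))
    for label, attrs in classes:                                 # resolve once every attribute is known
        seen = set()
        for attr in attrs:
            if attr.lower() not in defined:
                findings.append("%s: attribute %s is not defined" % (label, attr))
            if attr.lower() in seen:
                findings.append("%s: attribute %s is listed more than once" % (label, attr))
            seen.add(attr.lower())
    return findings


if __name__ == "__main__":
    for name, schema in (("joomla.schema", JOOMLA_SCHEMA), ("broken", BROKEN_SCHEMA)):
        print(name, "->", lint_schema(schema) or "clean")
```

Point lint_schema() at the contents of your joomla.schema (or of any file that adds definitions under the arc) before running slaptest and restarting slapd; a non-empty list is a reason not to load the file.<br />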
<br />
= Full Schema =<br />
Copy the text below into a file (e.g. joomla.schema) and include it in your LDAP server's configuration (e.g. copy it to /etc/ldap/schema).<br />
If you are using OpenLDAP on Debian with a slapd.conf, create the file /etc/ldap/schema/joomla.schema and add:<br />
<pre><br />
include /etc/ldap/schema/joomla.schema<br />
</pre><br />
to /etc/ldap/slapd.conf, after the existing includes for core.schema, cosine.schema and inetorgperson.schema (JoomlaUser refers to cn, uid, mail, userPassword, givenName, sn, displayName and initials, which come from those files). Run slaptest -f /etc/ldap/slapd.conf before restarting slapd so that a typo in the schema is reported rather than leaving the directory down. On installs that use the cn=config backend (/etc/ldap/slapd.d) instead of slapd.conf, the schema has to be converted to LDIF and loaded with ldapadd rather than included.<br />
<br />
joomla.schema:<br />
<pre><br />
# Joomla Group Attribute; free form text, at most 256 characters<br />
attributetype ( 1.3.6.1.4.1.27457.1.1<br />
NAME 'JoomlaGroup'<br />
DESC 'Joomla: Group to belong to'<br />
EQUALITY caseIgnoreMatch<br />
SUBSTR caseIgnoreSubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )<br />
<br />
# Joomla User Alias attribute; free form text, at most 256 characters<br />
# 'uidAlias' and 'useridAlias' are two names for the same attribute<br />
attributetype ( 1.3.6.1.4.1.27457.1.3<br />
NAME ( 'uidAlias' 'useridAlias' )<br />
DESC 'Aliased user id'<br />
EQUALITY caseIgnoreMatch<br />
SUBSTR caseIgnoreSubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )<br />
<br />
# Joomla Block User attribute; INTEGER syntax (not the LDAP Boolean syntax),<br />
# matching the integer block flag Joomla! keeps for each user<br />
attributetype ( 1.3.6.1.4.1.27457.1.4<br />
NAME 'JoomlaBlockUser'<br />
DESC 'If the user should be blocked'<br />
EQUALITY integerMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )<br />
<br />
# Joomla User Params; free form text, at most 65535 characters<br />
attributetype ( 1.3.6.1.4.1.27457.1.5<br />
NAME 'JoomlaUserParams'<br />
DESC 'Joomla User Parameters'<br />
EQUALITY caseIgnoreMatch<br />
SUBSTR caseIgnoreSubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{65535} )<br />
<br />
# Joomla User Object Class (AUXILIARY: add it to an existing person entry)<br />
# Requires the attributes Joomla! needs to create the account;<br />
# extra name details are optional<br />
objectclass ( 1.3.6.1.4.1.27457.1.2<br />
NAME 'JoomlaUser'<br />
DESC 'User of a Joomla instance'<br />
AUXILIARY<br />
MUST ( cn $ JoomlaGroup $ uid $ mail $ userPassword $ JoomlaBlockUser )<br />
MAY ( givenName $ sn $ useridAlias $ displayName $ initials $ JoomlaUserParams )<br />
)<br />
</pre></div>Pasamiohttp://sammoffatt.com.au/jauthtools/KerberosKerberos2009-04-25T08:39:20Z<p>Pasamio: </p>
<hr />
<div>Kerberos is a network authentication protocol developed at MIT that provides ticket-based, mutually authenticated logins for users, computers and services, and is the de facto standard for authentication in enterprise networks. It is the primary authentication protocol in Microsoft's Active Directory, and Novell eDirectory also provides Kerberos functionality.<br />
<br />
==Kerberos Guides==<br />
*[[Kerberos/Configuring Apache To Authenticate PHP Documents|Configuring Apache To Authenticate PHP Documents]]<br />
*[[Kerberos/Kerberos and SLES9|Kerberos and SLES9]]<br />
*[[Kerberos/Kerberos and Debian|Kerberos and Debian]]<br />
*[[Kerberos/Troubleshooting|Kerberos Troubleshooting]]<br />
*[[Kerberos/Browser Support|Browser Support]]<br />
<br />
==Other Resources==<br />
These are other resources that may be useful in setting up Kerberos, mostly aimed at Apache.<br />
<br />
=== Web browsers ===<br />
* [http://grolmsnet.de/kerbtut/firefox.html Kerberos and Firefox]<br />
<br />
=== IIS ===<br />
* [http://en.wikipedia.org/wiki/Integrated_Windows_Authentication Integrated Windows Authentication] (Wikipedia)<br />
* [http://support.microsoft.com/kb/324274 IIS Web site authentication in Windows Server 2003] (Look for "Integrated Windows Authentication")<br />
* [http://support.microsoft.com/kb/303650 IE not correctly identifying sites in the intranet] (This can cause token errors in Apache)<br />
* [http://msdn.microsoft.com/en-us/library/ms998358.aspx Enabling Integrated Windows Authentication in IE] (Required to avoid password prompts)<br />
<br />
=== Kerberos and Apache guides ===<br />
*[http://www.grolmsnet.de/kerbtut/ Tutorial: Using mod_auth_kerb with Windows 2000/2003 as KDC] (This is one of the original tutorials that I followed in the SLES9 build)<br />
*[http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/ Kerberos based SSO with Apache]<br />
*[http://sl.mvps.org/docs/LinuxApacheKerberosAD.htm Configure Apache on Linux for Kerberos Authentication]<br />
<br />
=== Kerberos Troubleshooting ===<br />
*[http://support.microsoft.com/kb/230476 Common Kerberos related errors in Windows 2000] (Microsoft Knowledge Base Article)<br />
*[http://support.microsoft.com/kb/919557 Preauthentication errors with keys and Windows 2003 SP1] (also related to key version number issues)<br />
*[http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/d0229b5e69414a3/298a3436829fb172?lnk=gst&q=windows+2003&rnum=46&utoken=sr-PmzkAAAAcKcOjbwnhHQIzo1cF4IQzLkPNKwi-0NO8rAWVaHL63pBI8ofuZidr1hIm37QuoNLMFfYmITmO1nk4CbSXWulr&pli=1 Google Groups thread on comp.protocols.kerberos about issues with Windows 2003 SP1 and ktpass.exe]<br />
*[http://www.openafs.org/pipermail/openafs-info/2007-January/025039.html OpenAFS: Windows 2003 Service Keys Info] (has some AFS related notes but a lot of useful information)<br />
*[http://www.ncsa.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html UNIX Kerberos Troubleshooting Guide] (has some useful information and hints)<br />
<br />
=== Scott Lowe on Kerberos ===<br />
Scott Lowe's blog has many useful Kerberos-related posts, and the comments on each page help with a multitude of small issues. Some posts cover more than Kerberos and move into what you need to do to get Linux to play nicely with Active Directory generally, but much of the information is useful even if only in part.<br />
*[http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/ Complete Linux AD Authentication Details] (Windows 2000 and Windows 2003 pre-R2)<br />
*[http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/ Linux AD Integration] (Windows 2003 R2+)<br />
*[http://blog.scottlowe.org/2006/08/21/more-on-kerberos-authentication-against-active-directory/ More on Kerberos Authentication against Active Directory]<br />
*[http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/ ESX integration with Active Directory]<br />
<br />
<br />
[[Category:Kerberos]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Quickstart_for_1.5Quickstart for 1.52009-04-17T01:55:08Z<p>Pasamio: /* SSO */</p>
<hr />
<div>This document is a quickstart guide to getting JAuthTools running on Joomla! 1.5.<br />
<br />
= Out of the Box =<br />
Joomla! 1.5 ships with an LDAP authentication plugin. For most purposes this suffices, but it does not provide all of the features of the JAuthTools LDAP SSI bot for Joomla! 1.0, such as group mapping.<br />
<br />
If you want your Joomla! instance to authenticate against an LDAP directory (MSAD/Microsoft Active Directory, eDirectory, etc.) then all you need to do is configure the core LDAP plugin. If you are having trouble configuring it (especially for MSAD), look at the JDiagnostic tool (http://joomlacode.org/gf/project/pasamioprojects/frs), which provides a wizard for configuring MSAD-based authentication.<br />
<br />
= Getting Started =<br />
Joomla! 1.5 has some new features that make installing the JAuthTools services in 1.5 different to the 1.0 method. This page is currently a draft.<br />
<br />
The easiest way to get started is to install the Advanced Tools for 1.5 extension. This gives your Joomla! 1.5 site the ability to install both packages and libraries, which makes life easier later on. Before you install Advanced Tools, the /libraries/joomla/installer/adapters folder must be writable by the web server user so that the installer can place files there, in addition to the normal locations for files. Make it writable only for the duration of the install and restore the original permissions afterwards: a web-writable directory under /libraries is code the web server process can modify, which is exactly what an attacker exploiting any other flaw in the site would want. Once that is done, you can use the URL-based installer to install the package straight from JoomlaCode, or download the package and install it by upload. At the time of writing the latest version of Advanced Tools was 1.5.1; you can check for updates at Pasamio's Projects FRS site or download directly from: http://joomlacode.org/gf/download/frsrelease/6797/22390/com_advancedtools.tgz<br />
<br />
Once Advanced Tools has installed successfully (Screenshot) you can continue to install the JAuthTools package. If some folders are not writable, the Advanced Tools installer may ask you to copy files into /libraries/joomla/installer/adapters manually. For JAuthTools you will need to ensure the 'libraries' folder is writable, as the installer creates a new 'jauthtools' folder there; again, revert the permissions once the install has finished. <br />
<br />
<br />
== Libraries ==<br />
In Joomla! 1.5, libraries are installed through a new extension type designed to make the system more manageable. In 1.0 this did not exist, so libraries were typically shipped inside an extension or installed via a mambot. JAuthTools for 1.0 used the mambot method, which made the LDAP library available to all extensions while the mambot was published. The new interface exposes libraries in a way similar to Java.<br />
<br />
=== Install the JAuthTools Libraries ===<br />
JAuthTools has two major libraries. The first is the SSO, or Single Sign On, library, which handles the SSO system, primarily for Kerberos integration. The second is the User Source library, which provides details about a given username, such as the email address. These libraries are available from the JAuthTools FRS site. The SSO system depends on the User Source library, so to use SSO you will need to install the User Source library as well.<br />
<br />
Increasingly JAuthTools extensions are becoming reliant on a third library, the helper library. The helper library is a dependency for the eDirLDAP SSO plugin, the LDAP User Source plugin as well as the Advanced LDAP and Advanced GMail authentication plugins.<br />
<br />
All three of these libraries are available individually or in a pack called "pkg_jauthtools_core.tgz" for ease of installation.<br />
<br />
The other two libraries available from JAuthTools are the Token Login library and the OpenID library. Both of these are distributed on their own as well as within their own packages (OpenID and Token Login respectively).<br />
<br />
== Packages ==<br />
JAuthTools is comprised of a number of packages in addition to the Core JAuthTools packages<br />
<br />
=== SSO ===<br />
The SSO system consists of a system plugin that bootstraps the SSO plugins. This package contains the SSO Manager Component, the SSO Module and the System SSO plugin.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (Includes SSO Plugins below)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36269/pkg_jauthtools_sso.tgz<br />
<br />
=== SSO Plugins ===<br />
SSO is a new plugin type created for this system, and a few SSO plugins are available by default. Because they are ordinary plugins, SSO plugins can be controlled through the normal plugin manager interface. Since 1.5.4 there is also an SSO manager component and an SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (General SSO section)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36175/pkg_jauthtools_ssoplugins.tgz<br />
<br />
=== User Sources ===<br />
The User Sources system consists of three major plugins: the Sync System plugin and the LDAP and Session user source plugins. The sync plugin is designed to ensure a user is set to the appropriate group and the LDAP user source is designed to provide user information.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9531<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36177/pkg_jauthtools_usersource.tgz<br />
<br />
=== Extras ===<br />
There are two authentication plugins, Advanced GMail and Advanced LDAP, that are distributed with JAuthTools. There is also an LDAP user plugin and the [[Context Login|context login module]]. This package depends on the helper library (part of the Core package).<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9532<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36195/pkg_jauthtools_extras.tgz<br />
<br />
=== OpenID ===<br />
JAuthTools ships its own OpenID plugin. It was contributed by Ian MacLennan and has not yet undergone extensive testing, so OpenID is released in 1.5.4 as a beta with more work to follow.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9533<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36173/pkg_jauthtools_openid.tgz<br />
<br />
=== Token Login ===<br />
Token Login is a new feature in 1.5.4 that lets you integrate token-based logins into your Joomla! site. It ships with a token library for issuing tokens, a component that handles issuing, editing and revocation of tokens, and a token login SSO plugin that logs the bearer in. Because a valid token logs its holder in without a password, treat issued tokens as credentials: transmit them only over HTTPS and revoke them as soon as they are no longer needed.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9529<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36176/pkg_jauthtools_tokenlogin.tgz<br />
<br />
<br />
<br />
[[Category:Guide]] [[Category:Quickstart]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/TroubleshootingKerberos/Troubleshooting2009-02-24T04:01:06Z<p>Pasamio: </p>
<hr />
<div>This page documents solutions for some common Kerberos issues. It is not comprehensive, but it should give you a guide to what to look for when resolving them.<br />
<br />
= Known Errors and Resolutions =<br />
== kinit(v5): KRB5 error code 68 while getting initial credentials ==<br />
Error code 68 is KDC_ERR_WRONG_REALM: the KDC you contacted does not serve the realm you asked for. Check that the Linux box is configured for the right realm (default_realm and the [realms] section of /etc/krb5.conf); realm names are case sensitive and are conventionally written in capitals.<br />
<br />
<br />
== kinit(v5): Permission denied while getting initial credentials ==<br />
Check the permissions on your keytab file (/etc/krb5.keytab by default) so that the process using it, whether the user running kinit or the Apache worker user for mod_auth_kerb, can read it. Do not make it world-readable: anyone who can read the keytab holds the service's long-term key.<br />
<br />
<br />
== Client not found in Kerberos database ==<br />
* kinit(v5): Client not found in Kerberos database while getting initial credentials<br />
* krb5_get_init_creds_password() failed: Client not found in Kerberos database<br />
Make sure that you are typing the right name and that the KDC knows the account by that name (double check the Account tab of the user in Active Directory Users and Computers, especially the realm/UPN suffix). Principal names are case sensitive, so HTTP/host and http/host are different principals.<br />
<br />
<br />
== kinit(v5): Preauthentication failed while getting initial credentials ==<br />
Wrong password. When authenticating with a keytab rather than a password, this can also be caused by a buggy ktpass.exe: some versions (Windows 2003 SP1) generated bad keys, so upgrading to the latest release should fix it (see [http://support.microsoft.com/kb/919557 Microsoft KB 919557]).<br />
<br />
<br />
== kinit(v5): Key table entry not found while getting initial credentials ==<br />
Regenerate the keytab file and check its contents with klist -k: the principal you are requesting, including realm and case, must appear in it exactly.<br />
<br />
<br />
== krb5_get_init_creds_password() failed: Clock skew too great ==<br />
* failed to verify krb5 credentials: Clock skew too great<br />
<br />
The clock difference between the HTTP server and the KDC (or between the client and the KDC) exceeds the permitted skew, which is five minutes by default. Check that NTP is set up properly; synchronising the Linux box to the domain controller, which the Windows clients already follow, is the simplest arrangement.<br />
<br />
<br />
== failed to verify krb5 credentials: Server not found in Kerberos database ==<br />
Check the [domain_realm] section of krb5.conf to ensure the server's DNS domain maps to the right realm, and check that a host/FQDN@REALM principal exists on the KDC and in the keytab: with KrbVerifyKDC on (the default), mod_auth_kerb uses the host key to verify that the credentials really came from your KDC.<br />
<br />
<br />
== gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name) ==<br />
Check the [domain_realm] mapping in krb5.conf. Check the keytab file (klist -k /etc/krb5.keytab or similar) to ensure that a principal for the right service and realm is present and that its service name matches what Apache expects (HTTP/FQDN@REALM, or whatever KrbServiceName is set to). Also ensure that the machine's hostname is its FQDN.<br />
<br />
<br />
== gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt) ==<br />
Check that the site is in IE's Local intranet zone; most likely a raw NTLM token is being sent instead of a Kerberos/SPNEGO one. A Negotiate header whose base64 value starts with TlRMTVNTUAAB is an NTLM Type 1 message. See [http://support.microsoft.com/kb/303650 IE not correctly identifying sites in the intranet] to help resolve this issue.<br />
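To see what a failing client actually sent, decode the Authorization header. The script below is an added example for this page, not part of JAuthTools or mod_auth_kerb: it distinguishes a raw NTLM message from a GSS-API token, and for SPNEGO lists the mechanisms the browser offered, so a client that never offers Kerberos (SPN or intranet-zone problem) stands out from one that does. The two sample headers at the bottom are constructed, with dummy bodies; the mechanism OIDs are the standard ones.<br />

```python
"""Tell NTLM from SPNEGO/Kerberos in an 'Authorization: Negotiate' header.

Added example for this page; not part of JAuthTools or mod_auth_kerb. When
mod_auth_kerb reports "A token was invalid (Token header is malformed or
corrupt)" the usual cause is a browser sending a raw NTLM message where a
GSS-API token is expected. classify_negotiate_token() decodes the header far
enough to say which it is and, for SPNEGO, which mechanisms were offered.
The sample headers at the bottom are constructed.
"""
import base64
import struct

MECH_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
             "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if not 0 < n <= 4:
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(raw):
    """Dotted form of DER OID contents."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _oids_in(buf):
    """Collect every OID in a DER blob, descending into constructed tags only."""
    pos, found = 0, []
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _der_length(buf, pos + 1)
        body = buf[pos:pos + length]
        if tag == 0x06:
            found.append(_decode_oid(body))
        elif tag & 0x20:
            found.extend(_oids_in(body))
        pos += length
    return found


def classify_negotiate_token(header_value):
    """Describe what an Authorization header for the Negotiate scheme really carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        return "not a Negotiate header (scheme %r)" % scheme
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return "malformed: not valid base64"
    if token.startswith(b"NTLMSSP\x00"):            # base64 of this prefix is 'TlRMTVNTUAA'
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return "raw NTLM %s message, not a GSS-API token" % NTLM_MESSAGE_TYPES.get(msg_type, "type %d" % msg_type)
    try:
        if not token or token[0] != 0x60:              # GSS-API InitialContextToken [APPLICATION 0]
            return "malformed: GSS-API token must start with tag 0x60"
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:
            return "malformed: mechanism OID missing"
        oid_len, pos = _der_length(token, pos + 1)
        mech = _decode_oid(token[pos:pos + oid_len])
        if mech == "1.3.6.1.5.5.2":
            offered = [MECH_OIDS.get(o, o) for o in _oids_in(token[pos + oid_len:])]
            return "SPNEGO token offering: " + ", ".join(offered)
        return MECH_OIDS.get(mech, "unknown mechanism " + mech) + " token"
    except (IndexError, ValueError):
        return "malformed: truncated DER"


def _der(tag, body):
    """Minimal DER TLV encoder (lengths below 65536) used only to build the samples."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | 2]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    """DER-encode a dotted OID as a complete 0x06 TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return _der(0x06, bytes(out))


# Constructed samples: a SPNEGO NegTokenInit offering Kerberos (both OIDs) then NTLMSSP,
# as a Windows client does, and a raw NTLM Type 1 message with no SPNEGO wrapper.
SPNEGO_HEADER = "Negotiate " + base64.b64encode(_der(0x60, _encode_oid("1.3.6.1.5.5.2") + _der(0xA0, _der(
    0x30, _der(0xA0, _der(0x30, _encode_oid("1.2.840.48018.1.2.2") + _encode_oid("1.2.840.113554.1.2.2")
                          + _encode_oid("1.3.6.1.4.1.311.2.2.10"))))))).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + bytes(16)).decode()

if __name__ == "__main__":
    for header in (SPNEGO_HEADER, NTLM_HEADER, "Negotiate ****"):
        print(header[:40], "->", classify_negotiate_token(header))
```

Capture the header from the Apache error log at LogLevel debug or from a packet capture and pass it to classify_negotiate_token(); if the answer is a raw NTLM message, the fix is on the client (intranet zone, Integrated Windows Authentication), not in the keytab.<br />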
<br />
<br />
== gss_accept_sec_context() failed: Miscellaneous failure (Key version number for principal in key table is incorrect) ==<br />
The wrong key version is in use: the kvno in the keytab (klist -k) no longer matches the kvno the KDC issues (kvno HTTP/FQDN after a kinit as any user). Every password reset of the service account, including the reset ktpass.exe performs when it sets the password, increments the kvno, so regenerate the keytab after any reset. Restart clients, or use kerbtray.exe to purge their cached tickets, and restart Apache so that it re-reads the keytab. Also note that some versions of ktpass.exe had issues generating keys (Windows 2003 SP1); upgrading to the latest release should fix this (see [http://support.microsoft.com/kb/919557 Microsoft KB 919557]).<br />
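The two keytab errors above ("No principal in keytab matches desired name" and "Key version number for principal in key table is incorrect") can both be checked without a KDC by reading the keytab directly. The script below is an added example for this page, not part of JAuthTools, MIT Kerberos or mod_auth_kerb: parse_keytab() reads a version 0x0502 keytab the way klist -k does, and diagnose() says which of the two messages a given principal and KDC kvno would produce. The realm and host names are taken from the Kerberos and Debian guide on this wiki; the keytab bytes and keys are constructed dummy values.<br />

```python
"""Read a Kerberos keytab and explain two mod_auth_kerb failures listed above.

Added example for this page; it is not part of JAuthTools, MIT Kerberos or
mod_auth_kerb. parse_keytab() does what 'klist -k' does for a version 0x0502
keytab, and diagnose() maps what it finds to the "No principal in keytab
matches desired name" and "Key version number ... is incorrect" messages.
The realm and host names come from the Kerberos and Debian guide on this
wiki; the keytab bytes and keys are constructed dummy values.
"""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(buf, pos):
    """Read a big-endian uint16 length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos -= size
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry at offset %d" % (pos - 4))
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)       # realm comes before the name components
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _counted(data, pos + 11)       # the key itself is never printed
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "%s@%s" % ("/".join(comps), realm.decode()),
                        "kvno": kvno, "timestamp": timestamp,
                        "enctype": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype)})
        pos = end
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 1240000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(keytab, wanted_principal, kdc_kvno):
    """Explain whether mod_auth_kerb could use this keytab for wanted_principal."""
    matches = [e for e in parse_keytab(keytab) if e["principal"] == wanted_principal]
    if not matches:
        return ("No principal in keytab matches desired name: regenerate the keytab for "
                + wanted_principal)
    if kdc_kvno not in {e["kvno"] for e in matches}:
        return ("Key version number for principal in key table is incorrect: keytab has kvno %s, "
                "KDC has %d" % (sorted(e["kvno"] for e in matches), kdc_kvno))
    return "ok: %s kvno %d present (%s)" % (
        wanted_principal, kdc_kvno, ", ".join(e["enctype"] for e in matches))


REALM = "SITE3.DIGITALPAPER.HOMELINUX.NET"
HTTP_PRINC = "HTTP/pie.digitalpaper.homelinux.net@" + REALM
HOST_PRINC = "host/pie.digitalpaper.homelinux.net@" + REALM
# Constructed keytab with all-zero dummy keys; a real one holds the service account's key.
SAMPLE_KEYTAB = build_keytab([(HTTP_PRINC, 3, 23, bytes(16)), (HOST_PRINC, 2, 23, bytes(16))])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print("kvno %(kvno)d  %(principal)s  (%(enctype)s)" % entry)
    print(diagnose(SAMPLE_KEYTAB, HTTP_PRINC, 4))   # the KDC has moved on to kvno 4
```

To use it on a real server, read /etc/krb5.keytab into parse_keytab() and pass diagnose() the kvno reported by the kvno command for your HTTP principal; the keytab is as sensitive as a password file, so run this as a user that is already allowed to read it rather than loosening its permissions.<br />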
<br />
<br />
== Issues with mapuser ==<br />
AD may not yet have replicated the new account to all domain controllers. To avoid this as far as possible, make sure that the DC you run ktpass against (or query) is the same one the user was created on.<br />
<br />
<br />
== IE prompts for a password on each access ==<br />
From [http://msdn.microsoft.com/en-us/library/ms998358.aspx Windows Authentication and ASP.Net]:<br />
''Internet Explorer security settings must be configured to enable Integrated Windows authentication. By default, Integrated Windows authentication is not enabled in Internet Explorer 6. To enable the browser to respond to a negotiate challenge and perform Kerberos authentication, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser.''<br />
<br />
Alternatively this may be an issue with the site not being in the intranet zone. IE won't send authentication details automatically to sites that aren't located within the intranet zone. See [http://support.microsoft.com/kb/303650 IE not correctly identifying sites in the intranet] for more information.<br />
<br />
<br />
= Unknown responses =<br />
== krb5_get_init_creds_password() failed: KDC reply did not match expectations ==<br />
See http://mailman.mit.edu/pipermail/kerberos/2007-November/012585.html<br />
<br />
== Specified realm `OTHER.REALM.NAME' not allowed by configuration ==<br />
A realm other than the one permitted by the server's configuration is trying to authenticate against it. This could point to a mismatch between the server's configured realm and the actual realm of the user, or to there being several realms available with only one of them configured.<br />
<br />
[[Category:Kerberos]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/Kerberos_and_DebianKerberos/Kerberos and Debian2009-02-23T09:39:28Z<p>Pasamio: /* Firefox configuration */</p>
<hr />
<div>This guide covers Windows Server 2003 and Debian 4.0. Note that there are known issues with 2003 SP1; I suggest upgrading to SP2/R2 where possible to resolve them before you start, or alternatively look at the Kerberos page for the links covering 2003 SP1 issues. If you must continue with 2003 SP1, consult [http://support.microsoft.com/kb/919557 Microsoft KB 919557]. If you run into trouble, check the [[Kerberos/Troubleshooting|Kerberos Troubleshooting]] page to see whether your specific error is listed. Active Directory has a habit of being case sensitive through some interfaces (typically non-Microsoft ones) and very forgiving of case through others (typically Microsoft tools). Treat case as significant throughout and type realm and principal names exactly as shown.<br />
<br />
= Before we begin =<br />
== Terminology ==<br />
The following terms are more or less equivalent and may be used interchangeably. Some may also suggest replacements, for reference they are all listed here:<br />
{| border=1<br />
| Kerberos realm || Active Directory domain (referred to below as the AD site); the realm name is the domain's DNS name written in capitals, see below<br />
|-<br />
| REALM || Your AD realm, typically your DNS domain name all in capitals; in this case it is SITE3.DIGITALPAPER.HOMELINUX.NET<br />
|-<br />
| SERVERNAME || Substitute this with the name of your Linux server<br />
|-<br />
| FQDN || The fully qualified domain name; you may need to fill this in for specific commands<br />
|}<br />
<br />
Where possible, items requiring replacement are marked in bold.<br />
<br />
== AD Domain Setup ==<br />
The setup here is slightly unusual. There are two servers, "pie" (Debian 4.0) and "notpie" (Windows 2003). "notpie" hosts the AD domain "site3.digitalpaper.homelinux.net" and its DNS also contains entries for the digitalpaper.homelinux.net domain. "pie" is not a member of the domain and is not even in the same subdomain. For reference:<br />
{| border=1<br />
! Server Name !! FQDN !! IP address<br />
|-<br />
| notpie || notpie.site3.digitalpaper.homelinux.net || 192.168.1.20<br />
|-<br />
| pie || pie.digitalpaper.homelinux.net || 192.168.1.10<br />
|}<br />
<br />
We want to authenticate requests to Apache on pie from clients in the Kerberos realm SITE3.DIGITALPAPER.HOMELINUX.NET (the site name all in caps) in a way that either requires no password or uses their domain logins. A noble goal, and for bonus marks we're mixing our domains around a bit. The down-level (pre-2000) name for the domain is "SITE3".<br />
<br />
From this point, I'm going to assume that the above is set up already and working properly. <br />
<br />
== Linux box setup ==<br />
I'm assuming you have a working Debian 4.0 machine with Apache 2 up and running. Some of the instructions are specific to Apache 2; if you are using Apache 1 you will likely need to modify them slightly (possibly removing the "2"). The machine should have an IP address and DNS hostname assigned to it within the Active Directory Domain Controller's DNS server, or in a DNS server that both machines use. For the purposes of this tutorial we are going to assume that your domain controller is your DNS server and that your Linux server exists in its DNS properly. We only have two machines, the Linux box and the domain controller, so if your setup is different some of the values used may not meet this assumption; change them where necessary. I would also advise installing and configuring NTP to point to your domain controller to ensure that your time is synchronised, otherwise clock skew errors may appear.<br />
<br />
No matter where your DNS is located you will need to ensure that forward and reverse lookups for the Linux box are properly working so that you can resolve it appropriately.<br />
<br />
I'm also going to presume that you have Joomla! 1.5 set up and installed with the LDAP plugins configured properly and working. Ideally if you have a base set up with Joomla! site already authenticating to Active Directory this would be a useful point to launch from. Since we're trying to get SSO working, the Joomla! 1.5 site obviously needs to be on the same server.<br />
<br />
= System Configuration =<br />
<br />
== Linux Configuration ==<br />
Our first port of call is to set up the Linux server to look towards the AD domain. You may have done this already, but you may not have. Most of the files referenced exist as full copies at the end of this page for reference.<br />
<br />
=== Installing software ===<br />
Before we begin, we're going to need some tools installed:<br />
<pre>sudo aptitude install krb5-user libapache2-mod-auth-kerb</pre><br />
<br />
Please note that this will also install krb5-config, which will request information such as your KDC and similar servers as well as the realm. Depending on your debconf configuration, it may automatically detect the realm from the FQDN of the machine. If this assumption is wrong (as it was for mine) then you will need to reconfigure the package and enter the appropriate default realm:<br />
<pre>sudo dpkg-reconfigure krb5-config</pre><br />
And fill in the values properly.<br />
<br />
If you have already got krb5-config installed it may be worthwhile reconfiguring it anyway to validate that the settings it has are correct. If it is wrong it will cause you issues further along.<br />
<br />
<br />
=== /etc/resolv.conf ===<br />
We have two domains we care about: the one "pie" is in and the AD domain that "notpie" is in. The following configures the Linux machine to search both domains and use the AD domain controller as its nameserver.<br />
<pre><br />
search site3.digitalpaper.homelinux.net digitalpaper.homelinux.net<br />
nameserver 192.168.1.20<br />
</pre><br />
<br />
=== /etc/hosts ===<br />
One of the useful tidbits I've picked up is ensuring that your local hosts file is set up with the correct external IP address for the DNS domain name and not pointing back to everyone's favourite IP address 127.0.0.1:<br />
<pre><br />
192.168.1.10 pie.digitalpaper.homelinux.net pie<br />
</pre><br />
<br />
The order is also important: make sure that the FQDN comes before the shorter name. Using the external interface address instead of the local loopback is also important and will help us to avoid other issues later on with Kerberos.<br />
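As an added check (an example script written for this page, not part of the wiki's own instructions or of JAuthTools): the two hosts-file mistakes described above, a loopback address for the FQDN and the short name listed first, are easy to miss by eye, so the following POSIX shell function inspects a hosts file for a given FQDN and expected address and reports which rule it breaks. The sample hosts files it builds are constructed for the example using this guide's names; on the real server you would call it as check_hosts_entry /etc/hosts pie.digitalpaper.homelinux.net 192.168.1.10.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the JAuthTools wiki): check an /etc/hosts entry for
# the web server's FQDN. Kerberos service principals are built from the name
# the host resolves to, so the FQDN must map to the external interface address
# (not 127.x) and must be the first name on its line.

# check_hosts_entry HOSTS_FILE FQDN EXPECTED_IP
#   Prints "ok" and returns 0 when exactly one non-comment line maps FQDN to
#   EXPECTED_IP with the FQDN as the first name after the address; otherwise
#   prints the rule that was broken and returns 1.
check_hosts_entry() {
    hosts_file=$1; fqdn=$2; expected_ip=$3
    # Lines naming the FQDN as a whole word (comments stripped first).
    lines=$(sed 's/#.*//' "$hosts_file" |
        awk -v f="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == f) { print; break } }')
    if [ -z "$lines" ]; then
        echo "missing: no entry for $fqdn"; return 1
    fi
    if [ "$(printf '%s\n' "$lines" | grep -c .)" -ne 1 ]; then
        echo "ambiguous: $fqdn appears on more than one line"; return 1
    fi
    # Split the single matching line into address and names.
    set -- $lines
    ip=$1; first=$2
    case "$ip" in
        127.*) echo "loopback: $fqdn maps to $ip, not the external address"; return 1 ;;
    esac
    if [ "$ip" != "$expected_ip" ]; then
        echo "mismatch: $fqdn maps to $ip, expected $expected_ip"; return 1
    fi
    if [ "$first" != "$fqdn" ]; then
        echo "order: short name '$first' precedes $fqdn"; return 1
    fi
    echo ok
}

# Constructed sample hosts files (the values are the ones used in this guide).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '127.0.0.1 localhost\n192.168.1.10 pie.digitalpaper.homelinux.net pie\n' > "$SAMPLES/good"
# A common installer default: the FQDN points at a loopback address.
printf '127.0.0.1 localhost\n127.0.1.1 pie.digitalpaper.homelinux.net pie\n' > "$SAMPLES/loopback"
# Right address, wrong order: the short name comes first.
printf '127.0.0.1 localhost\n192.168.1.10 pie pie.digitalpaper.homelinux.net\n' > "$SAMPLES/order"

for f in good loopback order; do
    printf '%s: %s\n' "$f" "$(check_hosts_entry "$SAMPLES/$f" pie.digitalpaper.homelinux.net 192.168.1.10)"
done
```
<br />
The check deliberately refuses an FQDN that appears on more than one line, since the first match wins in the resolver and a stale second entry is a frequent source of "wrong host" confusion. Forward and reverse DNS still need to agree with this file; the function only covers the local hosts entry.<br />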
<br />
=== /etc/krb5.conf ===<br />
This is the main Kerberos configuration file; Debian generated it for you when you installed the krb5-config package. With any luck, it should look like the sample at the end of this document with your values instead of mine and probably a bit more junk. In my dual-domain situation, I needed to make one more modification in the [domain_realm] section to add the domain for pie. This enables the server to find the correct realm for itself. There should be some lines already, but the section looks like this when completed:<br />
<pre><br />
[domain_realm]<br />
.site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
</pre><br />
<br />
At this point we should be able to authenticate as a Kerberos user and obtain a Kerberos ticket, so let's authenticate as a user with kinit to check that things work:<br />
kinit <b>username</b><br />
Password for <b>username</b>@<b>REALM</b>: (type users password here)<br />
With any luck this will complete without error. If you do encounter an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page to see how you can resolve the issue. You may also optionally specify a realm instead of just the username but the command should default to the correct realm anyway.<br />
<br />
=== Samba Note ===<br />
If you're using Samba, you may wish to check out a comment on Scott Lowe's guide on Kerberos SSO with Apache from [http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/#comment-4003 Emmanuel Gomez]. In theory, this should absolve you from having to do any configuration on the Windows side and your keytab for both the operating system and Apache would be one file. I haven't tried this option, and prefer the method detailed below.<br />
<br />
<br />
== Windows configuration ==<br />
Presuming that this is all done we now need to configure AD with accounts for the Linux box and Apache. <br />
<br />
=== Installing software ===<br />
You will need the Windows 2003 Support Tools, otherwise your install won't have ktpass.exe and other useful utilities (ldp.exe and kerbtray.exe are two hidden jewels of the system). You will need this to be installed before you can continue. I would advise that you at least log off and log in again (or if possible restart) after installing these tools to get the path available; otherwise you will need to type commands like the following to get to the tools:<br />
<pre>"C:\Program Files\Support Tools\ktpass.exe"</pre><br />
<br />
If you have issues where you get the error "command not recognized" or similar, you may need to use the full path to the tool. Restarting the server or cycling your login should resolve these issues.<br />
<br />
The Support Tools also include the "ADSI Edit" MSC, which is the Swiss army knife for manipulating Active Directory's back end.<br />
<br />
'''Note:''' ktpass.exe is a command line utility, you will need to start a command prompt first. kerbtray.exe is a tray icon based application (hides in the tray on launch) and ldp.exe has a full GUI.<br />
<br />
=== Creating the accounts ===<br />
In my sample tree, I have a "Servers" OU that I use to store accounts for servers or service accounts in one location. If you haven't got one already (or something similar), I suggest that now is the time to create one.<br />
<br />
Please note that in the following section it appears important that these are users and not computers, and that there is one user per service (including one for the host). The logic for this appears to be that when using a single 'computer' account the key version number increases automatically, invalidating previously generated keys. There is a workaround that I haven't tested, available as a [http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/#comment-32694 comment on Scott Lowe's blog]. For those of us less daring, we'll go for the simpler option.<br />
<br />
Within that OU we're going to create two new "users". The first will be for the host itself and the second will be for Apache. <br />
In the new user screen set the:<br />
* first name to be "host" <br />
* last name to be '''SERVERNAME''', in our case "pie".<br />
* logon to be "host-'''SERVERNAME'''", so "host-pie"<br />
* click next and then tick the "password never expires" box and finish<br />
<br />
Repeat this with a second user, replacing instances of "host" with "HTTP". Please note that case matters, so ensure host is all lower case and HTTP is all upper case. Note the password that you gave the users, as you will use it again when creating the Kerberos keys.<br />
<br />
=== Creating the keytabs ===<br />
The next step is to create the keytab for both of the users. You will need to create a new command prompt window first, I suggest that using the one under the "Support Tools" menu item is the best way of achieving this goal. This is another find and replace operation, the command in question is:<br />
ktpass -princ <b>SERVICE</b>/<b>FQDN</b>@<b>REALM</b> -mapuser <b>DOMAIN\account</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>filename</b><br />
<br />
So we need to replace SERVICE, FQDN, REALM, the username you set the account to be, the password and give the tool a unique filename where it can output the file. Keep in mind that the downlevel version of our site is "SITE3" and that the service is either "host" or "HTTP". You may have other services depending on your setup but this isn't covered here.<br />
<br />
For simplicity I recommend creating a folder on your desktop or in your My Documents folder and navigating to this folder in the terminal and then running the following commands. It places your keytabs in one central location which makes finding them later and updating them if need be easy. I created a "keytabs" folder on the desktop to store the files in.<br />
<br />
The sample commands I used were the following:<br />
ktpass -princ host/<b>pie.digitalpaper.homelinux.net</b>@<b>SITE3.DIGITALPAPER.HOMELINUX.NET</b> -mapuser <b>SITE3\HOST-pie</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>host-pie.keytab</b><br />
ktpass -princ HTTP/<b>pie.digitalpaper.homelinux.net</b>@<b>SITE3.DIGITALPAPER.HOMELINUX.NET</b> -mapuser <b>SITE3\HTTP-pie</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>http-pie.keytab</b><br />
<br />
This will output a lot of data to the screen but should ultimately report success, presuming that you've fed the tool the right account information. If you do encounter errors, check over the command to ensure that you haven't missed something out. <br />
<br />
Once we've created the keytabs we need to shift them to the Linux server. The file "host-pie.keytab" will become /etc/krb5.keytab and the file "http-pie.keytab" should be copied to a new folder, "/etc/apache2/keytab" so that we can use it later. This should be done in a secure manner, so I suggest using SCP or similar to transfer the files.<br />
<br />
=== Testing the keys ===<br />
Once the keys have been transferred to their relevant location on the Linux server, we can test them to see if they are working properly with 'kinit' again on the Linux server. This time the command looks a little different:<br />
kinit -k <b>SERVICE</b>/<b>FQDN</b><br />
This will work for 'host' but will probably fail for the 'HTTP' service, for that we will need to specify a location for the keytab. The commands I used in this case were as follows:<br />
kinit -k host/<b>pie.digitalpaper.homelinux.net</b><br />
kinit -k -t /etc/apache2/keytab/http-<b>SERVERNAME</b>.keytab HTTP/<b>pie.digitalpaper.homelinux.net</b><br />
Note: This assumes that you've copied the files to the correct location already. If you have transferred the HTTP key to a different location you will need to specify a different path for -t. If everything is working properly you should not receive any error from these commands, and running 'klist' after each one should show that you have a ticket for the respective account. If you do get an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page for guidance.<br />
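As an added diagnostic (an example script written for this page, not part of the wiki's own instructions or of JAuthTools): when kinit -k fails, the usual reasons are that the keytab holds no key for the principal being requested (the -princ given to ktpass differs from the FQDN, realm or case that kinit uses) or that the key version number (KVNO) stored in the keytab no longer matches the one the KDC issues, which happens when the account's key is regenerated after the keytab was made. The following POSIX shell functions parse the output of klist -kte KEYTAB and of kvno PRINCIPAL (run after a kinit as an ordinary domain user) and compare the two; they also list keys that use single DES, which is what the ktpass command above produces with -crypto DES-CBC-MD5 +DesOnly and which is deprecated in current Kerberos implementations. The listings below are constructed for the example in the format MIT Kerberos prints; feed the real command output in their place.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the JAuthTools wiki): offline checks over the output
# of "klist -kte KEYTAB" and "kvno PRINCIPAL". The sample outputs below are
# constructed for this example; point the functions at the real output instead.

# keytab_entries LISTING
#   Prints one "KVNO<TAB>PRINCIPAL<TAB>ENCTYPE" line per key in a klist -kte
#   listing, skipping the header and separator lines.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ {
            princ = ""; enc = ""
            for (i = 2; i <= NF; i++) if ($i ~ /@/) { princ = $i; break }
            if (match($0, /\(.*\)$/)) enc = substr($0, RSTART + 1, RLENGTH - 2)
            if (princ != "") print $1 "\t" princ "\t" enc
        }' "$1"
}

# keytab_kvno LISTING PRINCIPAL
#   Prints the KVNO stored for PRINCIPAL, or "missing" when the keytab has no
#   key for it (typically the -princ given to ktpass differs in FQDN, realm or
#   case from what kinit or mod_auth_kerb asks for).
keytab_kvno() {
    kv=$(keytab_entries "$1" | awk -F'\t' -v p="$2" '$2 == p { print $1; exit }')
    if [ -n "$kv" ]; then echo "$kv"; else echo missing; fi
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL
#   Extracts the key version the KDC currently issues for PRINCIPAL from a
#   "PRINCIPAL: kvno = N" line as printed by the kvno command.
kdc_kvno() {
    awk -v p="$2" -F'kvno = ' 'index($0, p ": ") == 1 { print $2; exit }' "$1"
}

# kvno_check LISTING KVNO_OUTPUT PRINCIPAL
#   "ok kvno=N" when the keytab and the KDC agree; "mismatch" means the
#   account's key was regenerated (for example by re-running ktpass) after the
#   keytab was written, so the keytab must be recreated and copied over again.
kvno_check() {
    have=$(keytab_kvno "$1" "$3"); want=$(kdc_kvno "$2" "$3")
    if [ "$have" = missing ]; then echo "missing: $3 not in keytab"; return 1; fi
    if [ "$have" != "$want" ]; then echo "mismatch: keytab kvno $have, KDC kvno $want"; return 1; fi
    echo "ok kvno=$have"
}

# weak_enctypes LISTING
#   Lists keys whose type is single DES (what -crypto DES-CBC-MD5 +DesOnly
#   produces) or RC4; both are deprecated and worth migrating off once SSO works.
weak_enctypes() {
    keytab_entries "$1" | awk -F'\t' '{ t = tolower($3) }
        t ~ /des[ -]cbc|arcfour|rc4/ && t !~ /des3|3des/ { print $2 " (" $3 ")" }'
}

# Constructed samples using this guide's names. The klist line is in the
# format MIT Kerberos prints with -e (enctype in parentheses).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
HTTP_PRINC=HTTP/pie.digitalpaper.homelinux.net@SITE3.DIGITALPAPER.HOMELINUX.NET
cat > "$SAMPLES/http-pie.klist" <<EOF
Keytab name: FILE:/etc/apache2/keytab/http-pie.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/23/09 15:47:00 $HTTP_PRINC (DES cbc mode with RSA-MD5)
EOF
printf '%s: kvno = 3\n' "$HTTP_PRINC" > "$SAMPLES/kvno.out"        # KDC agrees
printf '%s: kvno = 4\n' "$HTTP_PRINC" > "$SAMPLES/kvno-stale.out"  # key was regenerated

kvno_check "$SAMPLES/http-pie.klist" "$SAMPLES/kvno.out" "$HTTP_PRINC"
kvno_check "$SAMPLES/http-pie.klist" "$SAMPLES/kvno-stale.out" "$HTTP_PRINC"
weak_enctypes "$SAMPLES/http-pie.klist"
```
<br />
On the server, capture klist -kte /etc/apache2/keytab/http-pie.keytab to one file and, after a kinit as a domain user, kvno HTTP/pie.digitalpaper.homelinux.net to another, then call kvno_check on the two with the full principal name. A "missing" result points at the ktpass -princ argument; a "mismatch" means generating the keytab again on the domain controller and copying it over.<br />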
<br />
== mod_auth_kerb Configuration ==<br />
The last part of this saga is configuring mod_auth_kerb to work properly in your environment. Presuming you have it installed properly, this is usually straightforward, as during installation the module is normally enabled automatically. Resolving the errors resulting from configuration can sometimes be a tad more problematic. If you do have an error check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page for guidance and make sure to check the Apache error log. You may also wish to increase the logging and debugging level of Apache to obtain more information about what is actually happening behind the scenes with Kerberos.<br />
<br />
=== Using a .htaccess file ===<br />
Presuming that the location you want to protect is configured to accept .htaccess files, you can use the following to protect the folder. You will probably need a Directory directive in your main Apache configuration file with either an "AllowOverride All" or an "AllowOverride AuthConfig" directive.<br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms <b>REALM</b><br />
Krb5KeyTab /etc/apache2/keytab/http-<b>SERVERNAME</b>.keytab<br />
require valid-user<br />
<br />
=== Within the Apache configuration ===<br />
If you wrap the same directives used in your .htaccess file within either a Location directive or a Directory directive and then restart Apache, that location should be protected by Kerberos.<br />
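As an added check (an example script written for this page, not part of the wiki's own instructions or of JAuthTools): the file named by Krb5KeyTab is the HTTP service's long-term key, so Apache must be able to read it (otherwise the Negotiate handshake fails and the reason lands in the Apache error log) and nobody else should, which on Debian means a mode such as 0640 with the Apache user's group rather than the world-readable mode a copied file often ends up with. The following POSIX shell functions pull the Krb5KeyTab path out of an Apache configuration fragment or .htaccess file and check the file's permission bits. The configuration it uses is the Location block from the Sample Files section of this page with the keytab path pointed at a constructed stand-in file.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the JAuthTools wiki): find the keytab an Apache
# configuration points mod_auth_kerb at, and check that the file is not
# accessible to users outside its owner and group.

# apache_keytab_path CONFIG_FILE
#   Prints the first Krb5KeyTab value in CONFIG_FILE (directive names are
#   matched case-insensitively, as Apache does), or nothing if absent.
apache_keytab_path() {
    awk 'tolower($1) == "krb5keytab" { print $2; exit }' "$1"
}

# keytab_mode_ok FILE
#   Prints "ok" when FILE exists and has no permission bits for "other";
#   otherwise prints the problem. Uses ls -l so it works with GNU and BSD tools.
keytab_mode_ok() {
    if [ ! -f "$1" ]; then echo "missing: $1"; return 1; fi
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *---) echo ok ;;
        *) echo "world-accessible: $mode"; return 1 ;;
    esac
}

# check_apache_keytab CONFIG_FILE
#   Resolves the keytab path from the configuration and reports on it.
#   Returns 1 when no Krb5KeyTab directive is present.
check_apache_keytab() {
    path=$(apache_keytab_path "$1")
    if [ -z "$path" ]; then echo "no Krb5KeyTab directive in $1"; return 1; fi
    keytab_mode_ok "$path"
}

# Constructed sample: the Location block from this guide's Sample Files, with
# the keytab path rewritten to a temporary stand-in file for the demonstration.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
: > "$SAMPLES/http-pie.keytab"
cat > "$SAMPLES/kerberos.conf" <<EOF
<Location /kerberos>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET
Krb5KeyTab $SAMPLES/http-pie.keytab
require valid-user
</Location>
EOF

chmod 644 "$SAMPLES/http-pie.keytab"   # world-readable: flagged
check_apache_keytab "$SAMPLES/kerberos.conf"
chmod 640 "$SAMPLES/http-pie.keytab"   # owner and group only: ok
check_apache_keytab "$SAMPLES/kerberos.conf"
```
<br />
The function only inspects the "other" bits; which group owns the keytab (on Debian, Apache runs as www-data) is a matter of local policy, so check the owner and group by hand after fixing the mode.<br />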
<br />
=== Set up a test page ===<br />
You may wish to set up a test page in your location. As you are likely to have PHP available, I suggest creating a simple file called 'test.php' and putting in the file:<br />
<pre><?php phpinfo(); ?></pre><br />
This should give you a diagnostic of PHP, which includes the server authentication variables that are passed to it. This way we will be able to see whether the user is in fact authenticated, who Apache has authenticated them as, and which method it used to do so.<br />
<br />
== Browser Configuration ==<br />
With any luck your changes are successful and now it's time to test them. Navigate to the directory you decided to protect (in my case /kerberos) and you should be either let straight through or prompted for a username and password. Either way you should end up authenticated, and if you created the test.php file you can check the method. If you were let straight through you should have the auth type "Negotiate"; if you needed to type in a password your auth type will be "Basic" (this is "AUTH_TYPE" in the PHP info page if you are looking for it). Just above that field should be "REMOTE_USER", which should be set to your AD UPN, e.g. <b>username</b>@<b>REALM</b>. See the [[Kerberos/Browser Support|browser support]] page for information on browser support issues (not configuration).<br />
<br />
Some browsers (e.g. Safari on Mac; IE on Windows) will automatically work if the underlying layer is configured properly. <br />
<br />
=== IE Configuration ===<br />
There are two issues that may occur with IE. The first is that Integrated Windows Authentication is not enabled (the default for IE6) and the second is that it may think that the site isn't on the intranet.<br />
* The first is easy to solve, to enable the browser to respond to a negotiate challenge and perform Kerberos authentication, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser.<br />
* The second requires a tad more effort, check on the bottom right hand corner what zone the site is in. If it is in the "Internet" zone then you will likely have issues. Double click on this and click on Local Intranet -> Sites -> Advanced -> Add. Then click close or ok on all dialogues until you return to your browser. It should now identify the site as being in the local intranet. For alternate ways of solving this problem look at [http://support.microsoft.com/kb/303650 Microsoft KB article 303650] about "IE not correctly identifying sites in the intranet".<br />
<br />
If after all this has been done the user is still being prompted for a password, check the Apache logs for any errors that might have occurred. Keep in mind that the desktop needs to be joined to the domain for IE to function correctly with SSO.<br />
<br />
=== Firefox configuration ===<br />
Assuming that you have Kerberos set up on your client (e.g. Windows machine joined to the domain, Linux or Mac OS X box set up to obtain a Kerberos ticket) all you should need to do is set "network.negotiate-auth.trusted-uris" in "about:config" to the name of your web server. With this it should work.<br />
<br />
=== Safari ===<br />
Safari has no configuration option: if it's working at the lower levels it 'just works', and if not then you've got to dig through the lower levels to work out what is wrong. This applies to both Windows and Mac versions.<br />
<br />
= Sample Files =<br />
== Apache Configuration ==<br />
<pre><br />
<Location /kerberos><br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET<br />
Krb5KeyTab /etc/apache2/keytab/http-pie.keytab<br />
require valid-user<br />
</Location><br />
</pre><br />
<br />
== .htaccess File ==<br />
<pre><br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET<br />
Krb5KeyTab /etc/apache2/keytab/http-pie.keytab<br />
require valid-user<br />
</pre><br />
<br />
== resolv.conf ==<br />
<pre><br />
search digitalpaper.homelinux.net site3.digitalpaper.homelinux.net<br />
nameserver 192.168.1.20<br />
</pre><br />
<br />
== krb5.conf ==<br />
<pre><br />
[libdefaults]<br />
default_realm = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
<br />
# The following krb5.conf variables are only for MIT Kerberos.<br />
krb4_config = /etc/krb.conf<br />
krb4_realms = /etc/krb.realms<br />
kdc_timesync = 1<br />
ccache_type = 4<br />
forwardable = true<br />
proxiable = true<br />
<br />
# The following libdefaults parameters are only for Heimdal Kerberos.<br />
v4_instance_resolve = false<br />
v4_name_convert = {<br />
host = {<br />
rcmd = host<br />
ftp = ftp<br />
}<br />
plain = {<br />
something = something-else<br />
}<br />
}<br />
fcc-mit-ticketflags = true<br />
<br />
[realms]<br />
SITE3.DIGITALPAPER.HOMELINUX.NET = {<br />
kdc = 192.168.1.20<br />
admin_server = 192.168.1.20<br />
}<br />
<br />
[domain_realm]<br />
.site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
[login]<br />
krb4_convert = true<br />
krb4_get_tickets = false<br />
</pre><br />
<br />
<br />
<br />
[[Category:Kerberos]] [[Category:MSAD]] [[Category:Guide]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/Kerberos_and_DebianKerberos/Kerberos and Debian2009-02-23T05:47:17Z<p>Pasamio: /* Windows configuration */</p>
<hr />
<div>This guide covers Windows Server 2003 and Debian 4.0 configuration. Please note that there are known issues with 2003 SP1; I suggest upgrading to SP2/R2 where possible to resolve these issues before you start. Alternatively, look at the Kerberos page and view the links mentioning 2003 SP1 issues. If you want to continue with 2003 SP1, consult [http://support.microsoft.com/kb/919557 Microsoft KB 919557]. If you have issues you may wish to look at the [[Kerberos/Troubleshooting|Kerberos Troubleshooting]] page to see if your specific error is listed. Active Directory has a habit of being case sensitive for some interfaces (typically non-MS ones) and very forgiving of case in others (typically MS tools). Case is always important, so make sure that everything is typed with the case shown.<br />
<br />
= Before we begin =<br />
== Terminology ==<br />
The following terms are more or less equivalent and may be used interchangeably. Some are placeholders that you must replace with your own values; for reference they are all listed here:<br />
{| border=1<br />
| Kerberos realm || Active Directory Domain, Active Directory Site; typically this means writing the site name in capitals, see below<br />
|-<br />
| REALM || Your AD realm, typically your DNS site name all in capitals; in this case it's SITE3.DIGITALPAPER.HOMELINUX.NET<br />
|-<br />
| SERVERNAME || Substitute this with the name of your Linux server<br />
|-<br />
| FQDN || The fully qualified domain name; you may need to fill this in for specific commands<br />
|}<br />
<br />
Where possible, items requiring replacement are marked in bold.<br />
<br />
== AD Domain Setup ==<br />
The setup in this case is mildly unusual. There are two servers, one called "pie" (Debian 4.0) and another called "notpie" (Windows 2003). "notpie" has the AD site "site3.digitalpaper.homelinux.net" assigned to it, and its DNS also contains entries for the digitalpaper.homelinux.net domain. "pie" is not a member of the domain and is not actually in the same subdomain. For reference:<br />
{| border=1<br />
! Server Name !! FQDN !! IP address<br />
|-<br />
| notpie || notpie.site3.digitalpaper.homelinux.net || 192.168.1.20<br />
|-<br />
| pie || pie.digitalpaper.homelinux.net || 192.168.1.10<br />
|}<br />
<br />
We want to authenticate requests to Apache on pie from clients in the Kerberos realm SITE3.DIGITALPAPER.HOMELINUX.NET (the site name all in caps) in a way that either requires no password or uses their domain logins. A noble goal, and for bonus marks we're mixing our domains around a bit. The down-level (pre-2000) name for the domain is "SITE3".<br />
<br />
From this point, I'm going to assume that the above is set up already and working properly. <br />
<br />
== Linux box setup ==<br />
I'm assuming you have a working Debian 4.0 machine with Apache 2 up and running. Some of the instructions are specific to Apache 2; if you are using Apache 1 you will likely need to modify them slightly (possibly removing the "2"). The machine should have an IP address and DNS hostname assigned to it within the Active Directory Domain Controller's DNS server, or in a DNS server that both machines use. For the purposes of this tutorial we are going to assume that your domain controller is your DNS server and that your Linux server exists in its DNS properly. We only have two machines, the Linux box and the domain controller, so if your setup is different some of the values used may not meet this assumption; change them where necessary. I would also advise installing and configuring NTP to point to your domain controller to ensure that your time is synchronised, otherwise clock skew errors may appear.<br />
<br />
No matter where your DNS is located you will need to ensure that forward and reverse lookups for the Linux box are properly working so that you can resolve it appropriately.<br />
<br />
I'm also going to presume that you have Joomla! 1.5 set up and installed with the LDAP plugins configured properly and working. Ideally if you have a base set up with Joomla! site already authenticating to Active Directory this would be a useful point to launch from. Since we're trying to get SSO working, the Joomla! 1.5 site obviously needs to be on the same server.<br />
<br />
= System Configuration =<br />
<br />
== Linux Configuration ==<br />
Our first port of call is to set up the Linux server to look towards the AD domain. You may have done this already, but you may not have. Most of the files referenced exist as full copies at the end of this page for reference.<br />
<br />
=== Installing software ===<br />
Before we begin, we're going to need some tools installed:<br />
<pre>sudo aptitude install krb5-user libapache2-mod-auth-kerb</pre><br />
<br />
Please note that this will also install krb5-config, which will request information such as your KDC and similar servers as well as the realm. Depending on your debconf configuration, it may automatically detect the realm from the FQDN of the machine. If this assumption is wrong (as it was for mine) then you will need to reconfigure the package and enter the appropriate default realm:<br />
<pre>sudo dpkg-reconfigure krb5-config</pre><br />
And fill in the values properly.<br />
<br />
If you have already got krb5-config installed it may be worthwhile reconfiguring it anyway to validate that the settings it has are correct. If it is wrong it will cause you issues further along.<br />
<br />
<br />
=== /etc/resolv.conf ===<br />
We have two domains we care about: the one "pie" is in and the AD domain that "notpie" is in. The following configures the Linux machine to search both domains and use the AD domain controller as its nameserver.<br />
<pre><br />
search site3.digitalpaper.homelinux.net digitalpaper.homelinux.net<br />
nameserver 192.168.1.20<br />
</pre><br />
<br />
=== /etc/hosts ===<br />
One of the useful tidbits I've picked up is ensuring that your local hosts file is set up with the correct external IP address for the DNS domain name and not pointing back to everyone's favourite IP address 127.0.0.1:<br />
<pre><br />
192.168.1.10 pie.digitalpaper.homelinux.net pie<br />
</pre><br />
<br />
The order is also important: make sure that the FQDN comes before the shorter name. Using the external interface address instead of the local loopback is also important and will help us to avoid other issues later on with Kerberos.<br />
<br />
=== /etc/krb5.conf ===<br />
This is the main Kerberos configuration file; Debian generated it for you when you installed the krb5-config package. With any luck, it should look like the sample at the end of this document with your values instead of mine and probably a bit more junk. In my dual-domain situation, I needed to make one more modification in the [domain_realm] section to add the domain for pie. This enables the server to find the correct realm for itself. There should be some lines already, but the section looks like this when completed:<br />
<pre><br />
[domain_realm]<br />
.site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
</pre><br />
<br />
At this point we should be able to authenticate as a Kerberos user and obtain a Kerberos ticket, so let's authenticate as a user with kinit to check that things work:<br />
kinit <b>username</b><br />
Password for <b>username</b>@<b>REALM</b>: (type users password here)<br />
With any luck this will complete without error. If you do encounter an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page to see how you can resolve the issue. You may also optionally specify a realm instead of just the username but the command should default to the correct realm anyway.<br />
<br />
=== Samba Note ===<br />
If you're using Samba, you may wish to check out a comment on Scott Lowe's guide on Kerberos SSO with Apache from [http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/#comment-4003 Emmanuel Gomez]. In theory, this should absolve you from having to do any configuration on the Windows side and your keytab for both the operating system and Apache would be one file. I haven't tried this option, and prefer the method detailed below.<br />
<br />
<br />
== Windows configuration ==<br />
Presuming that this is all done we now need to configure AD with accounts for the Linux box and Apache. <br />
<br />
=== Installing software ===<br />
You will need the Windows 2003 Support Tools, otherwise your install won't have ktpass.exe and other useful utilities (ldp.exe and kerbtray.exe are two hidden jewels of the system). You will need this to be installed before you can continue. I would advise that you at least log off and log in again (or if possible restart) after installing these tools to get the path available; otherwise you will need to type commands like the following to get to the tools:<br />
<pre>"C:\Program Files\Support Tools\ktpass.exe"</pre><br />
<br />
If you have issues where you get the error "command not recognized" or similar, you may need to use the full path to the tool. Restarting the server or cycling your login should resolve these issues.<br />
<br />
The Support Tools also include the "ADSI Edit" MSC, which is the Swiss army knife for manipulating Active Directory's back end.<br />
<br />
'''Note:''' ktpass.exe is a command line utility, you will need to start a command prompt first. kerbtray.exe is a tray icon based application (hides in the tray on launch) and ldp.exe has a full GUI.<br />
<br />
=== Creating the accounts ===<br />
In my sample tree, I have a "Servers" OU that I use to store accounts for servers or service accounts in one location. If you haven't got one already (or something similar), I suggest that now is the time to create one.<br />
<br />
Please note that in the following section it appears important that these are users and not computers, and that there is one user per service (including one for the host). The logic for this appears to be that when using a single 'computer' account the key version number increases automatically, invalidating previously generated keys. There is a workaround that I haven't tested, available as a [http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/#comment-32694 comment on Scott Lowe's blog]. For those of us less daring, we'll go for the simpler option.<br />
<br />
Within that OU we're going to create two new "users". The first will be for the host itself and the second will be for Apache. <br />
In the new user screen set the:<br />
* first name to be "host" <br />
* last name to be '''SERVERNAME''', in our case "pie".<br />
* logon to be "host-'''SERVERNAME'''", so "host-pie"<br />
* click next and then tick the "password never expires" box and finish<br />
<br />
Repeat this with a second user, replacing instances of "host" with "HTTP". Please note that case matters, so ensure host is all lower case and HTTP is all upper case. Note the password that you gave the users, as you will use it again when creating the Kerberos keys.<br />
<br />
=== Creating the keytabs ===<br />
The next step is to create the keytab for both of the users. You will need to create a new command prompt window first, I suggest that using the one under the "Support Tools" menu item is the best way of achieving this goal. This is another find and replace operation, the command in question is:<br />
ktpass -princ <b>SERVICE</b>/<b>FQDN</b>@<b>REALM</b> -mapuser <b>DOMAIN\account</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>filename</b><br />
<br />
So we need to replace SERVICE, FQDN, REALM, the username you set the account to be, the password and give the tool a unique filename where it can output the file. Keep in mind that the downlevel version of our site is "SITE3" and that the service is either "host" or "HTTP". You may have other services depending on your setup but this isn't covered here.<br />
<br />
For simplicity I recommend creating a folder on your desktop or in your My Documents folder, navigating to this folder in the command prompt and then running the following commands. It places your keytabs in one central location, which makes finding them later, and updating them if need be, easy. I created a "keytabs" folder on the desktop to store the files in.<br />
<br />
The sample commands I used were the following:<br />
ktpass -princ host/<b>pie.digitalpaper.homelinux.net</b>@<b>SITE3.DIGITALPAPER.HOMELINUX.NET</b> -mapuser <b>SITE3\HOST-pie</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>host-pie.keytab</b><br />
ktpass -princ HTTP/<b>pie.digitalpaper.homelinux.net</b>@<b>SITE3.DIGITALPAPER.HOMELINUX.NET</b> -mapuser <b>SITE3\HTTP-pie</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>http-pie.keytab</b><br />
<br />
This will output a lot of data to the screen but should ultimately result in success, presuming that you've fed the tool the right account information. If you do encounter errors, check over the command to ensure that you haven't missed something out.<br />
<br />
Once we've created the keytabs we need to move them to the Linux server. The file "host-pie.keytab" will become /etc/krb5.keytab, and the file "http-pie.keytab" should be copied to a new folder, "/etc/apache2/keytab", so that we can use it later. This should be done in a secure manner, so I suggest using SCP or similar to transfer the files.<br />
<br />
=== Testing the keys ===<br />
Once the keys have been transferred to their relevant locations on the Linux server, we can test them with 'kinit' again, this time on the Linux server and using the keytab rather than a password. The command looks a little different:<br />
kinit -k <b>SERVICE</b>/<b>FQDN</b><br />
This will work for 'host' but will probably fail for the 'HTTP' service, because kinit looks in /etc/krb5.keytab by default; for HTTP we need to specify the location of its keytab with -t. The commands I used in this case were as follows:<br />
kinit -k host/<b>pie.digitalpaper.homelinux.net</b><br />
kinit -k -t /etc/apache2/keytab/http-<b>SERVERNAME</b>.keytab HTTP/<b>pie.digitalpaper.homelinux.net</b><br />
Note: this assumes that you've already copied the files to the correct locations. If you have transferred the HTTP key somewhere else, specify that path with -t instead. If everything is working properly you should not receive any error from these commands, and running 'klist' after each one should show that you hold a ticket for the relevant principal. If you do get an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page for guidance.<br />
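Beyond running kinit, it is worth inspecting what the keytabs actually contain before handing them to Apache. The following Python script is an added example and is not part of this guide or of JAuthTools: it parses the keytab file format directly, confirms that the expected principal is present with the right case (see the note on "host" versus "HTTP" above), warns when entries with several key version numbers have accumulated (the kvno problem noted when the accounts were created), and flags the single-DES keys that the ktpass command above generates, which current Active Directory and MIT Kerberos releases refuse by default. The principal and realm are the ones used in this guide; the key bytes are constructed dummies.<br />

```python
"""Inspect a Kerberos keytab without the krb5 tools (added example, not from the guide).

Parses the MIT/Heimdal keytab file format (version 0x0502) that ktpass writes and
kinit -k reads, checks that the expected service principal is present with the
right case and a single kvno, and flags single-DES keys: the guide's "-crypto
DES-CBC-MD5 +DesOnly" produces them, and current KDCs (Active Directory included)
and MIT krb5 1.18+ refuse them by default. All sample bytes are constructed inline.
"""
import struct

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1  # the -ptype the guide passes to ktpass
# Encryption type numbers from the IANA Kerberos registry; single DES and RC4 are weak.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def _read_counted(buf, pos):
    """Read a big-endian uint16 length prefix and the bytes that follow it."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, name_type, kvno, enctype, key."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted entry; skip the hole
            pos -= size
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry at offset %d" % (pos - 4))
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno; authoritative when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def build_keytab(entries):
    """Serialise dicts of the shape parse_keytab returns (used to construct samples)."""
    out = [struct.pack(">H", KEYTAB_VERSION)]
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1)
        body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
        body += struct.pack(">IIB", e.get("name_type", KRB5_NT_PRINCIPAL), 0, e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


def check_keytab(data, expected_principal):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_keytab(data)
    findings = []
    exact = [e for e in entries if e["principal"] == expected_principal]
    if not exact:
        # MIT's keytab lookup compares principal names case-sensitively, so a ticket
        # for HTTP/... cannot be decrypted with an entry that was stored as http/...
        hit = next((e["principal"] for e in entries
                    if e["principal"].lower() == expected_principal.lower()), None)
        findings.append("principal case mismatch: keytab holds %s, expected %s"
                        % (hit, expected_principal) if hit
                        else "principal %s not in keytab" % expected_principal)
    if len({e["kvno"] for e in exact}) > 1:
        findings.append("%s: several kvnos present; remove the stale entries left by "
                        "an earlier ktpass run" % expected_principal)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s: weak enctype %s (kvno %d)" % (
                e["principal"], ENCTYPE_NAMES[e["enctype"]], e["kvno"]))
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            findings.append("%s: unexpected name type %d" % (e["principal"], e["name_type"]))
    return findings


# Constructed samples: the entry the guide's ktpass call for the HTTP service yields
# (a DES key, here a dummy 8-byte value) and an AES256 equivalent for contrast.
HTTP_PRINC = "HTTP/pie.digitalpaper.homelinux.net@SITE3.DIGITALPAPER.HOMELINUX.NET"
GUIDE_STYLE_KEYTAB = build_keytab([{"principal": HTTP_PRINC, "kvno": 3, "enctype": 3, "key": bytes(8)}])
AES_KEYTAB = build_keytab([{"principal": HTTP_PRINC, "kvno": 3, "enctype": 18, "key": bytes(32)}])
```

To check a real file, call check_keytab() on the bytes of /etc/apache2/keytab/http-pie.keytab (or of /etc/krb5.keytab with the host principal); an empty list means the keytab passed every check.<br />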
<br />
== mod_auth_kerb Configuration ==<br />
The last part of this saga is configuring mod_auth_kerb to work properly in your environment. Presuming you have it installed properly, this is usually straightforward, as during installation the module is normally enabled automatically. Resolving the errors that result from misconfiguration can sometimes be a tad more problematic. If you do have an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page for guidance and make sure to check the Apache error log. You may also wish to increase the logging and debugging level of Apache to obtain more information about what is actually happening behind the scenes with Kerberos.<br />
<br />
=== Using a .htaccess file ===<br />
Presuming that the location you want to protect is configured to accept .htaccess files, you can use the following to protect the folder. You will probably need a Directory directive in your main Apache configuration file containing either an "AllowOverride All" or an "AllowOverride AuthConfig" directive.<br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms <b>REALM</b><br />
Krb5KeyTab /etc/apache2/keytab/http-<b>SERVERNAME</b>.keytab<br />
require valid-user<br />
<br />
=== Within the Apache configuration ===<br />
If you wrap the same directives used in your .htaccess file within either a Location directive or a Directory directive and then restart Apache, that location should be protected by Kerberos.<br />
<br />
=== Set up a test page ===<br />
You may wish to set up a test page in your location. As you are likely to have PHP available, I suggest creating a simple file called 'test.php' and putting in the file:<br />
<pre><?php phpinfo(); ?></pre><br />
This should give you a diagnostic page for PHP, which includes the server authentication variables passed to it. This way we will be able to see whether the user is in fact authenticated, who Apache has authenticated them as, and which method it used to do so.<br />
<br />
== Browser Configuration ==<br />
With any luck your changes are successful and now it's time to test them. Navigate to the directory you decided to protect (in my case I decided to use /kerberos) and you should either be let straight through or prompted for a username and password. Either way you should end up authenticated, and if you created the test.php file you can check the method. If you were let straight through you should have the Auth Type "Negotiate"; if you needed to type in a password your auth type will be "Basic" (this is "AUTH_TYPE" in the PHP info page if you are looking for it). Just above that field should be "REMOTE_USER", which should be set to your AD UPN, e.g. <b>username</b>@<b>REALM</b>. See the [[Kerberos/Browser Support|browser support]] page for information on browser support issues (as opposed to configuration).<br />
<br />
Some browsers (e.g. Safari on Mac; IE on Windows) will automatically work if the underlying layer is configured properly. <br />
<br />
=== IE Configuration ===<br />
There are two issues that may occur with IE. The first is that Integrated Windows Authentication is not enabled (the default for IE6) and the second is that it may think that the site isn't on the intranet.<br />
* The first is easy to solve. To enable the browser to respond to a Negotiate challenge and perform Kerberos authentication, select the "Enable Integrated Windows Authentication" check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser.<br />
* The second requires a tad more effort. Check, in the bottom right hand corner of the browser, which zone the site is in. If it is in the "Internet" zone then you will likely have issues. Double click on the zone and click on Local Intranet -> Sites -> Advanced -> Add. Then click Close or OK on all dialogs until you return to your browser. It should now identify the site as being in the local intranet. For alternative ways of solving this problem look at [http://support.microsoft.com/kb/303650 Microsoft KB article 303650] about "IE not correctly identifying sites in the intranet".<br />
<br />
If after all this has been done the user is still being prompted for a password, check the Apache logs for any errors that might have occurred. Keep in mind that the desktop needs to be joined to the domain for IE to function correctly with SSO.<br />
<br />
=== Firefox configuration ===<br />
Assuming that you have Kerberos set up on your client (e.g. a Windows machine joined to the domain, or a Linux or Mac OS X box set up to obtain a Kerberos ticket), all you should need to do is set "network.negotiate-auth.trusted-uris" to the name of your web server. With this it should work.<br />
<br />
=== Safari ===<br />
Safari has no configuration option: if Kerberos is working at the lower levels it 'just works', and if not then you've got to dig through the lower levels to work out what is wrong. This applies to both the Windows and Mac versions.<br />
<br />
= Sample Files =<br />
== Apache Configuration ==<br />
<pre><br />
<Location /kerberos><br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET<br />
Krb5KeyTab /etc/apache2/keytab/http-pie.keytab<br />
require valid-user<br />
</Location><br />
</pre><br />
<br />
== .htaccess File ==<br />
<pre><br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET<br />
Krb5KeyTab /etc/apache2/keytab/http-pie.keytab<br />
require valid-user<br />
</pre><br />
<br />
== resolv.conf ==<br />
<pre><br />
search digitalpaper.homelinux.net site3.digitalpaper.homelinux.net<br />
nameserver 192.168.1.20<br />
</pre><br />
<br />
== krb5.conf ==<br />
<pre><br />
[libdefaults]<br />
    default_realm = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
<br />
    # The following krb5.conf variables are only for MIT Kerberos.<br />
    krb4_config = /etc/krb.conf<br />
    krb4_realms = /etc/krb.realms<br />
    kdc_timesync = 1<br />
    ccache_type = 4<br />
    forwardable = true<br />
    proxiable = true<br />
<br />
    # The following libdefaults parameters are only for Heimdal Kerberos.<br />
    v4_instance_resolve = false<br />
    v4_name_convert = {<br />
        host = {<br />
            rcmd = host<br />
            ftp = ftp<br />
        }<br />
        plain = {<br />
            something = something-else<br />
        }<br />
    }<br />
    fcc-mit-ticketflags = true<br />
<br />
[realms]<br />
    SITE3.DIGITALPAPER.HOMELINUX.NET = {<br />
        kdc = 192.168.1.20<br />
        admin_server = 192.168.1.20<br />
    }<br />
<br />
[domain_realm]<br />
    .site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
    site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
    .digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
    digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
<br />
[login]<br />
    krb4_convert = true<br />
    krb4_get_tickets = false<br />
</pre><br />
<br />
<br />
<br />
[[Category:Kerberos]] [[Category:MSAD]] [[Category:Guide]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Quickstart_for_1.5Quickstart for 1.52009-02-22T07:48:19Z<p>Pasamio: /* SSO */</p>
<hr />
<div>This document contains a quickstart guide to getting things started with Joomla! 1.5<br />
<br />
= Out of the Box =<br />
By default Joomla! 1.5 provides the ability to use LDAP as an option for authentication within Joomla!. For most purposes this should suffice. However, this plugin does not provide all of the features that the JAuthTools LDAP SSI bot does for Joomla! 1.0, such as group mapping.<br />
<br />
If you want your Joomla! instance to authenticate against an LDAP directory (MSAD/Microsoft Active Directory, eDirectory, etc.) then all you need to do is configure this plugin. If you are having issues configuring the plugin (especially for MSAD) then you might wish to look at the JDiagnostic tool (http://joomlacode.org/gf/project/pasamioprojects/frs), which provides a wizard to configure MSAD based authentication.<br />
<br />
= Getting Started =<br />
Joomla! 1.5 has some new features that make installing the JAuthTools services in 1.5 different to the 1.0 method. This page is currently a draft.<br />
<br />
The easiest way to get started is to install the Advanced Tools for 1.5 extension. This gives your Joomla! 1.5 site the ability to install both packages and libraries, which makes your life easier later on. Before you install Advanced Tools, however, you need to ensure that the /libraries/joomla/installer/adapters folder is writeable by Joomla! so that the installer can put files there, in addition to the normal locations for files. Once you've done that, you can use the URL based installer to install the package straight off JoomlaCode, or download the package and install it by upload. At the time of writing the latest version of Advanced Tools was 1.5.1; you can check for updates at Pasamio's Projects FRS Site or download it directly from the following: http://joomlacode.org/gf/download/frsrelease/6797/22390/com_advancedtools.tgz<br />
<br />
Once Advanced Tools has installed successfully (Screenshot) you can continue to install the JAuthTools package. If some folders aren't writeable, the Advanced Tools installer might request that you copy files into /libraries/joomla/installer/adapters manually. For JAuthTools you will need to ensure the 'libraries' folder is writeable, as it will create a new 'jauthtools' folder there.<br />
<br />
<br />
== Libraries ==<br />
In Joomla! 1.5, libraries are available via a new interface designed to make the system more manageable. In 1.0 this system did not exist, which meant that libraries were typically installed with an extension or using a mambot. JAuthTools in 1.0 used the mambot method of installing new classes, which meant that the LDAP library was available to all extensions when the mambot was published. The new interface exposes libraries in a way similar to Java.<br />
<br />
=== Install the JAuthTools Libraries ===<br />
JAuthTools has two major libraries. The first is the SSO (Single Sign On) library, which is used to handle the SSO system, namely for Kerberos integration. The second is the User Source library, which is aimed at providing details on a given username, such as an email address. These libraries are available from the JAuthTools FRS site. The SSO system is dependent upon the User Source library, so to use SSO you will need to install the User Source library.<br />
<br />
Increasingly JAuthTools extensions are becoming reliant on a third library, the helper library. The helper library is a dependency for the eDirLDAP SSO plugin, the LDAP User Source plugin as well as the Advanced LDAP and Advanced GMail authentication plugins.<br />
<br />
All three of these libraries are available individually or in a pack called "pkg_jauthtools_core.tgz" for ease of installation.<br />
<br />
The other two libraries available from JAuthTools are the Token Login library and the OpenID library. Both of these are distributed on their own as well as within their own packages (OpenID and Token Login respectively).<br />
<br />
== Packages ==<br />
JAuthTools is comprised of a number of packages in addition to the Core JAuthTools packages.<br />
<br />
=== SSO ===<br />
The SSO system consists of a system plugin that bootstraps the SSO plugins. This package contains the SSO Manager Component, the SSO Module and the System SSO plugin.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (Includes SSO Plugins below)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36174/pkg_jauthtools_sso.tgz<br />
<br />
=== SSO Plugins ===<br />
SSO is a new type of plugin created for the system, and there are a few SSO plugins available by default. This means that SSO plugins can be controlled using the normal plugin manager interface. Additionally, since 1.5.4, there is an SSO manager and an SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (General SSO section)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36175/pkg_jauthtools_ssoplugins.tgz<br />
<br />
=== User Sources ===<br />
The User Sources system consists of three major plugins: the Sync System plugin and the LDAP and Session user source plugins. The sync plugin is designed to ensure a user is set to the appropriate group and the LDAP user source is designed to provide user information.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9531<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36177/pkg_jauthtools_usersource.tgz<br />
<br />
=== Extras ===<br />
There are two authentication plugins, Advanced GMail and Advanced LDAP, that are distributed with JAuthTools. There is also an LDAP user plugin that is available and the [[Context Login|context login module]]. This package is dependent upon the helper library (part of the Core package).<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9532<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36195/pkg_jauthtools_extras.tgz<br />
<br />
=== OpenID ===<br />
JAuthTools ships its own OpenID plugin. It was contributed by Ian MacLennan and hasn't undergone extensive testing yet. We're releasing OpenID in 1.5.4 as a beta release, looking towards doing some more work on it.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9533<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36173/pkg_jauthtools_openid.tgz<br />
<br />
=== Token Login ===<br />
Token Login is a new feature for 1.5.4 that allows you to easily integrate token logins into your Joomla! site. It ships with a token library for issuing tokens, a component that handles token issuing as well as editing and revocation, and a token login SSO plugin that can be used to log the user in.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9529<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36176/pkg_jauthtools_tokenlogin.tgz<br />
<br />
<br />
<br />
[[Category:Guide]] [[Category:Quickstart]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/DonationsDonations2009-02-17T12:28:29Z<p>Pasamio: /* For Money */</p>
<hr />
<div>I figured I should put up a donations page because there are some who have donated. Well, let's make it one.<br />
<br />
= Charitable Entities =<br />
* [http://www.microsoft.com.au Microsoft Australia] - Windows Server 2003 Enterprise Edition Evaluation (6 months); Shipped free of charge.<br />
<br />
= Requests =<br />
<br />
== For Software ==<br />
If you are from:<br />
* Apple<br />
* Novell<br />
* Sun<br />
<br />
And are interested in donating evaluation software (VM image works nicely) to ensure your product is tested against Joomla! please feel free to email me.<br />
<br />
== For Money ==<br />
If you are unable to donate software but would like to donate money I would happily request that you donate to my personal PayPal account. If you don't want to be acknowledged, please do so in the notes otherwise note down details under which you would like to be acknowledged with.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Quickstart_for_1.5Quickstart for 1.52009-02-08T12:19:28Z<p>Pasamio: /* Extras */</p>
<hr />
<div>This document contains a quickstart guide to getting things started with Joomla! 1.5<br />
<br />
= Out of the Box =<br />
By default Joomla! 1.5 provides the ability to use LDAP as an option for authentication within Joomla!. For most purposes this should suffice. However this extension does not provide all of the features that the JAuthTools LDAP SSI bot does for Joomla! 1.0 such as group mapping.<br />
<br />
If you want your Joomla! instance to authenticate across to an LDAP directory (MSAD/Microsoft Active Directory, eDirectory, etc) then all you need to do is configure this plugin. If you are having issues configuring the plugin (especially for MSAD) then you might wish to look at the JDiagnostic tool (http://joomlacode.org/gf/project/pasamioprojects/frs) which will give you a wizard to configure MSAD based authentication.<br />
<br />
= Getting Started =<br />
Joomla! 1.5 has some new features that make installing the JAuthTools services in 1.5 different to the 1.0 method. This page is currently a draft.<br />
<br />
The easiest way to get started is to install the Advanced Tools for 1.5 extension. This provides your Joomla! 1.5 site with the ability to install both packages and libraries, which makes your life easier along the line. Before you install Advanced Tools however, you need to ensure that the /libraries/joomla/installer/adapters folder is writeable by Joomla! so that the installer can put files there, in addition to the normal locations for files. Once you've done that, you can use the URL based installer to install the package straight off JoomlaCode or download and install the package by upload. At the time of writing the latest version of Advanced Tools was 1.5.1, you can check for updates at Pasamio's Projects FRS Site or directly download from the following: http://joomlacode.org/gf/download/frsrelease/6797/22390/com_advancedtools.tgz<br />
<br />
Once the Advanced Tools has installed successfully (Screenshot) you can continue to install the JAuthTools package. If some folders aren't writeable, the Advanced Tools installer might request that you copy files into /libraries/joomla/installer/adpaters manually. For JAuthTools you will need to ensure the 'libraries' folder is writeable as it will create a new 'jauthtools' folder there. <br />
<br />
<br />
== Libraries ==<br />
In Joomla! 1.5, libraries are available via a new interface designed to make the system more manageable. In 1.0 this system did not exist which meant that typically libraries were installed with an extension or using a mambot. JAuthTools in 1.0 used the mambot method of installing new classes which meant that the LDAP library was available for all extensions when the mambot was published. The new interface exposes libraries in a way similar to Java.<br />
<br />
=== Install the JAuthTools Libraries ===<br />
JAuthTools has two major libraries. The first is SSO, or Single Sign On, library which is used to handle the SSO system, namely for Kerberos integration. The second is the User Source library. The user source library is aimed at providing details on a given username, such as email address. There libraries are available from the JAuthTools FRS site. The SSO system is dependent upon the User Source library, so to use SSO you will need to install the User Source library.<br />
<br />
Increasingly JAuthTools extensions are becoming reliant on a third library, the helper library. The helper library is a dependency for the eDirLDAP SSO plugin, the LDAP User Source plugin as well as the Advanced LDAP and Advanced GMail authentication plugins.<br />
<br />
All three of these libraries are available individually or in a pack called "pkg_jauthtools_core.tgz" for ease of installation.<br />
<br />
The other two libraries available from JAuthTools are the Token Login library and the OpenID library. Both of these are distributed on their own as well as within their own packages (OpenID and Token Login respectively).<br />
<br />
== Packages ==<br />
JAuthTools is comprised of a number of packages in addition to the Core JAuthTools packages<br />
<br />
=== SSO ===<br />
The SSO system consists of a system plugin that bootstraps the SSO plugins. This package contains the SSO Manager Component, the SSO Module and the SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (Includes SSO Plugins below)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36174/pkg_jauthtools_sso.tgz<br />
<br />
=== SSO Plugins ===<br />
SSO is a new type of plugin created for the system and there are a few SSO plugins available by default. This means that SSO plugins can be controlled using the normal plugin manager interface. Additionally since 1.5.4, there is a SSO manager and SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (General SSO section)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36175/pkg_jauthtools_ssoplugins.tgz<br />
<br />
=== User Sources ===<br />
The User Sources system consists of three major plugins: the Sync System plugin and the LDAP and Session user source plugins. The sync plugin is designed to ensure a user is set to the appropriate group and the LDAP user source is designed to provide user information.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9531<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36177/pkg_jauthtools_usersource.tgz<br />
<br />
=== Extras ===<br />
There are two authentication plugins, Advanced GMail and Advanced LDAP, that are distributed with JAuthTools. There is also a LDAP user plugin that is available and the [[Context Login|context login module]]. This package is dependent upon the helper library (part of the Core package).<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9532<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36195/pkg_jauthtools_extras.tgz<br />
<br />
=== OpenID ===<br />
JAuthTools ships one of its own OpenID plugins. It was contributed by Ian MacLennan and hasn't undergone extensive testing yet. We're releasing OpenID in 1.5.4 as a beta release looking towards doing some more work.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9533<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36173/pkg_jauthtools_openid.tgz<br />
<br />
=== Token Login ===<br />
Token Login is a new feature for 1.5.4 that allows you to easily integrating token logins into your Joomla! site. It ships with a token library for issuing tokens, a component that handles token issuing as well as editing and revocation and a token login SSO plugin that can be used to log the user in.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9529<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36176/pkg_jauthtools_tokenlogin.tgz<br />
<br />
<br />
<br />
[[Category:Guide]] [[Category:Quickstart]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Quickstart_for_1.5Quickstart for 1.52009-02-08T05:42:52Z<p>Pasamio: /* Extras */</p>
<hr />
<div>This document contains a quickstart guide to getting things started with Joomla! 1.5<br />
<br />
= Out of the Box =<br />
By default Joomla! 1.5 provides the ability to use LDAP as an option for authentication within Joomla!. For most purposes this should suffice. However this extension does not provide all of the features that the JAuthTools LDAP SSI bot does for Joomla! 1.0 such as group mapping.<br />
<br />
If you want your Joomla! instance to authenticate across to an LDAP directory (MSAD/Microsoft Active Directory, eDirectory, etc) then all you need to do is configure this plugin. If you are having issues configuring the plugin (especially for MSAD) then you might wish to look at the JDiagnostic tool (http://joomlacode.org/gf/project/pasamioprojects/frs) which will give you a wizard to configure MSAD based authentication.<br />
<br />
= Getting Started =<br />
Joomla! 1.5 has some new features that make installing the JAuthTools services in 1.5 different to the 1.0 method. This page is currently a draft.<br />
<br />
The easiest way to get started is to install the Advanced Tools for 1.5 extension. This provides your Joomla! 1.5 site with the ability to install both packages and libraries, which makes your life easier along the line. Before you install Advanced Tools however, you need to ensure that the /libraries/joomla/installer/adapters folder is writeable by Joomla! so that the installer can put files there, in addition to the normal locations for files. Once you've done that, you can use the URL based installer to install the package straight off JoomlaCode or download and install the package by upload. At the time of writing the latest version of Advanced Tools was 1.5.1, you can check for updates at Pasamio's Projects FRS Site or directly download from the following: http://joomlacode.org/gf/download/frsrelease/6797/22390/com_advancedtools.tgz<br />
<br />
Once the Advanced Tools has installed successfully (Screenshot) you can continue to install the JAuthTools package. If some folders aren't writeable, the Advanced Tools installer might request that you copy files into /libraries/joomla/installer/adpaters manually. For JAuthTools you will need to ensure the 'libraries' folder is writeable as it will create a new 'jauthtools' folder there. <br />
<br />
<br />
== Libraries ==<br />
In Joomla! 1.5, libraries are available via a new interface designed to make the system more manageable. In 1.0 this system did not exist which meant that typically libraries were installed with an extension or using a mambot. JAuthTools in 1.0 used the mambot method of installing new classes which meant that the LDAP library was available for all extensions when the mambot was published. The new interface exposes libraries in a way similar to Java.<br />
<br />
=== Install the JAuthTools Libraries ===<br />
JAuthTools has two major libraries. The first is SSO, or Single Sign On, library which is used to handle the SSO system, namely for Kerberos integration. The second is the User Source library. The user source library is aimed at providing details on a given username, such as email address. There libraries are available from the JAuthTools FRS site. The SSO system is dependent upon the User Source library, so to use SSO you will need to install the User Source library.<br />
<br />
Increasingly JAuthTools extensions are becoming reliant on a third library, the helper library. The helper library is a dependency for the eDirLDAP SSO plugin, the LDAP User Source plugin as well as the Advanced LDAP and Advanced GMail authentication plugins.<br />
<br />
All three of these libraries are available individually or in a pack called "pkg_jauthtools_core.tgz" for ease of installation.<br />
<br />
The other two libraries available from JAuthTools are the Token Login library and the OpenID library. Both of these are distributed on their own as well as within their own packages (OpenID and Token Login respectively).<br />
<br />
== Packages ==<br />
JAuthTools is comprised of a number of packages in addition to the Core JAuthTools packages<br />
<br />
=== SSO ===<br />
The SSO system consists of a system plugin that bootstraps the SSO plugins. This package contains the SSO Manager Component, the SSO Module and the SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (Includes SSO Plugins below)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36174/pkg_jauthtools_sso.tgz<br />
<br />
=== SSO Plugins ===<br />
SSO is a new type of plugin created for the system and there are a few SSO plugins available by default. This means that SSO plugins can be controlled using the normal plugin manager interface. Additionally since 1.5.4, there is a SSO manager and SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (General SSO section)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36175/pkg_jauthtools_ssoplugins.tgz<br />
<br />
=== User Sources ===<br />
The User Sources system consists of three major plugins: the Sync System plugin and the LDAP and Session user source plugins. The sync plugin is designed to ensure a user is set to the appropriate group and the LDAP user source is designed to provide user information.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9531<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36177/pkg_jauthtools_usersource.tgz<br />
<br />
=== Extras ===<br />
There are two authentication plugins, Advanced GMail and Advanced LDAP, that are distributed with JAuthTools. There is also a LDAP user plugin that is available and the [[Context Login|context login module]]. This package is dependent upon the helper library (part of the Core package).<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9532<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36192/pkg_jauthtools_extras.tgz<br />
<br />
=== OpenID ===<br />
JAuthTools ships one of its own OpenID plugins. It was contributed by Ian MacLennan and hasn't undergone extensive testing yet. We're releasing OpenID in 1.5.4 as a beta release looking towards doing some more work.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9533<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36173/pkg_jauthtools_openid.tgz<br />
<br />
=== Token Login ===<br />
Token Login is a new feature for 1.5.4 that allows you to easily integrate token logins into your Joomla! site. It ships with a token library for issuing tokens, a component that handles token issuing as well as editing and revocation, and a token login SSO plugin that can be used to log the user in.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9529<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36176/pkg_jauthtools_tokenlogin.tgz<br />
<br />
<br />
<br />
[[Category:Guide]] [[Category:Quickstart]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Quickstart_for_1.5Quickstart for 1.52009-02-08T05:38:40Z<p>Pasamio: /* Extras */</p>
<hr />
<div>This document contains a quickstart guide to getting things started with Joomla! 1.5.<br />
<br />
= Out of the Box =<br />
By default Joomla! 1.5 provides the ability to use LDAP as an option for authentication within Joomla!. For most purposes this should suffice. However, this extension does not provide all of the features that the JAuthTools LDAP SSI bot does for Joomla! 1.0, such as group mapping.<br />
<br />
If you want your Joomla! instance to authenticate across to an LDAP directory (MSAD/Microsoft Active Directory, eDirectory, etc) then all you need to do is configure this plugin. If you are having issues configuring the plugin (especially for MSAD) then you might wish to look at the JDiagnostic tool (http://joomlacode.org/gf/project/pasamioprojects/frs) which will give you a wizard to configure MSAD based authentication.<br />
<br />
= Getting Started =<br />
Joomla! 1.5 has some new features that make installing the JAuthTools services in 1.5 different from the 1.0 method. This page is currently a draft.<br />
<br />
The easiest way to get started is to install the Advanced Tools for 1.5 extension. This provides your Joomla! 1.5 site with the ability to install both packages and libraries, which makes your life easier further along the line. Before you install Advanced Tools, however, you need to ensure that the /libraries/joomla/installer/adapters folder is writeable by Joomla! so that the installer can put files there, in addition to the normal locations for files. Once you've done that, you can use the URL based installer to install the package straight off JoomlaCode, or download the package and install it by upload. At the time of writing the latest version of Advanced Tools was 1.5.1; you can check for updates at Pasamio's Projects FRS site or download it directly from the following: http://joomlacode.org/gf/download/frsrelease/6797/22390/com_advancedtools.tgz<br />
<br />
Once Advanced Tools has installed successfully (Screenshot) you can continue to install the JAuthTools package. If some folders aren't writeable, the Advanced Tools installer might request that you copy files into /libraries/joomla/installer/adapters manually. For JAuthTools you will need to ensure the 'libraries' folder is writeable, as it will create a new 'jauthtools' folder there.<br />
<br />
<br />
== Libraries ==<br />
In Joomla! 1.5, libraries are available via a new interface designed to make the system more manageable. In 1.0 this system did not exist, which meant that libraries were typically installed with an extension or using a mambot. JAuthTools in 1.0 used the mambot method of installing new classes, which meant that the LDAP library was available for all extensions when the mambot was published. The new interface exposes libraries in a way similar to Java.<br />
<br />
=== Install the JAuthTools Libraries ===<br />
JAuthTools has two major libraries. The first is the SSO, or Single Sign On, library, which is used to handle the SSO system, namely for Kerberos integration. The second is the User Source library, which is aimed at providing details on a given username, such as an email address. These libraries are available from the JAuthTools FRS site. The SSO system is dependent upon the User Source library, so to use SSO you will need to install the User Source library.<br />
<br />
Increasingly JAuthTools extensions are becoming reliant on a third library, the helper library. The helper library is a dependency for the eDirLDAP SSO plugin, the LDAP User Source plugin as well as the Advanced LDAP and Advanced GMail authentication plugins.<br />
<br />
All three of these libraries are available individually or in a pack called "pkg_jauthtools_core.tgz" for ease of installation.<br />
<br />
The other two libraries available from JAuthTools are the Token Login library and the OpenID library. Both of these are distributed on their own as well as within their own packages (Token Login and OpenID respectively).<br />
<br />
== Packages ==<br />
JAuthTools is made up of a number of packages in addition to the Core JAuthTools packages.<br />
<br />
=== SSO ===<br />
The SSO system consists of a system plugin that bootstraps the SSO plugins. This package contains the SSO Manager component and the SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (Includes SSO Plugins below)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36174/pkg_jauthtools_sso.tgz<br />
<br />
=== SSO Plugins ===<br />
SSO is a new type of plugin created for the system, and there are a few SSO plugins available by default. This means that SSO plugins can be controlled using the normal plugin manager interface. Additionally, since 1.5.4 there is an SSO manager and an SSO module.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9528 (General SSO section)<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36175/pkg_jauthtools_ssoplugins.tgz<br />
<br />
=== User Sources ===<br />
The User Sources system consists of three major plugins: the Sync System plugin and the LDAP and Session user source plugins. The sync plugin is designed to ensure a user is set to the appropriate group and the LDAP user source is designed to provide user information.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9531<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36177/pkg_jauthtools_usersource.tgz<br />
<br />
=== Extras ===<br />
There are two authentication plugins, Advanced GMail and Advanced LDAP, that are distributed with JAuthTools. There is also an LDAP user plugin, the JAuthTools helper library to support it, and the [[Context Login|context login module]].<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9532<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36192/pkg_jauthtools_extras.tgz<br />
<br />
=== OpenID ===<br />
JAuthTools ships one of its own OpenID plugins. It was contributed by Ian MacLennan and hasn't undergone extensive testing yet. We're releasing OpenID in 1.5.4 as a beta release looking towards doing some more work.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9533<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36173/pkg_jauthtools_openid.tgz<br />
<br />
=== Token Login ===<br />
Token Login is a new feature for 1.5.4 that allows you to easily integrate token logins into your Joomla! site. It ships with a token library for issuing tokens, a component that handles token issuing as well as editing and revocation, and a token login SSO plugin that can be used to log the user in.<br />
<br />
* Check them out here: http://joomlacode.org/gf/project/jauthtools/frs/?action=FrsReleaseView&release_id=9529<br />
* All-in-One Package: http://joomlacode.org/gf/download/frsrelease/9530/36176/pkg_jauthtools_tokenlogin.tgz<br />
<br />
<br />
<br />
[[Category:Guide]] [[Category:Quickstart]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/LDAP_Tools/Sun_OneLDAP Tools/Sun One2009-02-02T04:21:31Z<p>Pasamio: New page: Whilst SunOne has been tested, there are no specific configuration issues noted.</p>
<hr />
<div>Whilst SunOne has been tested, there are no specific configuration issues noted.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Kerberos/Kerberos_and_DebianKerberos/Kerberos and Debian2009-01-20T18:07:17Z<p>Pasamio: /* Linux box setup */</p>
<hr />
<div>This guide covers Windows Server 2003 and Debian 4.0 configuration. Please note that there are known issues with 2003 SP1; I suggest upgrading to SP2/R2 where possible to resolve these issues before you start. Alternatively, look at the Kerberos page and view the links mentioning 2003 SP1 issues. If you want to continue with 2003 SP1, consult [http://support.microsoft.com/kb/919557 Microsoft KB 919557]. If you have issues you may wish to look at the [[Kerberos/Troubleshooting|Kerberos Troubleshooting]] page to see if your specific error is listed. Active Directory has a habit of being case sensitive for some interfaces (typically non-MS ones) and very forgiving of case in others (typically MS tools). Case is always important, so make sure that everything is typed exactly as shown.<br />
<br />
= Before we begin =<br />
== Terminology ==<br />
The following terms are more or less equivalent and may be used interchangeably. Some are placeholders for values you must substitute with your own; for reference they are all listed here:<br />
{| border=1<br />
| Kerberos realm || Active Directory Domain, Active Directory Site; typically this means writing the site name in capitals, see below<br />
|-<br />
| REALM || Your AD realm, typically your DNS site name all in capitals; in this case it's SITE3.DIGITALPAPER.HOMELINUX.NET<br />
|-<br />
| SERVERNAME || Substitute this with the name of your Linux server<br />
|-<br />
| FQDN || The fully qualified domain name; you may need to fill this in for specific commands<br />
|}<br />
<br />
Where possible, items requiring replacement are marked in bold.<br />
<br />
== AD Domain Setup ==<br />
The setup in this case is slightly unusual. There are two servers, one called "pie" (Debian 4.0) and another called "notpie" (Windows 2003). "notpie" has the AD site "site3.digitalpaper.homelinux.net" assigned to it, and its DNS also contains entries for the digitalpaper.homelinux.net domain. "pie" is not a member of the domain and is not actually in the same subdomain. For reference:<br />
{| border=1<br />
! Server Name !! FQDN !! IP address<br />
|-<br />
| notpie || notpie.site3.digitalpaper.homelinux.net || 192.168.1.20<br />
|-<br />
| pie || pie.digitalpaper.homelinux.net || 192.168.1.10<br />
|}<br />
<br />
We want to authenticate requests to Apache on pie from clients in the Kerberos realm SITE3.DIGITALPAPER.HOMELINUX.NET (the site name all in caps) in a way that doesn't require a password, using their domain logins instead. A noble goal, and for bonus marks we're mixing our domains around a bit. The down level (pre 2000) name for the domain is "SITE3".<br />
<br />
From this point, I'm going to assume that the above is set up already and working properly.<br />
<br />
== Linux box setup ==<br />
I'm assuming you have a working Debian 4.0 machine with Apache 2 up and running. Some of the instructions are specific to Apache 2; if you are using Apache 1 you will likely need to modify them slightly (possibly removing the "2"). The machine should have an IP address and DNS hostname assigned to it within the Active Directory Domain Controller's DNS server, or in a DNS server that both machines can use. For the purposes of this tutorial we are going to assume that your domain controller is your DNS server and that your Linux server exists in its DNS properly. We only have two machines, the Linux box and the domain controller, so if your setup is different, some of the values used may not meet this assumption. You will have to change them where necessary. I would also advise installing and configuring NTP to point to your domain controller to ensure that your time is synchronised; otherwise clock skew errors may appear.<br />
<br />
No matter where your DNS is located you will need to ensure that forward and reverse lookups for the Linux box are properly working so that you can resolve it appropriately.<br />
<br />
I'm also going to presume that you have Joomla! 1.5 set up and installed with the LDAP plugins configured properly and working. Ideally, if you already have a Joomla! site authenticating to Active Directory, this would be a useful point to launch from. Since we're trying to get SSO working, the Joomla! 1.5 site obviously needs to be on the same server.<br />
<br />
= System Configuration =<br />
<br />
== Linux Configuration ==<br />
Our first port of call is to set up the Linux server to look towards the AD domain. You may or may not have done this already. Most of the files referenced exist as full copies at the end of this page for reference.<br />
<br />
=== Installing software ===<br />
Before we begin, we're going to need some tools installed:<br />
<pre>sudo aptitude install krb5-user libapache2-mod-auth-kerb</pre><br />
<br />
Please note that this will also install krb5-config, which will request information such as your KDC and similar servers as well as the realm. Depending on your debconf configuration, it may automatically detect the realm from the FQDN of the machine. If this assumption is wrong (as it was for mine) then you will need to reconfigure the package to work properly and enter the appropriate default realm:<br />
<pre>sudo dpkg-reconfigure krb5-config</pre><br />
And fill in the values properly.<br />
<br />
If you have already got krb5-config installed it may be worthwhile reconfiguring it anyway to validate that the settings it has are correct. If it is wrong it will cause you issues further along.<br />
<br />
<br />
=== /etc/resolv.conf ===<br />
Since we've got two domains we care about (the one "pie" is in and the AD domain that "notpie" is in), the following configures the Linux machine to search both domains and use the AD domain controller as its nameserver.<br />
<pre><br />
search site3.digitalpaper.homelinux.net digitalpaper.homelinux.net<br />
nameserver 192.168.1.20<br />
</pre><br />
<br />
=== /etc/hosts ===<br />
One of the useful tidbits I've picked up is ensuring that your local hosts file is set up with the correct external IP address for the DNS domain name and not pointing back to everyone's favourite IP address 127.0.0.1:<br />
<pre><br />
192.168.1.10 pie.digitalpaper.homelinux.net pie<br />
</pre><br />
<br />
The order is also important, make sure that the FQDN is before the shorter name. Using the external interface address instead of local loopback is also important and will help us to avoid other issues later on with Kerberos.<br />
<br />
=== /etc/krb5.conf ===<br />
This is the main Kerberos configuration file; Debian will automatically generate this file for you when you install the krb5-config package. With any luck, it should look like the sample at the end of this document with your values instead of mine and probably a bit more junk. In my dual-domain situation, I needed to make one more modification in the [domain_realm] section of the file to add the domain for pie. This enables the server to find the correct realm for itself. There should be some lines there already, but it looks like this when completed:<br />
<pre><br />
[domain_realm]<br />
.site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
</pre><br />
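To see why the two extra lines matter, here is an added example (not part of this guide and not MIT krb5's own code) that re-implements the [domain_realm] lookup order: exact hostname first, then each parent domain with a leading dot. The config text is constructed from the values above; function names are this example's own.<br />
<br />
```python
"""Resolve a host's Kerberos realm from krb5.conf's [domain_realm] section.

Added example: models the lookup order that the mapping relies on, so a
mapping can be checked before it is trusted on a live box.
"""
import re

# Constructed sample: the guide's [domain_realm] block after the two
# digitalpaper.homelinux.net lines were added, plus a [libdefaults] section.
KRB5_CONF = """
[libdefaults]
    default_realm = SITE3.DIGITALPAPER.HOMELINUX.NET
    dns_lookup_realm = false

[domain_realm]
    .site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
    site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
    .digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
    digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat 'key = value' lines.

    Nested { } blocks (e.g. per-realm settings under [realms]) are skipped;
    only [libdefaults] and [domain_realm] matter here.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m and depth == 0:
            current = sections.setdefault(m.group(1), {})
            continue
        # Track brace nesting so keys inside { } are not taken as flat keys.
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is not None and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def mapped_realm(domain_realm, hostname):
    """Apply the [domain_realm] lookup order to a hostname.

    The exact hostname is tried first (a key without a leading dot matches
    only that name); then each parent domain is tried with a leading dot,
    which matches any host below it. Keys compare case-insensitively.
    Returns None when nothing matches.
    """
    table = {k.lower(): v for k, v in domain_realm.items()}
    host = hostname.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def realm_for_host(conf, hostname):
    """Realm used for hostname, including the default_realm fallback that
    applies when no [domain_realm] entry matches."""
    realm = mapped_realm(conf.get("domain_realm", {}), hostname)
    if realm is None:
        realm = conf.get("libdefaults", {}).get("default_realm")
    return realm


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for h in ("pie.digitalpaper.homelinux.net",
              "notpie.site3.digitalpaper.homelinux.net",
              "other.example.net"):
        print(h, "->", mapped_realm(conf["domain_realm"], h),
              "| with fallback:", realm_for_host(conf, h))
```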
<br />
At this point we should be able to authenticate as a Kerberos user and obtain a Kerberos ticket, so let's authenticate as a user with kinit to check that things work:<br />
kinit <b>username</b><br />
Password for <b>username</b>@<b>REALM</b>: (type users password here)<br />
With any luck this will complete without error. If you do encounter an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page to see how you can resolve the issue. You may also optionally specify a realm instead of just the username but the command should default to the correct realm anyway.<br />
<br />
=== Samba Note ===<br />
If you're using Samba, you may wish to check out a comment on Scott Lowe's guide on Kerberos SSO with Apache from [http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/#comment-4003 Emmanuel Gomez]. In theory, this should absolve you from having to do any configuration on the Windows side and your keytab for both the operating system and Apache would be one file. I haven't tried this option, and prefer the method detailed below.<br />
<br />
<br />
== Windows configuration ==<br />
Presuming that this is all done we now need to configure AD with accounts for the Linux box and Apache. <br />
<br />
=== Installing software ===<br />
You will need the Windows 2003 Support Tools, otherwise your install won't have ktpass.exe and other useful utilities (ldp.exe and kerbtray.exe are two hidden jewels of the system). These must be installed before you can continue. I would advise that you at least log off and log on again (or if possible restart) after installing these tools so that the path is available; otherwise you will need to type commands like the following to get to the tools:<br />
<pre>"C:\Program Files\Support Tools\ktpass.exe"</pre><br />
<br />
If you have issues where you get the error "command not recognized" or similar, you may need to use the full path to the tool. Restarting the server or cycling your login should resolve these issues.<br />
<br />
The Support Tools also include the "ADSI Edit" MSC which is the swiss army knife of manipulating Active Directory's back end.<br />
<br />
=== Creating the accounts ===<br />
In my sample tree, I have a "Servers" OU that I use to store accounts for servers or service accounts in one location. If you haven't got one already (or something similar), I suggest that now is the time to create one.<br />
<br />
Please note here that it appears important that the accounts created in the following section are users and not computers, and that there is one user per service (including one for the host). The logic for this appears to be that when using a single 'computer' account the key version number increases automatically, invalidating previously generated keys. There is a workaround that I haven't tested available as a [http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/#comment-32694 comment on Scott Lowe's blog]. For those of us less daring, we'll go for the simpler option.<br />
<br />
Within that OU we're going to create two new "users". The first will be for the host itself and the second will be for Apache. <br />
In the new user screen set the:<br />
* first name to be "host" <br />
* last name to be '''SERVERNAME''', in our case "pie".<br />
* logon to be "host-'''SERVERNAME'''", so "host-pie"<br />
* click next and then tick the "password never expires" box and finish<br />
<br />
Repeat this with a second user, replacing instances of "host" with "HTTP". Please note that case matters, so ensure host is all lower case and HTTP is all upper case. Note the password that you gave the users, as you will use it again when creating the Kerberos keys.<br />
<br />
=== Creating the keytabs ===<br />
The next step is to create the keytab for both of the users. This is another find-and-replace operation; the command in question is:<br />
ktpass -princ <b>SERVICE</b>/<b>FQDN</b>@<b>REALM</b> -mapuser <b>DOMAIN\account</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>filename</b><br />
<br />
So we need to replace SERVICE, FQDN, REALM, the username you set the account to be and the password, and give the tool a unique filename where it can output the file. Keep in mind that the downlevel version of our site is "SITE3" and that the service is either "host" or "HTTP". You may have other services depending on your setup, but this isn't covered here. The "-crypto DES-CBC-MD5 +DesOnly" options reflect the Windows 2003 era of this guide: DES is a weak encryption type that current Kerberos implementations disable by default, so on newer systems choose a stronger encryption type that both your domain controller and your Linux Kerberos library support.<br />
<br />
For simplicity I recommend creating a folder on your desktop or in your My Documents folder and navigating to this folder in the terminal and then running the following commands. It places your keytabs in one central location which makes finding them later and updating them if need be easy. I created a "keytabs" folder on the desktop to store the files in.<br />
<br />
The sample commands I used were the following:<br />
ktpass -princ host/<b>pie.digitalpaper.homelinux.net</b>@<b>SITE3.DIGITALPAPER.HOMELINUX.NET</b> -mapuser <b>SITE3\HOST-pie</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>host-pie.keytab</b><br />
ktpass -princ HTTP/<b>pie.digitalpaper.homelinux.net</b>@<b>SITE3.DIGITALPAPER.HOMELINUX.NET</b> -mapuser <b>SITE3\HTTP-pie</b> -crypto DES-CBC-MD5 +DesOnly -pass <b>password</b> -ptype KRB5_NT_PRINCIPAL -out <b>http-pie.keytab</b><br />
<br />
This will output a lot of data to the screen but should ultimately result in success, presuming that you've fed the account the right information. If you do encounter errors, check over the command to ensure that you haven't missed something out.<br />
<br />
Once we've created the keytabs we need to shift them to the Linux server. The file "host-pie.keytab" will become /etc/krb5.keytab and the file "http-pie.keytab" should be copied to a new folder, "/etc/apache2/keytab", so that we can use it later. This should be done in a secure manner, so I suggest using SCP or similar to transfer the files. Keytabs are long-lived credentials for these accounts, so once copied make sure each file is readable only by root and, for the HTTP keytab, the user Apache runs as.<br />
<br />
=== Testing the keys ===<br />
Once the keys have been transferred to their relevant location on the Linux server, we can test them to see if they are working properly with 'kinit' again on the Linux server. This time the command looks a little different:<br />
kinit -k <b>SERVICE</b>/<b>FQDN</b><br />
This will work for 'host' but will probably fail for the 'HTTP' service, for that we will need to specify a location for the keytab. The commands I used in this case were as follows:<br />
kinit -k host/<b>pie.digitalpaper.homelinux.net</b><br />
kinit -k -t /etc/apache2/keytab/http-<b>SERVERNAME</b>.keytab HTTP/<b>pie.digitalpaper.homelinux.net</b><br />
Note: This assumes that you've copied the files to the correct location already. If you have transferred the HTTP key to a different location you may wish to specify a different value for -t. If everything is working properly you should not receive any error from these commands, and running 'klist' after each one should show that you have a ticket for the respective account. If you do have an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page for guidance.<br />
<br />
== mod_auth_kerb Configuration ==<br />
The last part of this saga is configuring mod_auth_kerb to work properly in your environment. Presuming you have it installed properly, this is usually straightforward, as during installation the module is normally enabled automatically. Resolving the errors resulting from configuration can sometimes be a tad more problematic. If you do have an error, check out the [[Kerberos/Troubleshooting|Kerberos troubleshooting]] page for guidance and make sure to check the Apache error log. You may also wish to increase the logging and debugging level of Apache to obtain more information about what is actually happening behind the scenes with Kerberos.<br />
<br />
=== Using a .htaccess file ===<br />
Presuming that the location you want to protect is configured to accept .htaccess files, you can use the following to protect the folder. You will probably need a Directory directive in your main Apache configuration file with either an "AllowOverride All" or "AllowOverride AuthConfig" directive. Of the directives that follow, KrbMethodNegotiate On enables ticket-based SSO and KrbMethodK5Passwd On enables the fallback to Basic authentication (the password is sent to Apache and verified against the KDC); set the latter to Off if only ticket-based logins should be accepted.<br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms <b>REALM</b><br />
Krb5KeyTab /etc/apache2/keytab/http-<b>SERVERNAME</b>.keytab<br />
require valid-user<br />
<br />
=== Within the Apache configuration ===<br />
If you wrap the same directives used in your .htaccess file within either a Location directive or a Directory directive and then restart Apache, this location should be protected by Kerberos.<br />
<br />
=== Set up a test page ===<br />
You may wish to set up a test page in your location. As you are likely to have PHP available, I suggest creating a simple file called 'test.php' and putting in the file:<br />
<pre><?php phpinfo(); ?></pre><br />
This should give you a diagnostic of PHP, which includes the server authentication variables passed to it. This way we will be able to see whether the user is in fact authenticated, who Apache has authenticated them as, and which method it used to do so.<br />
<br />
== Browser Configuration ==<br />
With any luck your changes are successful and now it's time to test it. Navigate to the directory you decided to protect (in my case I decided to use /kerberos) and you should either be let directly through or be prompted for a username and password. Either way you should end up authenticated, and if you created the test.php file you can validate the method. If you were let directly through you should have the Auth Type "Negotiate"; if you needed to type in a password your auth type will be "Basic" (this is "AUTH_TYPE" in the PHP info page if you are looking for it). Just above that field should be "REMOTE_USER", which should be set to your AD UPN, e.g. <b>username</b>@<b>REALM</b>. See the [[Kerberos/Browser Support|browser support]] page for information in relation to browser support issues (not configuration).<br />
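Rather than exposing the whole of phpinfo() on a protected path, the following test page, an added example that is not part of the original guide, reports only the variables mod_auth_kerb sets and confirms that REMOTE_USER carries the expected realm; the EXPECTED_REALM value and the function names are assumptions.<br />

```php
<?php
// Added example (not part of the original guide): a minimal replacement for
// the phpinfo() test page. It reports only the variables mod_auth_kerb hands
// to PHP and checks that the authenticated principal belongs to the realm
// named in KrbAuthRealms. EXPECTED_REALM is an assumed value; use your own.
define('EXPECTED_REALM', 'SITE3.DIGITALPAPER.HOMELINUX.NET');

// Split a principal of the form user@REALM into its two parts.
// Returns null when the value is not in that form.
function parsePrincipal($principal)
{
    $at = strrpos($principal, '@');
    if ($at === false || $at === 0 || $at === strlen($principal) - 1) {
        return null;
    }
    return array(
        'user'  => substr($principal, 0, $at),
        'realm' => substr($principal, $at + 1),
    );
}

// Evaluate the server variables set by mod_auth_kerb. $server is normally
// $_SERVER; it is passed in so the check can be exercised with a constructed
// array outside Apache.
function checkKerberosAuth(array $server, $expectedRealm)
{
    $result = array(
        'authenticated' => false,
        'method'        => isset($server['AUTH_TYPE']) ? $server['AUTH_TYPE'] : '(none)',
        'user'          => null,
        'realm'         => null,
        'message'       => '',
    );

    if (empty($server['REMOTE_USER'])) {
        $result['message'] = 'REMOTE_USER is not set: Apache did not authenticate this request.';
        return $result;
    }

    $parts = parsePrincipal($server['REMOTE_USER']);
    if ($parts === null) {
        $result['message'] = 'REMOTE_USER is not in user@REALM form.';
        return $result;
    }
    $result['user']  = $parts['user'];
    $result['realm'] = $parts['realm'];

    // Realms are compared case-sensitively: Kerberos realms are conventionally
    // upper case, and a different realm means a different KDC issued the ticket.
    if ($parts['realm'] !== $expectedRealm) {
        $result['message'] = 'Principal is from realm ' . $parts['realm']
            . ', not the expected ' . $expectedRealm . '.';
        return $result;
    }

    $result['authenticated'] = true;
    // "Negotiate" means the browser completed Kerberos (true SSO);
    // "Basic" means KrbMethodK5Passwd accepted a typed password instead.
    $result['message'] = ($result['method'] === 'Negotiate')
        ? 'Authenticated via Kerberos ticket (SSO).'
        : 'Authenticated via password fallback (' . $result['method'] . ').';
    return $result;
}

// Render only when served by Apache, so the functions can also be included
// from a command-line script that supplies a constructed $server array.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
    $r = checkKerberosAuth($_SERVER, EXPECTED_REALM);
    printf("AUTH_TYPE:   %s\n", $r['method']);
    printf("REMOTE_USER: %s\n", isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '(unset)');
    printf("User:        %s\n", $r['user'] === null ? '-' : $r['user']);
    printf("Realm:       %s\n", $r['realm'] === null ? '-' : $r['realm']);
    printf("Status:      %s\n", $r['message']);
}
```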
<br />
Some browsers (e.g. Safari on Mac; IE on Windows) will automatically work if the underlying layer is configured properly. <br />
<br />
=== IE Configuration ===<br />
There are two issues that may occur with IE. The first is that Integrated Windows Authentication is not enabled (the default for IE6) and the second is that it may think that the site isn't on the intranet.<br />
* The first is easy to solve: to enable the browser to respond to a negotiate challenge and perform Kerberos authentication, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser.<br />
* The second requires a tad more effort: check in the bottom right hand corner which zone the site is in. If it is in the "Internet" zone then you will likely have issues. Double click on this and click on Local Intranet -> Sites -> Advanced -> Add. Then click Close or OK on all dialogues until you return to your browser. It should now identify the site as being in the local intranet. For alternate ways of solving this problem look at [http://support.microsoft.com/kb/303650 Microsoft KB article 303650] about "IE not correctly identifying sites in the intranet".<br />
<br />
If after this has all been done the user is still being prompted for a password, check the Apache logs for any errors that might have occurred. Keep in mind that the desktop needs to be joined to the domain for IE to function correctly with SSO.<br />
<br />
=== Firefox configuration ===<br />
Assuming that you have Kerberos set up on your client (e.g. Windows machine joined to the domain, Linux or Mac OS X box set up to obtain a Kerberos ticket) all you should need to do is set "network.negotiate-auth.trusted-uris" to the name of your web server. With this it should work.<br />
<br />
=== Safari ===<br />
Safari has no configuration option: if it's working at the lower levels it 'just works', and if not then you've got to dig through the lower levels to work out what is wrong. This applies to both Windows and Mac versions.<br />
<br />
= Sample Files =<br />
== Apache Configuration ==<br />
<pre><br />
<Location /kerberos><br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET<br />
Krb5KeyTab /etc/apache2/keytab/http-pie.keytab<br />
require valid-user<br />
</Location><br />
</pre><br />
<br />
== .htaccess File ==<br />
<pre><br />
AuthType Kerberos<br />
AuthName "Kerberos Login"<br />
KrbMethodNegotiate On<br />
KrbMethodK5Passwd On<br />
KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET<br />
Krb5KeyTab /etc/apache2/keytab/http-pie.keytab<br />
require valid-user<br />
</pre><br />
<br />
== resolv.conf ==<br />
<pre><br />
search digitalpaper.homelinux.net site3.digitalpaper.homelinux.net<br />
nameserver 192.168.1.20<br />
</pre><br />
<br />
== krb5.conf ==<br />
<pre><br />
[libdefaults]<br />
default_realm = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
<br />
# The following krb5.conf variables are only for MIT Kerberos.<br />
krb4_config = /etc/krb.conf<br />
krb4_realms = /etc/krb.realms<br />
kdc_timesync = 1<br />
ccache_type = 4<br />
forwardable = true<br />
proxiable = true<br />
<br />
# The following libdefaults parameters are only for Heimdal Kerberos.<br />
v4_instance_resolve = false<br />
v4_name_convert = {<br />
host = {<br />
rcmd = host<br />
ftp = ftp<br />
}<br />
plain = {<br />
something = something-else<br />
}<br />
}<br />
fcc-mit-ticketflags = true<br />
<br />
[realms]<br />
SITE3.DIGITALPAPER.HOMELINUX.NET = {<br />
kdc = 192.168.1.20<br />
admin_server = 192.168.1.20<br />
}<br />
<br />
[domain_realm]<br />
.site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET<br />
[login]<br />
krb4_convert = true<br />
krb4_get_tickets = false<br />
</pre><br />
<br />
<br />
<br />
[[Category:Kerberos]] [[Category:MSAD]] [[Category:Guide]]</div>Pasamiohttp://sammoffatt.com.au/jauthtools/PackagesPackages2009-01-19T05:20:27Z<p>Pasamio: /* Extras Pack */</p>
<hr />
<div>JAuthTools has a combination of packages depending on your needs. Please note that prior to 1.5.4 an older form of packaging was used.<br />
<br />
= Current Packages =<br />
With the release of 1.5.4, it was decided to split the packages up in a different way. Thus the new system was born that splits the packages into different categories. All packages require some, or all, of the 'Core' packages to operate properly. Some packages may rely on other packages to work properly.<br />
<br />
== Core ==<br />
The Core package ships with the following libraries:<br />
* User Source Library<br />
* SSO Library<br />
* Helper Libraries (Helper and MutableTable)<br />
<br />
== SSO ==<br />
The SSO package adds the following plugins:<br />
* SSO Module<br />
* SSO System Plugin<br />
* SSO Component<br />
<br />
<br />
== SSO Plugins ==<br />
SSO Plugins includes a selection of SSO plugins:<br />
* eDir LDAP<br />
* HTTP<br />
* IP<br />
* SimpleSSO<br />
<br />
== SSO Plugin Samples ==<br />
The SSO Samples pack contains the SSO plugin samples available from the [[SSO/Writing an SSO Plugin|writing an SSO plugin]] page. It has:<br />
* Type A Plugin<br />
* Type B Plugin<br />
* Type C Plugin<br />
<br />
== Token Login ==<br />
The Token Login pack provides the Token Login system for your site; it includes:<br />
* Token Login Library<br />
* Token Login Component<br />
* Token Login SSO Plugin<br />
<br />
'''Note: Token Login requires the SSO package to operate properly. Without this Token Login won't work.'''<br />
<br />
== User Source ==<br />
User Source includes various user source related items. It includes:<br />
* System - Sync plugin<br />
* User Source - LDAP and Session plugins<br />
<br />
== Extras Pack ==<br />
The Extras Pack ships some LDAP specific extensions not available in other packs, the Advanced GMail plugin and the context login module:<br />
* Advanced LDAP Authentication Plugin<br />
* Advanced GMail Authentication Plugin<br />
* LDAP User Plugin<br />
* Context Login Module<br />
* LDAP Advanced Synchronisation Plugin (not shipping yet)<br />
<br />
== Base ==<br />
Base combines the Core, SSO and User Source packages into one. Depending on your individual needs you can then install packages relevant to you.<br />
<br />
= Older Packages =<br />
Prior to JAuthTools 1.5.3, JAuthTools had three main packages:<br />
* SSO<br />
* User Sources<br />
* JAuthTools (both SSO and User Sources)<br />
<br />
The SSO package contained the SSO library, the System - SSO plugin and all available SSO plugins at the time. The User Sources package contained the User Sources library, the System - Synchronisation plugin and all available user source plugins at the time (usually only the LDAP plugin).</div>Pasamiohttp://sammoffatt.com.au/jauthtools/Plugin_FoldersPlugin Folders2009-01-16T02:32:27Z<p>Pasamio: /* Joomla! Folders */</p>
<hr />
<div>This page lists common and interesting plugin folders in the JAuthTools sphere. Some folders are shipped with Joomla! (User and Authentication) however others have been added by JAuthTools.<br />
<br />
= Joomla! Folders =<br />
Joomla! provides two folders that are interesting to JAuthTools.<br />
<br />
== Authentication ==<br />
The authentication folder contains all of the authentication plugins that are available to a Joomla! site. Authentication plugins are loaded when someone attempts to log in to attempt to validate their credentials (a username and password).<br />
<br />
== User ==<br />
User plugins are fired when a user gets edited and when a user has successfully authenticated. The Joomla! User plugin is responsible for setting up the session but User plugins are used within JAuthTools to provide integration with other directory services such as LDAP.<br />
<br />
= JAuthTools Folders =<br />
JAuthTools defines sets of plugin folders itself that it handles for various tasks within the system.<br />
<br />
== Single Sign On ==<br />
JAuthTools Single Sign On plugins are designed to handle situations where the user's identity is determined from just the request (Type A), from an identity provider of some variety that is provided by the user (Type C), or from one marked as a source by the site (Type B). Type B plugins define "service providers" to handle authentication for them.<br />
<br />
== User Source ==<br />
User Source plugins are designed to accept a username and determine information about that user sufficient to meet the base Joomla! requirements for creating a new user.<br />
<br />
== Identity Providers ==<br />
Identity Provider plugins are designed to enable Joomla! to act as an IDP (Identity Provider) for different services, such as OpenID.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/PackagesPackages2009-01-07T13:07:55Z<p>Pasamio: </p>
<hr />
<div>JAuthTools has a combination of packages depending on your needs. Please note that prior to 1.5.4 an older form of packaging was used.<br />
<br />
= Current Packages =<br />
With the release of 1.5.4, it was decided to split the packages up in a different way. Thus the new system was born that splits the packages into different categories. All packages require some, or all, of the 'Core' packages to operate properly. Some packages may rely on other packages to work properly.<br />
<br />
== Core ==<br />
The Core package ships with the following libraries:<br />
* User Source Library<br />
* SSO Library<br />
* Helper Libraries (Helper and MutableTable)<br />
<br />
== SSO ==<br />
The SSO package adds the following plugins:<br />
* SSO Module<br />
* SSO System Plugin<br />
* SSO Component<br />
<br />
<br />
== SSO Plugins ==<br />
SSO Plugins includes a selection of SSO plugins:<br />
* eDir LDAP<br />
* HTTP<br />
* IP<br />
* SimpleSSO<br />
<br />
== SSO Plugin Samples ==<br />
The SSO Samples pack contains the SSO plugin samples available from the [[SSO/Writing an SSO Plugin|writing an SSO plugin]] page. It has:<br />
* Type A Plugin<br />
* Type B Plugin<br />
* Type C Plugin<br />
<br />
== Token Login ==<br />
The Token Login pack provides the Token Login system for your site; it includes:<br />
* Token Login Library<br />
* Token Login Component<br />
* Token Login SSO Plugin<br />
<br />
'''Note: Token Login requires the SSO package to operate properly. Without this Token Login won't work.'''<br />
<br />
== User Source ==<br />
User Source includes various user source related items. It includes:<br />
* System - Sync plugin<br />
* User Source - LDAP and Session plugins<br />
<br />
== LDAP Pack ==<br />
The LDAP Pack ships some LDAP specific extensions not available in other packs:<br />
* Advanced LDAP Authentication Plugin<br />
* LDAP User Plugin<br />
* LDAP Advanced Synchronisation Plugin<br />
<br />
== Base ==<br />
Base combines the Core, SSO and User Source packages into one. Depending on your individual needs you can then install packages relevant to you.<br />
<br />
= Older Packages =<br />
Prior to JAuthTools 1.5.3, JAuthTools had three main packages:<br />
* SSO<br />
* User Sources<br />
* JAuthTools (both SSO and User Sources)<br />
<br />
The SSO package contained the SSO library, the System - SSO plugin and all available SSO plugins at the time. The User Sources package contained the User Sources library, the System - Synchronisation plugin and all available user source plugins at the time (usually only the LDAP plugin).</div>Pasamiohttp://sammoffatt.com.au/jauthtools/PackagesPackages2009-01-07T12:59:53Z<p>Pasamio: New page: JAuthTools has a combination of packages depending on your needs. = Core = The Core package ships with the following extensions: * User Source Library * SSO Library * Helper Libraries (He...</p>
<hr />
<div>JAuthTools has a combination of packages depending on your needs.<br />
<br />
= Core =<br />
The Core package ships with the following extensions:<br />
* User Source Library<br />
* SSO Library<br />
* Helper Libraries (Helper and MutableTable)<br />
<br />
= SSO =<br />
The SSO package adds the following plugins:<br />
* SSO Module<br />
* SSO System Plugin<br />
* SSO Component<br />
<br />
<br />
= SSO Plugins =<br />
SSO Plugins includes a selection of SSO plugins:<br />
* eDir LDAP<br />
* HTTP<br />
* IP<br />
* SimpleSSO<br />
<br />
= SSO Plugin Samples =<br />
The SSO Samples pack contains the SSO plugin samples available from the [[SSO/Writing an SSO Plugin|writing an SSO plugin]] page. It has:<br />
* Type A Plugin<br />
* Type B Plugin<br />
* Type C Plugin<br />
<br />
= Token Login =<br />
The Token Login pack provides the Token Login system for your site; it includes:<br />
* Token Login Library<br />
* Token Login Component<br />
* Token Login SSO Plugin<br />
<br />
<br />
= User Source =<br />
User Source includes various user source related items. It includes:<br />
* System - Sync plugin<br />
* User Source - LDAP and Session plugins<br />
<br />
= LDAP Pack =<br />
The LDAP Pack ships some LDAP specific extensions not available in other packs:<br />
* Advanced LDAP Authentication Plugin<br />
* LDAP User Plugin<br />
* LDAP Advanced Synchronisation Plugin<br />
<br />
= Base =<br />
Base combines the Core, SSO and User Source packages into one. Depending on your individual needs you can then install packages relevant to you.</div>Pasamiohttp://sammoffatt.com.au/jauthtools/SSO/InfrastructureSSO/Infrastructure2009-01-07T09:15:40Z<p>Pasamio: </p>
<hr />
<div>This page documents the various parts of the JAuthTools SSO infrastructure.<br />
<br />
= Components =<br />
There are two components in the SSO area: the SSO component which handles generic SSO configuration and the token login component which handles managing the token login process.<br />
<br />
== SSO ==<br />
The SSO Component provides the ability to configure, in one location, most plugins relating to a user's authentication experience. Its unique feature is that it provides a point to configure instances of Type B plugins (called service providers); however it also provides quick access to other types of plugins such as identity providers, SSO, authentication, user source, service provider and user plugins.<br />
<br />
== Token Login ==<br />
Token Login is a system that enables users to use tokens to log into their account. The Token Login Component provides an interface to enable administrators to issue, alter and revoke tokens.<br />
<br />
= Modules =<br />
== SSO Helper ==<br />
The SSO Helper is a module that can be used to trigger SSO events on particular pages. It works similar to the "System - SSO" plugin by calling the 'detectRemoteUser' function on all plugins.<br />
<br />
== SSO ==<br />
The SSO module handles displaying service provider links (Type B plugins) and forms (Type C plugins).<br />
<br />
= Plugins =<br />
== System - SSO ==<br />
There is one system plugin used in SSO that handles bootstrapping the authentication process and calling the 'detectRemoteUser' function for all plugins.<br />
<br />
== SSO Plugins ==<br />
SSO plugins come in three varieties: type A, B and C. Type A are the original SSO plugin type and only provide the ability to detect the remote user from the request; type B plugins are often referred to as 'service providers' and have multiple instances associated with them, one for each service provider; and type C plugins provide the ability to display a form to the user for authentication or for gathering required information. An SSO plugin may also be called a 'relying party', or RP, in some situations. The key function, 'detectRemoteUser', is expected to return the username of the identified user. SSO plugins may also optionally populate the session with a 'UserSourceDetails' object to enable autocreation via the Session User Source plugin.<br />
<br />
== Identity Provider Plugins ==<br />
Identity Provider plugins, or IDP plugins, are designed to expose the local users of a site for remote authentication. Whilst not a part of authenticating a local request, IDPs can provide centralised authentication.<br />
<br />
== User Source Plugins ==<br />
User Source plugins provide information required for Joomla! to create or update users. User Source plugins are relied upon in the SSO system to provide autocreation functionality in situations where a new user is attempting to log in via SSO.</div>Pasamio