Comprehension Question about LDAP and SSO

Hello All

I have a comprehension question about SSO in relation to LDAP

Is it possible with LDAP to get access to an SSO client with a computer in
a network (e.g. RT) by starting the computer with a network Windows logon
…?

Or do I have to do this with NTLM?

best Regards skyerjoe

best regards john
View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p30995959.html


You can use Kerberos to do this. From memory, you need to make sure that DNS
is working perfectly (including reverse lookups), and you will need to ensure
that the browser is prepared to use Kerberos to authenticate against your RT
server. For IE, this means designating the RT server as part of the
"Intranet" zone; for Firefox you can use about:config and add the RT server to
network.negotiate-auth.trusted-uris.

On the server side, you want something like this in .htaccess:

# mod_auth_kerb: accept SPNEGO/Negotiate tickets from the browser, no password fallback
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
# Kerberos realm(s) whose principals are allowed to authenticate
KrbAuthRealms
# keytab holding the key of the web server's HTTP/ service principal
Krb5KeyTab /etc/httpd/conf/keytab
Require valid-user

and you’ll need to populate the keytab file with the appropriate keys.

That will get you as far as having Windows transparently authenticate to the
web server, which will expose the user name to RT via the REMOTE_USER
environment variable. You should then be able to add

Set($WebExternalAuth, 1);
Set($WebExternalAuto, 1);

to your RT_SiteConfig.pm file to instruct RT to trust this authentication.

Hope that helps.

Michael

You may also need to set AllowOverride in your Apache config to allow some
of these directives to be placed in .htaccess; some configurations have this
set to "None" by default.

* http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

First of all, thanks for this info

Okay, it won’t be bad if this works in a good way

So, to recap again:

  • Apache server with a Kerberos module (which?)
  • configure RT for the Kerberos module for Apache
  • and an entry in .htaccess for authentication with the AD
  • a browser entry to get access to the RT server (do IP addresses also work?)

Is it correct?

What is this procedure called? If I search the net I only find
methods to authenticate via Kerberos without the Windows logon.
*confusing*

best regards john

View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p31001291.html

So, to recap again:

  • Apache server with a Kerberos module (which?)

mod_auth_kerb

  • configure RT for the Kerberos module for Apache
  • and an entry in .htaccess for authentication with the AD
  • a browser entry to get access to the RT server (do IP addresses also work?)

Kerberos will attempt a reverse DNS lookup on the IP address to determine
which principal name it should use for authenticating the server. (Kerberos
provides mutual authentication; it insists on verifying that the server is the
correct server as well as providing the user's own credentials.) In practice,
you either need fully working forward and reverse DNS, or you need a fairly
deep understanding of how Kerberos works so you can figure out which bits of
DNS you could safely omit.

What is this procedure called? If I search the net I only find
methods to authenticate via Kerberos without the Windows logon.
*confusing*

A Windows Active Directory logon is a Kerberos logon, since AD uses
Kerberos. By logging on to an Active Directory domain, you already have
Kerberos credentials.

By configuring your web server and browser as I outlined previously, you can
instruct Windows to pass on these credentials to the web server transparently.
Everything will (eventually) appear to work magically. :slight_smile:

Michael

Hm… sounds good and important

But what I just don’t see:

What is the relationship between LDAP and Kerberos or NTLM?

In the wiki directory there is a how-to which describes the
implementation of LDAP in RT:

http://requesttracker.wikia.com/wiki/LdapSiteConfigSettingsForActiveDirectory

So if I do this below…

would I still need Kerberos or NTLM configs??

Sorry, I don't get it

best regards john
View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p31013131.html

Edit:

From my point of view, if I use LDAP to authenticate via SSL it should be
sufficient to get a proper authentication with RT, or not? Is this
option able to provide negotiation authentication at all?

best regards john
View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p31013169.html


As far as authentication goes: LDAP gives you the ability to log in to RT
using the same username and password that you would use for logging in to
Active Directory. Kerberos gives you the ability to be transparently
authenticated to RT without having to re-enter your username and password.

Michael

Okay now I got it :slight_smile:

Thanks michael

best regards john
View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p31013357.html

Good morning all

I have one more question in relation to authentication with Kerberos

I would like to use a Windows 2008 server with AD, and a web application
(RT) on a Linux server with Apache and a Kerberos module.

And the Kerberos stuff is handled by the Win2008 AD…

So … so far so good. But is it possible to make an authentication with
the AD login names from the whole network, not only the Kerberos login
account?

For example, if I go through a log file I would like to see that a certain
user from the network has logged in on the Apache server, and not only the
Kerberos account should appear in the log file.

Is this possible??

best regards john

Okay now I got it :slight_smile:

Edit: once again… sorry.
Is it possible to integrate Kerberos directly in RT, or can the
authentication process only be handled by Apache or another web server?

Thanks michael

best regards john
View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p31056833.html

Not sure what you’re asking. The Kerberos user account is the Active
Directory user account. If you log in to the AD domain “ad.example.com” as
user “johns”, then when you connect to a properly-configured Apache server it
will authenticate you as the Kerberos principal "johns@AD.EXAMPLE.COM".

This string "johns@AD.EXAMPLE.COM" is what will show up as the "remote user"
in Apache logs (assuming that your LogFormat includes a “%u”).

Michael
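Michael's point is that the principal string lands in the Apache access log as the "%u" field. The following is an added example, not code from this thread, from RT or from mod_auth_kerb: a small Python parser over constructed log lines in Apache's "combined" format that splits that field into user and realm, counts successful requests per AD user, and flags any principal outside the expected realm (assumed here to be AD.EXAMPLE.COM, the realm in Michael's example).

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" LogFormat; the third field is %u,
# i.e. the REMOTE_USER that mod_auth_kerb sets to the user's Kerberos principal.
SAMPLE_LOG = """\
10.0.0.15 - johns@AD.EXAMPLE.COM [21/Feb/2011:09:14:02 +0100] "GET /rt/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.22 - martin@AD.EXAMPLE.COM [21/Feb/2011:09:15:40 +0100] "GET /rt/Ticket/Display.html?id=42 HTTP/1.1" 200 8870 "-" "Mozilla/5.0"
10.0.0.99 - - [21/Feb/2011:09:16:01 +0100] "GET /rt/ HTTP/1.1" 401 381 "-" "curl/7.21"
10.0.0.31 - eve@OTHER.EXAMPLE.NET [21/Feb/2011:09:17:13 +0100] "GET /rt/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# %h %l %u %t "%r" %>s %b ...  (remaining fields are not needed here)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
EXPECTED_REALM = "AD.EXAMPLE.COM"  # assumed: the realm listed in KrbAuthRealms

def split_principal(remote_user):
    """Split 'user@REALM' into (user, realm); '-' means no authenticated user."""
    if remote_user in ("-", ""):
        return None, None
    user, _, realm = remote_user.partition("@")
    return user, (realm or None)

def parse_line(line):
    """Return the fields we care about, or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    user, realm = split_principal(m.group("user"))
    return {"ip": m.group("ip"), "user": user, "realm": realm,
            "status": int(m.group("status")), "request": m.group("req")}

def summarize(log_text, expected_realm=EXPECTED_REALM):
    """Count successful (<400) requests per AD user; flag principals from other realms."""
    per_user, foreign, unauthenticated = Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] is None:                 # "-": Negotiate not completed (e.g. the 401 challenge)
            unauthenticated += 1
        elif rec["realm"] != expected_realm:    # should not occur when KrbAuthRealms restricts the realm
            foreign.append((rec["user"], rec["realm"], rec["ip"]))
        elif rec["status"] < 400:
            per_user[rec["user"]] += 1
    return {"per_user": dict(per_user), "foreign": foreign, "unauthenticated": unauthenticated}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```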

And if I use another name like martin from the database, the Kerberos
principal changes also to martin@…

So it is possible to know which user from the AD is logged in or out of
the application which is authenticated with Kerberos.

Is that right?

best regards john

View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p31058175.html

And if I use another name like martin from the database, the Kerberos
principal changes also to martin@…

Yes. The Kerberos principal will always be the name of the currently-logged-in
user.

So it is possible to know which user from the AD is logged in or out of
the application which is authenticated with Kerberos.

Is that right?

Yes.

Michael

Thanks michael

best regards john

View this message in context: http://old.nabble.com/Comprehension-Question-about-LDAP-and-SSO-tp30995959p31058360.html