
How do I...Enable single sign on with Active Directory?

This method uses Winbind, the Samba component that lets NT domain users and groups appear as if they were local accounts.  It's very easy.

Note: this guide assumes your wiki is installed in /var/www/dekiwiki; it might be in /var/www/deki-hayes if you have upgraded an older VM.

Upgrade your wiki to 8.05.1 or greater

Start by ensuring you're at the latest code level (8.05.2 at time of writing).  Update your wiki with:

/usr/bin/updateWiki.sh

Install Winbind and the Apache module

Attached to this page is a version of the NTLM authentication module built for Debian Etch.  There are versions available for Ubuntu also.

# Install winbind and libapache2-mod-auth-ntlm-winbind 
apt-get install winbind
wget http://wiki.opengarden.org/@api/deki/files/2921/=libapache2-mod-auth-ntlm-winbind_0.1%252bgit20080610-0.1_i386.deb \
      -O libapache2-mod-auth-ntlm-winbind_0.1+git20080610-0.1_i386.deb
dpkg -i libapache2-mod-auth-ntlm-winbind_0.1+git20080610-0.1_i386.deb

# Enable the module
a2enmod auth_ntlm_winbind

# Allow Apache to connect to Winbind
usermod -a -G winbindd_priv www-data

Configuring Winbind

Change, uncomment or add the following six options in the [global] section of /etc/samba/smb.conf:

workgroup = SHORTDOMAINNAME 
security = domain
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes

Note: Samba itself does not need to be running for Winbind to work.  Replace SHORTDOMAINNAME with the short NetBIOS domain name (the DOMAIN part of DOMAIN\user); the * is entered literally.

Now, you must join this machine to your domain, and restart Winbind: 

# you will be prompted for a password after this:
net join DOMAINNAME -U username

/etc/init.d/winbind restart
wbinfo -u

If you see a list of users (without a DOMAINNAME\ prefix), then congratulations, you have successfully configured Winbind.
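Samba only honours the six options above when they are in the [global] section, and the comments below note that the workgroup must be the short domain name rather than domain.com. The following shell check is an added example, not part of the original guide: it parses an smb.conf, reports any of the six keys that are missing from [global], and flags those two common value mistakes. The sample configurations it writes are constructed for the demonstration.

```shell
# Added example (not part of the original guide): verify that the six Winbind
# options the guide requires sit inside the [global] section of an smb.conf.
# Samba only honours these keys in [global]; placing them under another
# section (a mistake mentioned in the comments) silently disables them.

# global_value FILE KEY -> prints KEY's value from [global] (empty if absent).
# Lines before the first section header count as global, as Samba treats them.
global_value() {
    awk -v key="$2" '
        BEGIN { insec = 1 }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }' "$1"
}

# check_smb_global FILE -> prints one line per problem; exit status = count.
check_smb_global() {
    problems=0
    for key in "workgroup" "security" "password server" "idmap uid" \
               "idmap gid" "winbind use default domain"; do
        v=$(global_value "$1" "$key")
        [ -n "$v" ] || { echo "missing in [global]: $key"; problems=$((problems + 1)); }
    done
    wg=$(global_value "$1" workgroup)
    case "$wg" in            # comments below: use the short name, not domain.com
        *.*) echo "workgroup should be the short domain name, got: $wg"
             problems=$((problems + 1)) ;;
    esac
    sec=$(global_value "$1" security | tr 'A-Z' 'a-z')
    [ -z "$sec" ] || [ "$sec" = "domain" ] || {
        echo "security must be 'domain', got: $sec"; problems=$((problems + 1)); }
    return "$problems"
}

# sample_conf good|bad -> writes a constructed smb.conf to stdout. The "bad"
# variant puts two keys after [homes], the misplacement described in the comments.
sample_conf() {
    printf '[global]\n   workgroup = EXAMPLE\n   security = domain\n'
    printf '   idmap uid = 10000-20000\n   idmap gid = 10000-20000\n'
    [ "$1" = bad ] && printf '[homes]\n   browseable = no\n'
    printf '   password server = *\n   winbind use default domain = yes\n'
}
```

To check a real configuration, run `check_smb_global /etc/samba/smb.conf`; to see the misplacement case, run `sample_conf bad > /tmp/smb.conf.test && check_smb_global /tmp/smb.conf.test`.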

Configuring the beta LDAP service

First, you need a copy of the new DLL:

cd /var/www/dekiwiki/bin/services 
wget http://wiki.opengarden.org/@api/deki/files/2344/=mindtouch.deki.ldap.dll -O mindtouch.deki.ldap.dll

# restart the service so the SID of the LDAP provider will be accepted
/etc/init.d/dekiwiki restart

Now, configure it in Deki.

Service management

Log into your wiki.  First set up your LDAP service (under Control Panel, Service Management). You can edit an existing one if you have one, or create a new LDAP service. NOTE: if you already have an LDAP service set up with existing users, be sure to edit that service rather than creating a new one.

Save this service.  Note the number it is allocated, as you will use this below. (On a new VM, it will probably be '10').

If you were previously using Active Directory integration, please note in particular that bindingdn and bindingpw change from variables to a single hardcoded username and password, and that the SID changes too.

Configuration

Under Control Panel/Configuration, add two new values:

  • security/allow-trusted-auth: true
  • security/trusted-auth-provider-id: (the number of your LDAP service)

Log out of the wiki, and restart Dekihost again:

/etc/init.d/dekiwiki restart

(At this point it might be a good idea to log into your wiki and grant your LDAP user 'admin' rights, as it is difficult to log in as a local user once your browser is automatically authenticating you.)

Configuring Apache

In /var/www/dekiwiki, create a file named .htaccess. Add this content:

AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user

You can set AuthName to anything you want.

This will force Apache to require NTLM credentials before serving any content, and also pass the authenticated username to Deki for single sign on.

Restart Apache:

/etc/init.d/apache2 force-reload

You are now good to go!

Hit http://mywiki/, and as long as your browser is set up for NTLM, you will automatically be logged in.

[Screenshot: auto-logged-in.png]

Feels good!

Configuring your web browser

If your URL is in the Local Intranet zone in IE, then the browser will present your credentials automatically.  You can add the site manually if it doesn't automatically get detected.

Firefox users can set the property network.automatic-ntlm-auth.trusted-uris in about:config.

Troubleshooting

Try browsing to http://mywiki/@api/deki/services/def...users/username (where 10 is the number of your LDAP service) to see if the LDAP service is returning correct results.


Files

libapache2-mod-auth-ntlm-winbind_0.1+git20080610-0.1_i386.deb (Apache2 Winbind module for the Deki Wiki VM), 9.37 kB, attached by crb at 15:40, 11 Jun 2008
Comments (13)
In our environment, there are some machines that are not joined as part of the domain; is it possible to mix both auto-signon and the deki signon page?

There is talk from other systems (moodle, etc) of creating a sub-page that automatically forces ntlm authentication, with some code on the main page that decides whether or not to go there. Is this type of thing feasible? Could we use the deki api to make a different ntlm service? (Brainstorming)
Posted 18:06, 26 Jun 2008
The Moodle idea is good and I will be investigating how to do that in future. It will require a new property somewhere in Deki to say which network range/s to present SSO to.
Posted 11:23, 13 Jul 2008
I tried to follow this, without luck. At this step:

net join DOMAINNAME -U username

what username should I be entering, my own? When I try my own, I enter my password, but then I get this error:

[(current date time)] utils/net_ads.c:ads_startup(289)
ads_connect: Invalid or incomplete multibyte or wide character
ADS join did not work, fallig back to RPC...
Unabled to find suitable server
Unabled to find suitable server

Any ideas? Thanks

Posted 15:39, 28 Jul 2008
I too encountered the error mentioned by msalamon but was able to get things working by ensuring my values were like this:

in smb.com set workgroup = domain_name WITHOUT the .com

Using this command to join the domain:
"net join domain_name.com -U admin_username"

I have a question, how is the service number determined? edited 20:41, 28 Jul 2008
Posted 20:23, 28 Jul 2008
At the point of net join DOMAINNAME -U username I get the error "cannot join as standalone machine".

I'm using a virtual machine and I'm using my DOMAINNAME.com. In the smb.conf, I used the DOMAINNAME without .com.
Posted 17:00, 4 Aug 2008
Hello, I was able to get the winbind to connect successfully to AD.. NTLM is authenticating correctly. I have two issues happening.

1. When the user connects to http://wiki the initial NTLM authentication gets passed from the browser. But it does not pass them to Deki.
I get the dreaded "We could not authenticate you."

2. When creating an AD user manually it wants me to enter ONLY the user's correct AD Username/Password. If the user logs in manually the account is created automatically.

I checked the API log and it seems that the samAccountName is getting passed but the bindDN is not.. It is showing up as false..

Any suggestions?

-Mike
Posted 17:58, 5 Aug 2008
PPatel:

I erased the /etc/samba/smb.conf and replaced with this config and it allowed me to join the machine to Active directory

unix charset = LOCALE
workgroup = enterYourDomainNameHere
server string = enterServerDescriptionHereButNotRequired
security = DOMAIN
password server = enterTheIPofYourDomainControllerHere
username map = /etc/samba/smbusers
log level = 1
log file = /var/log/samba/%m.log
max log size = 50
server signing = auto
client use spnego = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
Posted 18:02, 5 Aug 2008
It should be noted that the location of the entries in the smb.conf file seems to be important. I originally had problems because I had to add the "password server" and "winbind use default domain" entries and I chose to add them at the bottom of the existing file. When I moved them up directly underneath the existing entries for "idmap", everything came together. Apparently the entries must be in the "[global]" section of the file. edited 18:07, 20 Aug 2008
Posted 18:06, 20 Aug 2008
I'm curious whether anyone has this SSO working in a secure manner for external users? We have a corporate wiki that is accessible on our internal network, using these SSO instructions. We want to make the wiki available to authenticated users on the internet, but provide SSL encryption for the login (or the whole wiki if necessary). A main component of this security is using our Apache Reverse Proxy server. Does anyone have something similar set up?
Posted 22:28, 28 Aug 2008
Just thought of something...SSO isn't necessary for our external users. Is it possible to force internal users to use the .htaccess file, and for everyone else, bypass it entirely, which will make use of our reverse proxy with SSL at login time. Basically a conditional .htaccess, where a deny would avoid using the .htaccess instead of blocking the connection.
Posted 14:57, 29 Aug 2008
Progress...adding the following directives to the .htaccess file allows for the reverse proxy to bypass the NTLM authentication:
allow from "ip address of revproxy"
satisfy any

Now my problem is figuring out how to serve 2 separate SSL certificates from one reverse proxy with 1 IP. Damn activesync not supporting wildcard certificates!
Posted 17:33, 29 Aug 2008
I couldn't get this to work in the VM edition using VMWare Server until I changed password server = * to password server = domaincontroller. It's probably a networking problem on this LAN, but even forwarding ports in the VMWare Virtual Network Settings (UDP:137,138/TCP:139) didn't help. Hope this helps someone save a few hours!
Posted 02:02, 23 Oct 2008
jadus: you can't serve two SSL certs with one IP. SSL doesn't support name-based virtual hosting.
Posted 22:17, 23 Oct 2008
Powered by MindTouch Deki v.8.08.2