Original Redmine Comment Author Name: Julien Mathis (Julien Mathis) Original Date: 2010-03-19T17:56:24Z
Hi Clément,
It's ok. We will work on this feature for the 2.2.
Best Regards
Original Redmine Comment Author Name: Julien Mathis (Julien Mathis) Original Date: 2010-05-01T14:32:10Z
Hi Clément,
Do you think it's possible to have a LemonLDAP or SSO environment for development, or a VM appliance? I haven't one for testing.
Thanks
Original Redmine Comment Author Name: clement oudot (clement oudot) Original Date: 2010-05-01T18:08:44Z
Julien Mathis wrote:
Do you think it's possible to have a LemonLDAP or SSO environment for development, or a VM appliance? I haven't one for testing.
I have no prepared test environment, but for a first step, you can just use a header generator (a lot of Firefox plugins do that) and send an HTTP header to your application, for example:
Auth-User: coudot
For a full test, you have to install LemonLDAP::NG. We provide RHEL or Debian packages, so it is very easy to install. Or I can test your development on my side.
Original Redmine Comment Author Name: clement oudot (clement oudot) Original Date: 2010-05-06T11:00:01Z
Hi,
I found this link on the web: http://blog.doguet.fr/2010/04/websso-lemonldap-pour-centreon.html
It uses the REMOTE_USER env variable, but it seems very easy to adapt it to check an HTTP header.
Original Redmine Comment Author Name: Julien J (Julien J) Original Date: 2012-03-21T12:14:27Z
Hello,
Find attached the patch to add support for LemonLdap.
LemonLdap allows the securing of an application by intercepting all HTTP requests to the secured application. If the user does not have an SSO session, he/she is redirected to the login page of LemonLdap. And if there is a valid session, LemonLdap adds a variable in the HTTP header (the user's login). The HTTP header is considered to be secure; the user is therefore connected to the application without a password, based upon the HTTP header.
If the SSO secures the application, it intercepts all the HTTP requests and thus only registered users can access the SSO application. The choice of the SSO authentication mode is therefore global and not per user, as is the case for LDAP or database (so there is no real contact_auth_type for the user).
The following patch enables the following operation:
Note: The “logout” link no longer works since the system automatically reconnects the user through the HTTP header. In fact, this behavior is not a problem since we configured LemonLdap so that it intercepts the request “index.php?disconnect=1” in order to make a global SSO disconnection.
To test quickly (without LemonLdap)
You can simply install the plug-in “Header Hacker” on Google Chrome. The plug-in will allow you to simulate the SSO by performing injections in the HTTP header. Here is how to proceed:
* Header: HACK_SSO
* Append/replace: Replace With
* String: the login of a user found in the database
* $conf_centreon['ssoHeaderName'] = 'HTTP_HACK_SSO'
You are logged automatically with the user injected in the header. When LemonLdap secures the application, it is impossible to force the header via a plug-in (as LemonLdap controls the header)
For a real test, I let you have a look at the documentation of LemonLdap. Find below some information regarding the configuration though:
* Expression: ^/index.php\?disconnect=1
* Rule: logout_sso http://auth.mondomaine.com Header
In the centreon configuration: $conf_centreon['ssoHeaderName'] = "REMOTE_USER";
Tested with Centreon 2.3.4 and LemonLdap 1.1
Regards,
Julien
Original Redmine Comment Author Name: Tensibai - Bastien Jove (Tensibai - Bastien Jove) Original Date: 2012-03-21T12:53:30Z
Is it compatible with the key auth in centreon? (see #2239, not sure it's integrated or not)
Original Redmine Comment Author Name: Julien J (Julien J) Original Date: 2012-03-21T13:17:20Z
LemonLdap allows the securing of an application by intercepting all HTTP requests to the secured application. If the user does not have a SSO session, he/she is redirected to the login page of LemonLdap.
With a simple setup of LemonLdap: NO. The requests will be redirected to the LemonLdap login page.
If you enable the SSO, authentication is delegated to the SSO. It should not be possible to bypass the SSO with key authentication.
Julien
Original Redmine Comment Author Name: bart van der hall (bart van der hall) Original Date: 2012-07-25T12:38:51Z
The authentication with lemonldap-ng works as described in this patch and the SSO.patch. However, when you use lemonldap-ng with MySQL authentication, you can only use Centreon with LemonLDAP authentication, and normal Centreon users are not able to log in.
Original Redmine Comment Author Name: Quentin Garnier (Quentin Garnier) Original Date: 2013-06-07T14:40:10Z
Need options in general options.
Original Redmine Comment Author Name: Sylvestre Ho (Sylvestre Ho) Original Date: 2013-07-03T14:07:35Z
Applied in changeset commit:9d999d32b9260ce8d80b7a45b76f94983080204e.
Original Redmine Comment Author Name: Fabrice Bacchella (Fabrice Bacchella) Original Date: 2013-08-09T10:29:09Z
This patch could be improved.
It uses a regexp to match the remote address. At line 40 of centreonAuth.SSO.class.php:
if (preg_match('/' . $_SERVER['REMOTE_ADDR'] . '(\s|,|$)/', $this->options_sso['sso_trusted_clients'])) {
CIDR is 20 years old, regex to match IP should have been dropped 20 years ago.
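As an added example (not code from Centreon, the patch, or LemonLDAP::NG), here is the header-based login that Julien J's patch description outlines, with the trusted-client test from the line quoted above done as a CIDR match on REMOTE_ADDR instead of a regexp. Function names, the login character class and the sample addresses are assumptions.

```php
<?php
// Added example, not project code: trust the SSO header only when the request
// comes from a trusted reverse proxy, matched by CIDR rather than by regexp.

/** True if IPv4 $ip lies inside $cidr ("10.0.0.0/8"; a bare address means /32). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);   // false for anything that is not a dotted IPv4 address
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !preg_match('/^\d{1,2}$/', $bits) || (int)$bits > 32) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** $trustedClients is a whitespace- or comma-separated list, like sso_trusted_clients. */
function isTrustedClient(string $remoteAddr, string $trustedClients): bool
{
    foreach (preg_split('/[\s,]+/', $trustedClients, -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        if (ipInCidr($remoteAddr, $entry)) {
            return true;
        }
    }
    return false;
}

/**
 * Return the login to open a session for, or null to fall back to the normal
 * login form. $server is $_SERVER; $headerName is the configured key
 * ($conf_centreon['ssoHeaderName'], e.g. "REMOTE_USER" or "HTTP_HACK_SSO").
 */
function ssoLogin(array $server, string $headerName, string $trustedClients): ?string
{
    // A client that reaches the application without going through the proxy can
    // set any header it likes, so the source address is checked first.
    if (!isTrustedClient($server['REMOTE_ADDR'] ?? '', $trustedClients)) {
        return null;
    }
    $login = trim((string)($server[$headerName] ?? ''));
    // Accept only characters plausible in a contact login before looking it up.
    return preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $login) === 1 ? $login : null;
}

// Constructed sample: a proxy inside the trusted /24 forwards REMOTE_USER, another host does not.
var_dump(ssoLogin(['REMOTE_ADDR' => '10.0.0.5', 'REMOTE_USER' => 'coudot'], 'REMOTE_USER', '10.0.0.0/24, 192.168.1.1'));
var_dump(ssoLogin(['REMOTE_ADDR' => '10.0.1.5', 'REMOTE_USER' => 'coudot'], 'REMOTE_USER', '10.0.0.0/24, 192.168.1.1'));
```

Only IPv4 is handled here; an IPv6 proxy address would need a separate comparison on the 128-bit form.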
Original Redmine Comment Author Name: martin lunze (martin lunze) Original Date: 2014-01-07T09:37:28Z
Is there a possibility to use SSO (maybe lemonldap or shibboleth) AND normal "local" accounts?
Original Redmine Comment Author Name: Quentin Garnier (Quentin Garnier) Original Date: 2014-01-07T09:42:34Z
Yes you can. You need to use the 'mixed mode' and set reverse proxy IP.
Author Name: clement oudot (clement oudot) Original Redmine Issue: 1654, https://forge.centreon.com/issues/1654 Original Date: 2010-03-19 Original Assignee: Sylvestre Ho
Hi,
I am one of the LemonLDAP::NG developers (http://lemonldap.ow2.org). This is a WebSSO system that sends HTTP headers to protected applications to forward user information (login, name, mail, ...).
It would be nice if Centreon could use this authentication type.
To allow this, centreon should be able to open a session by verifying HTTP headers. For example, you can read the HTTP_AUTH_USER environment variable to know the login of the user.
If you do that, you should disable all password management functions, since the user is managed by the WebSSO.
To go further, you can also use HTTP headers to auto create accounts.
Tell me if you need any help on this issue.
Thanks,
Clément.