centreon / centreon-archived

Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge.
https://www.centreon.com
GNU General Public License v2.0

SSO LemonLDAP::NG authentication #1389

Closed centreon closed 9 years ago

centreon commented 14 years ago

Author Name: clement oudot (clement oudot) Original Redmine Issue: 1654, https://forge.centreon.com/issues/1654 Original Date: 2010-03-19 Original Assignee: Sylvestre Ho


Hi,

I am one of the LemonLDAP::NG developers (http://lemonldap.ow2.org). This is a WebSSO system that sends HTTP headers to protected applications to forward user information (login, name, mail, ...).

It would be nice if Centreon could use this authentication type.

To allow this, centreon should be able to open a session by verifying HTTP headers. For example, you can read the HTTP_AUTH_USER environment variable to know the login of the user.

If you do that, you should disable all password management functions, since the user is managed by the WebSSO.

To go further, you can also use HTTP headers to auto create accounts.

Tell me if you need any help on this issue.

Thanks,

Clément.

centreon commented 14 years ago

Original Redmine Comment Author Name: Julien Mathis (Julien Mathis) Original Date: 2010-03-19T17:56:24Z


Hi Clément,

It's ok. We will work on this feature for the 2.2.

Best Regards

centreon commented 14 years ago

Original Redmine Comment Author Name: Julien Mathis (Julien Mathis) Original Date: 2010-05-01T14:32:10Z


Hi Clément,

Do you think it's possible to have a LemonLDAP or SSO environment for development, or a VM appliance? I don't have one for testing.

Thanks

centreon commented 14 years ago

Original Redmine Comment Author Name: clement oudot (clement oudot) Original Date: 2010-05-01T18:08:44Z


Julien Mathis wrote:

Do you think it's possible to have a LemonLDAP or SSO environment for development, or a VM appliance? I don't have one for testing.

I have no prepared test environment, but as a first step you can just use a header generator (a lot of Firefox plugins do that) and send an HTTP header to your application, for example:

Auth-User: coudot

For a full test, you have to install LemonLDAP::NG. We provide RHEL and Debian packages, so it is very easy to install. Or I can test your development on my side.

centreon commented 14 years ago

Original Redmine Comment Author Name: clement oudot (clement oudot) Original Date: 2010-05-06T11:00:01Z


Hi,

I found this link on the web: http://blog.doguet.fr/2010/04/websso-lemonldap-pour-centreon.html

It uses the REMOTE_USER env variable, but it seems very easy to adapt it to check an HTTP header.

centreon commented 12 years ago

Original Redmine Comment Author Name: Julien J (Julien J) Original Date: 2012-03-21T12:14:27Z


Hello,

Find attached the patch to add support for LemonLdap.

LemonLdap allows the securing of an application by intercepting all HTTP requests to the secured application. If the user does not have an SSO session, he/she is redirected to the login page of LemonLdap. And if there is a valid session, LemonLdap adds a variable in the HTTP header (the user’s login). The HTTP header is considered to be secure; the user is therefore connected to the application without a password, based upon the HTTP header.

If the SSO secures the application, it intercepts all the HTTP requests and thus only registered users can access the SSO application. The choice of the SSO authentication mode is therefore global and not per user, as is the case for LDAP or database (so there is no real contact_auth_type for the user).

The following patch enables the following operation:

Note: The “logout” link no longer works since the system automatically reconnects the user through the HTTP header. In fact, this behavior is not a problem since we configured LemonLdap so that it intercepts the request “index.php?disconnect=1” in order to make a global SSO disconnection.

To test quickly (without LemonLdap)

You can simply install the plug-in “Header Hacker” on Google Chrome. The plug-in will allow you to simulate the SSO by performing injections in the HTTP header. Here is how to proceed:

You are logged in automatically with the user injected in the header. When LemonLdap secures the application, it is impossible to force the header via a plug-in (as LemonLdap controls the header).

For a real test, I'll let you have a look at the documentation of LemonLdap. Find below some information regarding the configuration though:

In the centreon configuration: $conf_centreon['ssoHeaderName'] = "REMOTE_USER";

Tested with Centreon 2.3.4 and LemonLdap 1.1

Regards,

Julien

centreon commented 12 years ago

Original Redmine Comment Author Name: Tensibai - Bastien Jove (Tensibai - Bastien Jove) Original Date: 2012-03-21T12:53:30Z


Is it compatible with the key auth in centreon? (see #2239, not sure whether it's integrated or not)

centreon commented 12 years ago

Original Redmine Comment Author Name: Julien J (Julien J) Original Date: 2012-03-21T13:17:20Z


LemonLdap allows the securing of an application by intercepting all HTTP requests to the secured application. If the user does not have an SSO session, he/she is redirected to the login page of LemonLdap.

With a simple setup of lemonldap: NO. The requests will be redirected to the Lemonldap login page.

If you enable the SSO, authentication is delegated to the SSO. It should not be possible to bypass the SSO with key authentication.

Julien

centreon commented 12 years ago

Original Redmine Comment Author Name: bart van der hall (bart van der hall) Original Date: 2012-07-25T12:38:51Z


The authentication with lemonldap-ng works as described in this patch and the SSO.patch. However, when you use lemonldap-ng with mysql authentication, you can only use centreon with lemonldap authentication, and normal centreon users are not able to log in.

centreon commented 11 years ago

Original Redmine Comment Author Name: Quentin Garnier (Quentin Garnier) Original Date: 2013-06-07T14:40:10Z


Need options in general options.

centreon commented 11 years ago

Original Redmine Comment Author Name: Sylvestre Ho (Sylvestre Ho) Original Date: 2013-07-03T14:07:35Z


Applied in changeset commit:9d999d32b9260ce8d80b7a45b76f94983080204e.

centreon commented 11 years ago

Original Redmine Comment Author Name: Fabrice Bacchella (Fabrice Bacchella) Original Date: 2013-08-09T10:29:09Z


This patch could be improved.

It uses a regexp to match the remote address. At line 40 of centreonAuth.SSO.class.php:

if (preg_match('/' . $_SERVER['REMOTE_ADDR'] . '(\s|,|$)/', $this->options_sso['sso_trusted_clients'])) {

CIDR is 20 years old; regexes to match IPs should have been dropped 20 years ago.
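One way to implement the header-based login that Julien J's patch note describes, with the trusted-client test done on CIDR ranges as suggested in the comment above rather than with the quoted regex. This is an added example, not Centreon's code or the attached patch; the function names, the treatment of sso_trusted_clients as a whitespace- or comma-separated list (as the quoted regex implies) and the sample addresses are assumptions.

```php
<?php
// Added example, not Centreon's code: CIDR trusted-client check ($cidr is a bare address or prefix/len, IPv4 or IPv6) gating a trusted-header SSO login.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed, or IPv4 tested against an IPv6 entry (or vice versa)
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = ($bits === null) ? $maxBits : (ctype_digit($bits) ? (int) $bits : -1);
    if ($bits < 0 || $bits > $maxBits) {
        return false; // prefix length is not a number or is out of range
    }
    $fullBytes = intdiv($bits, 8); // whole prefix bytes must match exactly
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8; // then only the leading $rem bits of the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}
// $trustedClients is whitespace- or comma-separated, as sso_trusted_clients is assumed to be.
function isTrustedClient(string $remoteAddr, string $trustedClients): bool
{
    foreach (preg_split('/[\s,]+/', $trustedClients, -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        if (ipInCidr($remoteAddr, $entry)) {
            return true;
        }
    }
    return false;
}
// Login asserted by the SSO header, or null when the request did not come through a
// trusted proxy. $headerName is the $_SERVER key, e.g. REMOTE_USER or HTTP_AUTH_USER.
function ssoLogin(array $server, string $headerName, string $trustedClients): ?string
{
    if (!isTrustedClient($server['REMOTE_ADDR'] ?? '', $trustedClients)) {
        return null;
    }
    $login = trim($server[$headerName] ?? '');
    return $login === '' ? null : $login;
}
// Constructed requests: one relayed by the proxy at 192.0.2.7, one sent directly.
var_dump(ssoLogin(['REMOTE_ADDR' => '192.0.2.7', 'REMOTE_USER' => 'coudot'], 'REMOTE_USER', '192.0.2.0/24, 2001:db8::/32'));
var_dump(ssoLogin(['REMOTE_ADDR' => '198.51.100.9', 'REMOTE_USER' => 'coudot'], 'REMOTE_USER', '192.0.2.0/24'));
```

The first call returns the login because the proxy address is inside the trusted range; the second returns null, so a header on a request that bypassed the proxy is never honoured.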

centreon commented 10 years ago

Original Redmine Comment Author Name: martin lunze (martin lunze) Original Date: 2014-01-07T09:37:28Z


Is there a possibility to use SSO (maybe lemonldap or shibboleth) AND normal "local" accounts?

centreon commented 10 years ago

Original Redmine Comment Author Name: Quentin Garnier (Quentin Garnier) Original Date: 2014-01-07T09:42:34Z


Yes, you can. You need to use the 'mixed mode' and set the reverse proxy IP.