Kerberos / SPNEGO Login

Started by glenlivet, August 28, 2015, 07:10:19 AM


glenlivet

Hi all,

I searched around, but found only one old mod/plugin that's no longer supported.

The goal is not to log into the board again, since the user is already authenticated by the leading system, in my case the Windows domain.
I've set up the Apache server to do SPNEGO authentication, so any user that gets a page is a valid authenticated user.

In PHP terms:
$_SERVER["REMOTE_USER"]="user@domain"
$_SERVER["AUTH_TYPE"]="Negotiate"
$_SERVER["PHP_AUTH_USER"]="user@domain"

Instead of showing a login box I would like to use these variables to go through the authorization process.
Yes, I'll need to add a user with the same name to the SMF users, and I have to configure the rights of the user. All registrations are done by the admin.

As a probable solution I found the integration hooks, e.g. integrate_verify_user.
Would this be the right point to hook in?

Thanks for any hints
glenlivet

Kindred

Nope... hooks are for use when SMF is the primary system and needs to trigger something to run within SMF or trigger an external script at that point in the code.

You should probably be looking to use the API functions.
http://wiki.simplemachines.org/smf/Category:Integrating_SMF
http://wiki.simplemachines.org/smf/SMF_API
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

glenlivet

Well, not sure what's wrong in my text, but http://wiki.simplemachines.org/smf/SMF_API .. smf_2_integration_hooks.php is exactly what I meant.

A first quick hack gave me an almost working solution:


/**
* Verify user
*
* This hook is started before checking the SMF cookie for a valid user. A valid
* SMF $ID_MEMBER is expected back from the hook function, or SMF will assume
* it should check the SMF cookie instead.
*
* Example of use: User is logged into a CMS, but not into SMF, so we want to
* auto-login to SMF without the SMF cookie.
*
* @access       public
* @return       int $id_member a valid SMF member id
* @link         http://www.r2bconcepts.com Red2Black Concepts
* @since        0.1.0
*/
function smf_verify_user_function()
{
    global $smcFunc;

    // Only trust the server variables when Apache actually completed a
    // Negotiate (SPNEGO) handshake for this request; otherwise hand back 0
    // so SMF falls through to its normal cookie check.
    if (!isset($_SERVER['AUTH_TYPE'], $_SERVER['PHP_AUTH_USER']) || $_SERVER['AUTH_TYPE'] !== 'Negotiate')
        return 0;

    // Look the member up through SMF's own database layer: the {string:...}
    // placeholder is escaped by SMF, unlike a raw sprintf() into mysql_query(),
    // and {db_prefix} resolves to the configured table prefix (smf_ by default).
    $request = $smcFunc['db_query']('', '
        SELECT id_member
        FROM {db_prefix}members
        WHERE member_name = {string:member_name}
        LIMIT 1',
        array('member_name' => $_SERVER['PHP_AUTH_USER'])
    );

    // No matching row means "not one of ours": return 0, not a null/false row.
    $id_member = 0;
    if ($row = $smcFunc['db_fetch_assoc']($request))
        $id_member = (int) $row['id_member'];
    $smcFunc['db_free_result']($request);

    return $id_member;
}


The only thing to solve is that I don't have a password, so I can't pass the action=admin password check.
A login as Admin is no longer usable because the user is set.

Kindred

APIs are different from hooks.

However, SMF is set up very specifically that you CAN NOT log in as a user without a password... EVER!

margarett

IMO the hook you mention is suitable and can perfectly be used how you want ;)
http://wiki.simplemachines.org/smf/Integration_hooks#integrate_verify_user

Quote: "Purpose: To attempt to log in from external app first, by reusing login credentials; this is taken in preference to either cookie or session details."
The drawback: your authentication server is contacted every single page load, which forces you to expose the login details (probably in session)
Anyway you need to have a valid SMF user (because the hook returns the user ID of the authenticated user) so you might as well deploy the SMF cookie and keep the user authenticated.
If you're driving, don't drink. If you're drinking... CALL ME!!!! :D

Quote: "Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair"

glenlivet

Hi margarett,
Sorry for the long delay, I've been on vacation.
As I showed in the short sample, it really works. The hook is the correct way to handle a pre-authenticated session. Since the SPNEGO handshake is handled by the web server, it doesn't matter at all if every page load needs to be checked. The user credentials are set at any time.
And yes, you are right, I need to create an SMF user for each user who needs access. That can be done by the admins of the forum. We also have to set up the Windows user, so it's just one step more when adding a new user.

The problem I still have to solve is the admin password check. The SMF admin is validated in the same way as all other users. This double check of the password, if the admin goes to the permissions pages... it should also call the (a) hook. IMHO this is an inconsistency in the SMF authentication module.
In a pre-authenticated scenario, there will never be a password in the SMF database.
I'll dig a little bit deeper into the code; maybe there is a reasonable way to solve this.

Thanks for the feedback!

PS:
@Kindred: Yes, we can!

glenlivet

Ok, finally I found the option "Disable administration security", which solves my remaining problem.
Everything's fine, I've got SSO with SPNEGO on Windows running.

It's somewhat tricky to set up:

- You first have to configure the forum,
- give the admin rights to a user that's known by windows
- disable administration security
- enable SPNEGO on the server
- add the smf_2_integration_hooks.php to the sources
- enable the integration_hooks by adding it to the index.php
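The steps above leave the web server's SPNEGO check as the only thing standing between a request and an SMF session, and, once "Disable administration security" is on, the only thing guarding the admin pages too. The hook should therefore refuse anything Apache did not itself authenticate. The following is an added example (not code from this thread, from Red2Black Concepts, or from the SMF project) of a stricter integrate_verify_user function for smf_2_integration_hooks.php. It assumes SMF 2.x is loaded when the hook runs (so $smcFunc and {db_prefix} are available), that SMF member names hold the full principal "user@domain" exactly as the thread describes, and that your Kerberos realm is substituted for the SSO_EXPECTED_REALM placeholder; the helper function name and the constant are invented for this example.

```php
<?php
// Added example, not part of the original thread or of SMF itself.
// Assumes SMF 2.x has been loaded (the hook is invoked from inside SMF) and
// that Apache completed the SPNEGO handshake before PHP ran.

// Placeholder: replace with the Kerberos realm your KDC issues tickets for.
define('SSO_EXPECTED_REALM', 'EXAMPLE.COM');

/**
 * Return the member name to look up, or null if this request must not be
 * trusted. Kept free of globals so it can be exercised with a constructed
 * $server array, without a web server.
 */
function sso_principal_from_server(array $server, $expected_realm)
{
    // Apache sets AUTH_TYPE only when it performed the authentication itself;
    // a vhost or <Location> without "Require valid-user" will not set it.
    if (!isset($server['AUTH_TYPE'], $server['REMOTE_USER']) || $server['AUTH_TYPE'] !== 'Negotiate')
        return null;

    $principal = $server['REMOTE_USER'];

    // When both variables are present they must name the same principal.
    if (isset($server['PHP_AUTH_USER']) && $server['PHP_AUTH_USER'] !== $principal)
        return null;

    // A Kerberos principal is "name@REALM": refuse a missing or empty name,
    // a missing realm, and any realm other than ours (cross-realm trusts would
    // otherwise let a foreign "admin@OTHER" match an unrelated SMF account).
    $at = strrpos($principal, '@');
    if ($at === false || $at === 0 || $at === strlen($principal) - 1)
        return null;
    if (strcasecmp(substr($principal, $at + 1), $expected_realm) !== 0)
        return null;

    return $principal;
}

/**
 * integrate_verify_user: hand SMF a member id, or 0 to fall back to its
 * normal cookie/session handling.
 */
function smf_verify_user_function()
{
    global $smcFunc;

    $member_name = sso_principal_from_server($_SERVER, SSO_EXPECTED_REALM);
    if ($member_name === null)
        return 0;

    // Parameterised lookup through SMF's DB layer; only activated accounts
    // may be mapped, so a disabled forum account stays disabled even though
    // the Windows account still authenticates.
    $request = $smcFunc['db_query']('', '
        SELECT id_member
        FROM {db_prefix}members
        WHERE member_name = {string:member_name}
            AND is_activated = {int:activated}
        LIMIT 1',
        array('member_name' => $member_name, 'activated' => 1)
    );

    $id_member = 0;
    if ($row = $smcFunc['db_fetch_assoc']($request))
        $id_member = (int) $row['id_member'];
    $smcFunc['db_free_result']($request);

    return $id_member;
}

// Constructed inputs for a quick offline check of the pure helper:
//   array('AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'user@EXAMPLE.COM') -> 'user@EXAMPLE.COM'
//   array('AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'user@OTHER.ORG')   -> null
//   array('REMOTE_USER' => 'user@EXAMPLE.COM')                              -> null
```

Two points follow from the design. Because the realm comparison is the only thing distinguishing "your" principals from those of any realm the KDC trusts, the constant has to be the realm your tickets actually carry, not a DNS name. And because administration security is disabled in this setup, every <Location> that can reach index.php must carry the same SPNEGO requirement; a single unauthenticated alias would hand the admin panel to anyone who can reach it, since the hook returns 0 and SMF would then fall back to a cookie that was itself obtained through the hook.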

Done and working

So long...

Kindred

That is partially incorrect.

Hooks are enabled by adding them to the database, not to index.php

margarett


Oldiesmann

Quote from: Kindred on September 17, 2015, 07:33:31 AM
that is partially incorrect.

Hooks are enabled by adding them to the database, not to index.php

He's not referring to regular integration hooks. He's referring to a file mentioned on the API page in the wiki. Two different things.
Michael Eshom
Christian Metal Fans

Kindred

oh... my bad then... I wish people would use the correct terms for things. :P