[Solved] SSO fallback

Moderator: crythias

Locked
jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

[Solved] SSO fallback

Post by jjurkus »

I have SSO working via mod_auth_kerb, which took some time, but this works great now. :D
This website helped me a lot: http://www.grolmsnet.de/kerbtut/

Anyway, I have the same problem as I noticed in a few old topics, such as this one: viewtopic.php?f=62&t=28515

Basically, when trying to login from a computer in the domain, everything works great. From my home machine I get this window:
sso-fallback.PNG
If I fill in a domain account correctly, I get logged on. Without correct credentials I get a 401 unauthorised error, just like in that other topic.
It would be nice if it would show the normal logon screen when SSO fails.
Before I started with SSO, I had the LDAP authentication working.

A part of Config.pm

# Two LDAP hosts; OTRS tries them in this order.
my @ldaphosts = ('ldap-001.gcecad-service.local','ldap-002.gcecad-service.local');

# First backend: take the user from REMOTE_USER (set by Apache after the Kerberos
# handshake) and strip the realm suffix so it matches the customer login name.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@GCECAD-SERVICE.LOCAL';
# Pages shown instead of the OTRS login/logout screens while HTTPBasicAuth is active.
$Self->{CustomerPanelLoginURL} = 'https://helpdesk.gcecad-service.nl/not-authorised-for-otrs.html';
$Self->{CustomerPanelLogoutURL} = 'https://helpdesk.gcecad-service.nl/thanks-for-using-otrs.html';

# Second backend (the "2" suffix chains it after the first): bind against LDAP
# with the credentials typed into the normal login form.
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = \@ldaphosts;
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'ou=gebruikers,ou=gcecad-service,dc=gcecad-service,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
In Firefox ESR 38.6.0 I have set these preferences to ".gcecad-service.nl":
network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.trusted-uris
network.negotiate-auth.delegation-uris
My home machine has the same browser, but with or without these settings it gives the window in the screenshot.

I would expect I would get a 404 error, because I would be sent to the not-authorised-for-otrs.html page, but alas.

Is there anybody who can give me a clue why the fallback doesn't seem to work?
Last edited by jjurkus on 05 Feb 2016, 14:49, edited 1 time in total.
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.

Re: SSO fallback

Post by jjurkus »

Oh, just bloody great... After typing this post I searched again, and I found a few topics:

viewtopic.php?t=15422
viewtopic.php?t=24786

Can someone with working SSO and fallback to LDAP show their apache config?

Re: SSO fallback

Post by jjurkus »

I finally got it working!

I first had an apache location set like this:

<Location /otrs>
Kerbstuff blah
</Location>
I finally saw others with this configuration, which is using a directory directive:

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    AuthName "OTRS login"
    AuthType Kerberos
    # Kerberos realm, upper case (e.g. EXAMPLE.COM)
    KrbAuthRealms MYREALM
    # Service part of the HTTP/<fqdn>@REALM principal stored in the keytab
    KrbServiceName HTTP
    # Keytab for that principal; keep it readable by the httpd user only
    Krb5Keytab /etc/httpd/conf.d/keytab-file
    # SPNEGO/Negotiate for browsers on domain-joined machines
    KrbMethodNegotiate on
    # No Basic-auth password prompt handled by mod_auth_kerb itself
    KrbMethodK5Passwd off
    KrbAuthoritative on
    KrbSaveCredentials  off
    Require valid-user
    Options +ExecCGI -Includes
    # Apache 2.2 access syntax; on 2.4 this needs mod_access_compat
    Order allow,deny
    Allow from all
</Directory>
This fixed the Apache part: it didn't keep asking for a Kerberos password and didn't give me an 'unauthorised' error from Apache.

The 'fallback' part in Config.pm is the thing I don't get:

# Pages shown instead of the OTRS login/logout screens (see the admin manual link below)
$Self->{CustomerPanelLoginURL} = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->{CustomerPanelLogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';
This is mentioned here: https://otrs.github.io/doc/manual/admin ... kends.html

When not using these, it finally worked for users not logged on to a domain machine.

Things that helped me are the topics mentioned before, and a few of these links:
http://mbechler.eenterphace.org/blog/in ... d-PHP.html
http://www.grolmsnet.de/kerbtut/index.html
https://help.ubuntu.com/community/Kerberos

Re: [Solved] SSO fallback

Post by jjurkus »

Well, that almost made it work... :(
When the Kerberos tickets expired half of it didn't work any more.

I've replaced mod_auth_kerb with mod_auth_gssapi, which aims to be "a replacement for the aging mod_auth_kerb."
https://github.com/modauthgssapi/mod_auth_gssapi

Apache config:

# mod_auth_gssapi: only customer.pl itself is protected, so the 401 page can
# live next to it without being challenged again.
<Location /otrs/customer.pl>
    AuthType GSSAPI
    AuthName "Helpdesk login"
    # Keytab holding HTTP/<fqdn>@REALM; keep it readable by the httpd user only
    GssapiCredStore keytab:/etc/httpd/conf.d/otrs.keytab
    Require valid-user
    # Served when no (or an invalid) Negotiate token arrives. The target must lie
    # outside this <Location>, otherwise the sub-request is challenged again.
    ErrorDocument 401 /otrs/customer2.pl?Action=PreLogin
</Location>

# customer2.pl is an untouched copy of customer.pl that Apache does not protect;
# redo this after any update that replaces customer.pl.
# cp /opt/otrs/bin/cgi-bin/customer.pl /opt/otrs/bin/cgi-bin/customer2.pl
# cp /opt/otrs/bin/fcgi-bin/customer.pl /opt/otrs/bin/fcgi-bin/customer2.pl
Yes, I had to copy customer.pl to customer2.pl, otherwise the redirection for the SSO fallback would continue in a loop. Any ideas for that? This probably isn't the most correct solution; after an update you might have to copy customer.pl again, but it works! :D
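The loop in the post above comes from how Apache resolves a local ErrorDocument: it is an internal sub-request, so if the 401 page lives inside the same protected <Location>, that sub-request is challenged for a Negotiate token too and the fallback page is never delivered. The following is an added example (not code from the thread or from the Znuny/OTRS project) that models that resolution with Apache's <Location> prefix-match rule; the paths are the ones from the thread, the host name is made up, and the "looping" configuration is reconstructed from the earlier `<Location /otrs>` attempt with a PreLogin ErrorDocument.

```python
"""Model of Apache's ErrorDocument 401 handling inside a Kerberos-protected <Location>.

Added example, not from the thread or the Znuny/OTRS project. It models only the
<Location> prefix match and the internal sub-request for the error document;
the real handshake (SPNEGO token validation) is reduced to a has_ticket flag.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AuthLocation:
    """A <Location> block with AuthType GSSAPI, Require valid-user and an ErrorDocument 401."""
    location: str        # e.g. "/otrs" or "/otrs/customer.pl"
    error_document: str  # local ErrorDocument 401 target, may carry a query string


def location_matches(location: str, path: str) -> bool:
    """Apache <Location> matches the path itself and everything below it
    (prefix match on a '/' boundary), not arbitrary substrings."""
    loc = location.rstrip("/")
    return path == loc or path.startswith(loc + "/")


def protected_by(config, path: str):
    """Return the AuthLocation that protects a request path, or None."""
    return next((loc for loc in config if location_matches(loc.location, path)), None)


def fallback_result(config, url: str, has_ticket: bool) -> str:
    """Classify what the client ends up with.

    'ok'       - served: no auth required, or a valid Negotiate ticket was presented
    'fallback' - 401 answered with the ErrorDocument page (the PreLogin screen)
    'loop'     - the ErrorDocument target is itself inside a protected <Location>,
                 so the sub-request is challenged again and the fallback page
                 never reaches the browser
    """
    path = urlsplit(url).path
    loc = protected_by(config, path)
    if loc is None or has_ticket:
        return "ok"
    target = urlsplit(loc.error_document).path  # ErrorDocument is matched by path only
    if protected_by(config, target) is not None:
        return "loop"
    return "fallback"


# Reconstructed earlier attempt: whole /otrs tree protected, 401 page inside that tree.
LOOPING = [AuthLocation("/otrs", "/otrs/customer.pl?Action=PreLogin")]

# Working config from the thread: only customer.pl protected, 401 page is the
# unprotected copy customer2.pl.
WORKING = [AuthLocation("/otrs/customer.pl", "/otrs/customer2.pl?Action=PreLogin")]

URL = "https://helpdesk.example.test/otrs/customer.pl"  # hypothetical host


if __name__ == "__main__":
    for name, cfg in (("looping", LOOPING), ("working", WORKING)):
        for ticket in (False, True):
            print(f"{name:8} ticket={ticket!s:5} -> {fallback_result(cfg, URL, ticket)}")
```

Running it shows the two configurations side by side: without a ticket the reconstructed `/otrs` setup yields `loop` while the `customer.pl` / `customer2.pl` split yields `fallback`, and with a ticket both serve the page. The same check applies to any other path-based fallback: whatever the ErrorDocument points at must not match a <Location> or <Directory> that requires a valid user.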
root
Administrator
Posts: 4236
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: [Solved] SSO fallback

Post by root »

I've done it with another application running under Apache httpd and I also had to copy the ErrorDocument to an existing file. A simple Alias won't work.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?