Single Sign-On with Apache and Active Directory on Ubuntu Linux
Hello Guys,
A simple tutorial on how to set up SSO on Ubuntu against Active Directory.
Tested with: Ubuntu 10.10, AD running on Windows Server 2003 R2, users running Windows 7/XP with IE7/8.
1. First of all, install Apache and PHP:
sudo apt-get install apache2
sudo apt-get install php5
sudo apt-get install libapache2-mod-php5
sudo /etc/init.d/apache2 restart
2. Next, install the Apache2::AuthenNTLM module (the package depends on libapache2-mod-perl2, which apt installs with it):
sudo apt-get install libapache2-authenntlm-perl
3. Configure the module. Add the block below to /etc/apache2/apache2.conf (it protects all of /var/www/; to protect only one application, put that directory in the Directory line instead):
<Directory "/var/www/">
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Basic
require valid-user
PerlAddVar ntdomain "YOURDOMAIN DomainControllerHostname DomainControllerHostname"
PerlSetVar defaultdomain YOURDOMAIN
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmsemtimeout 2
#PerlSetVar ntlmdebug 2
</Directory>
Change YOURDOMAIN to the NetBIOS (short) name of your domain, for example TEST when the DNS name is test.local.com. The DNS name itself will not work here, because the module matches it against the domain name the Windows client sends in the NTLM handshake, which is the NetBIOS name. Change DomainControllerHostname to the hostnames of the domain controllers for your domain; the second DomainControllerHostname is not required if your setup does not have a second domain controller. The commented ntlmdebug line is only for troubleshooting (see step 7).
4. Check /etc/apache2/apache2.conf for 'KeepAlive Off' and change it to 'KeepAlive On'. NTLM authenticates the TCP connection rather than each request, so the browser and Apache must keep the same connection open between the challenge and the response; with KeepAlive Off the handshake never completes.
5. Now we need to modify /etc/resolv.conf, because the module contacts the domain controllers by the hostnames given in ntdomain and those names must resolve:
vi /etc/resolv.conf
Example of how it should look:
nameserver 192.168.0.2
nameserver 192.168.0.3
domain test.local.com
search test.local.com
where test.local.com is your Active Directory DNS domain name and the nameservers are the DNS servers for your Active Directory (normally the domain controllers).
Restart Apache:
/etc/init.d/apache2 restart
6. Now test that everything works.
Create a PHP info page: make a directory named secure in /var/www, and in /var/www/secure create a file named index.php. Open it with your favourite editor, let's say vi:
vi /var/www/secure/index.php
and paste the text below:
<?php
phpinfo();
?>
That's it.
Start Internet Explorer and open http://hostname/secure/ (use the short hostname without dots, so that IE treats the site as Local intranet and sends the Windows logon automatically; otherwise it may prompt for a password).
Search for the _SERVER["REMOTE_USER"] line; if you see your Windows logon name (without the DOMAIN\ prefix, which splitdomainprefix 1 strips), everything is fine. Since phpinfo() exposes the server configuration to anyone who can log in, remove or replace this page once the test is done.
7. ATTENTION: Windows 7/Vista/Server 2008/R2 users. These clients send NTLMv2 responses only by default, which the module does not handle, so you must change the LAN Manager authentication level from NTLMv2 to LM & NTLM.
To do this, press Start, run gpedit.msc and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level.
Set it to: Send LM & NTLM - use NTLMv2 session security if negotiated.
Be aware that this is a downgrade: LM and NTLMv1 responses are much weaker than NTLMv2 (they can be cracked or relayed by anyone on the network path), and the setting affects every connection the client makes, not only this web server. Apply it only to the machines that need it, preferably through a group policy scoped to them; a value set locally on a domain-joined machine is overridden by any domain policy for the same setting.
For troubleshooting, uncomment the #PerlSetVar ntlmdebug 2 line in step 3, restart Apache and check /var/log/apache2/error.log.
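If the browser test fails, the script below checks the three things that most often go wrong in the procedure above: KeepAlive not On (step 4), a DNS name instead of the NetBIOS name in ntdomain (step 3), and domain controllers that do not resolve or do not accept SMB (step 5). It is an added example, not code from the original post or from the Apache2::AuthenNTLM module. It assumes the Ubuntu layout used in the post (/etc/apache2/apache2.conf), the OpenBSD netcat that Ubuntu ships, and that the domain controllers accept SMB on TCP port 139, which is what the module's Authen::Smb backend connects to; the function and variable names (keepalive_on, netbios_name_ok, ntdomain_entries, dc_reachable, preflight, AD_CONF) are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the Apache2::AuthenNTLM setup described in the post.
# Added example, not part of the original post. Assumes the Ubuntu layout
# (/etc/apache2/apache2.conf), the OpenBSD netcat shipped with Ubuntu, and
# domain controllers that accept SMB on TCP 139 (what Authen::Smb uses).

# Step 4: NTLM authenticates the TCP connection, so KeepAlive must be On.
# Returns 0 only if the last KeepAlive directive in the file is On.
keepalive_on() {
    awk 'tolower($1) == "keepalive" { v = tolower($2) }
         END { if (v == "on") exit 0; exit 1 }' "$1"
}

# Step 3: the first field of "PerlAddVar ntdomain" must be the NetBIOS
# (short) domain name: no dots and at most 15 characters. A DNS name such
# as test.local.com never matches what a Windows client sends.
netbios_name_ok() {
    case "$1" in
        ""|*.*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Prints one line per ntdomain directive: "<domain> <dc1> [dc2 ...]".
# Accepts the quoted form used in the post and an unquoted form.
ntdomain_entries() {
    sed -n 's/^[[:space:]]*PerlAddVar[[:space:]]\{1,\}ntdomain[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1"
}

# Step 5: each domain controller must resolve (resolv.conf) and accept
# SMB on TCP 139. This one touches the network and is not run offline.
dc_reachable() {
    getent hosts "$1" >/dev/null 2>&1 \
        || { echo "cannot resolve $1: check nameserver/search in /etc/resolv.conf"; return 1; }
    nc -z -w 3 "$1" 139 >/dev/null 2>&1 \
        || { echo "$1 does not accept connections on TCP 139"; return 1; }
}

# Runs every check against a config file and reports each problem found.
preflight() {
    conf=${1:-/etc/apache2/apache2.conf}
    rc=0
    keepalive_on "$conf" || { echo "KeepAlive is not On in $conf (step 4)"; rc=1; }
    entries=$(ntdomain_entries "$conf")
    [ -n "$entries" ] || { echo "no PerlAddVar ntdomain in $conf (step 3)"; rc=1; }
    # here-doc instead of a pipe so that rc survives the loop
    while read -r dom dcs; do
        [ -n "$dom" ] || continue
        netbios_name_ok "$dom" \
            || { echo "ntdomain '$dom' is not a NetBIOS name: no dots, 15 chars max"; rc=1; }
        [ -n "$dcs" ] || { echo "ntdomain '$dom' lists no domain controller"; rc=1; }
        for dc in $dcs; do
            dc_reachable "$dc" || rc=1
        done
    done <<EOF
$entries
EOF
    if [ "$rc" -eq 0 ]; then echo "all checks passed for $conf"; fi
    return "$rc"
}

# Run the checks only when a config path is given, e.g.:
#   AD_CONF=/etc/apache2/apache2.conf sh preflight.sh
[ -z "${AD_CONF:-}" ] || preflight "$AD_CONF"
```

Run it on the server after step 5 with AD_CONF pointing at the file you edited; a non-zero exit with one message per problem tells you which step to revisit before you start looking at ntlmdebug output.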
Good luck