
OCS Inventory NG LDAP + SSO


OCS Inventory NG version : 2.12.1

Active Directory 2012

Hello,

I have installed the OCS Inventory NG server and am trying to set up LDAP with SSO on it, but it doesn't work.

On my OCS server I set up LDAP and everything works fine. Then I got my Apache2 server to authenticate users with mod_auth_gssapi (AD backend). Then I set this option in /usr/share/ocsinventory-reports/ocsreports/var.php:

define('AUTH_TYPE', 4);

Then I restarted my Apache2 web server. I expected that my users could log in to the server using SSO.

But I get a blank page instead.

[Screenshot: blank page]

Does anyone know how to solve this problem and is it possible to configure LDAP+SSO in OCS Inventory NG?


Solution

  • This is a short guide on how to set up OCS Inventory NG LDAP SSO.

    We have:

    Ubuntu 22.04 for OCS Inventory NG

    Active Directory 2012

    Domain Name: example.com

    Steps:

    1. Set up the OCS Inventory server.

    2. Set up the LDAP configuration.

    3. Install Kerberos client and Apache2 mod_auth_gssapi.

    apt-get install krb5-user libapache2-mod-auth-gssapi

    4. Create user "ocs_sso" for OCS Inventory NG SSO in Active Directory.

    5. Create keytab file.

    ktpass -princ HTTP/ocs.example.com@EXAMPLE.COM -mapuser ocs_sso@EXAMPLE.COM -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out D:\krb5.keytab
    

    6. Copy the keytab file to the OCS Inventory NG server, for example to /etc/krb5.keytab.

    7. Edit krb5.conf file:

    [libdefaults]
            default_realm = EXAMPLE.COM
            krb4_config = /etc/krb.conf
            krb4_realms = /etc/krb.realms
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true
            default_tgs_enctypes = AES256-SHA1
            default_tkt_enctypes = AES256-SHA1
            preferred_enctypes = AES256-SHA1
            v4_instance_resolve = false
            v4_name_convert = {
                    host = {
                            rcmd = host
                            ftp = ftp
                            }
                    plain = {
                            something = something-else
                            }
                    }
            fcc-mit-ticketflags = true
    [realms]
            EXAMPLE.COM = {
            kdc = example.com
            admin_server = example.com
            default_domain = EXAMPLE.COM
            }
    [domain_realm]
            .example.com = EXAMPLE.COM
            example.com = EXAMPLE.COM
    [login]
            krb4_convert = true
            krb4_get_tickets = false
    

    8. Check whether you can authenticate from your OCS Inventory NG server against Active Directory with your keytab file:

    kinit -V -k -t /etc/krb5.keytab HTTP/ocs.example.com@EXAMPLE.COM

    The output should look something like this:

    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/ocs.example.com@EXAMPLE.COM
    Using keytab: /etc/krb5.keytab
    Authenticated to Kerberos v5
    

    9. Edit your Apache2 000-default.conf file.

    Add into <VirtualHost *:80> section:

        <Directory /usr/share/ocsinventory-reports/ocsreports>
          AuthName "OCS Inventory NG"
          AuthType GSSAPI
          #GssapiAllowedMech krb5
          #GssapiBasicAuth On
          GssapiLocalName On
          GssapiCredStore keytab:/etc/krb5.keytab
          require valid-user
        </Directory>
    

    10. Restart Apache2 service:

    service apache2 restart

    11. If you get a blank page after logging into the OCS Inventory NG server, you can try this solution:

    https://github.com/OCSInventory-NG/OCSInventory-ocsreports/issues/1570
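As an added check that is not part of the original answer: step 5 uses ktpass -crypto ALL, which writes RC4 and DES keys into the keytab next to the AES keys, while the krb5.conf in step 7 only lists AES enctypes. The script below, written for this thread, inspects a saved "klist -kte" listing and confirms that the keytab holds the HTTP/ocs.example.com@EXAMPLE.COM principal from the post and contains no weak keys; the listings are constructed samples, and the principal name is assumed from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a keytab
# listing before enabling AuthType GSSAPI. It works on the text printed by
# "klist -kte /etc/krb5.keytab", so it can be run against a saved listing.
# Hostname and realm follow the post: HTTP/ocs.example.com@EXAMPLE.COM.

PRINC='HTTP/ocs.example.com@EXAMPLE.COM'

# Constructed sample, shaped like "klist -kte" output. ktpass -crypto ALL
# (as in step 5) writes RC4 and DES keys next to the AES ones.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   3 01/01/1970 00:00:00 HTTP/ocs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/01/1970 00:00:00 HTTP/ocs.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 01/01/1970 00:00:00 HTTP/ocs.example.com@EXAMPLE.COM (arcfour-hmac)
   3 01/01/1970 00:00:00 HTTP/ocs.example.com@EXAMPLE.COM (DEPRECATED:des-cbc-md5)'

# Constructed AES-only listing, as produced by ktpass -crypto AES256-SHA1.
SAMPLE_LISTING_AES='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   3 01/01/1970 00:00:00 HTTP/ocs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# 0 if the listing has a key for the service principal the browser will
# request; Apache cannot accept tickets for a name missing from the keytab.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2[[:space:]]"
}

# Print the weak enctypes (RC4, DES) present for the principal, one per line.
keytab_weak_enctypes() {
    printf '%s\n' "$1" | grep "$2" \
        | sed -n 's/.*(\(.*\))$/\1/p' \
        | grep -Ei 'arcfour|rc4|des-cbc' || true
}

# Number of weak keys; 0 means the keytab is AES-only.
keytab_weak_count() {
    keytab_weak_enctypes "$1" "$2" | awk 'END { print NR }'
}

# Overall gate: principal present and no weak keys.
keytab_ok() {
    keytab_has_principal "$1" "$2" || return 1
    [ "$(keytab_weak_count "$1" "$2")" -eq 0 ]
}

keytab_ok "$SAMPLE_LISTING" "$PRINC" || echo "weak keys: $(keytab_weak_enctypes "$SAMPLE_LISTING" "$PRINC" | tr '\n' ' ')"
```

On a real server replace the sample variables with "$(klist -kte /etc/krb5.keytab)"; if weak keys show up, regenerate the keytab with -crypto AES256-SHA1 so the keytab matches the enctypes pinned in krb5.conf.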