Single Sign On Active Directory

Michael Hall

Monday 03 March 2008 4:47:00 am

We're considering implementing an eZpublish intranet built on a RedHat server, located on a Windows 2003 Network. Current intranet solution is IIS/VBscript/.NET.

Management have made it clear that single sign on has to stay. Meaning that once a user logs on to a computer, no further logins are required to access the intranet.

Just as importantly, we need to be able to build a profile of that user (eg name, groups, email address, preferences) out of AD, probably using a Kerberos UPN or similar as user ID.

Also, we don't want to have to replicate and maintain a user database/directory separate from Active Directory.

I'm aware of the various technologies and HTTP server requirements involved (Kerberos, LDAP, mod_auth_kerb etc).

I'm wondering if the SPNEGO Integrated Windows Authentication described here ...

http://ez.no/developer/open_funding/suggestions_for_new_functionality/signal_sign_on_active_directory/we_ve_done_something_similar

... does this, or comes close? Has anyone had any experience with it?

Gaetano Giunta

Monday 03 March 2008 10:43:15 am

The most annoying drawback of using sso with apache auth and spnego is the fact that auth is not controlled by php anymore but directly by apache.

This means eg. that it is quite hard to have an intranet site that can be browsed at the same time by authenticated users or by anonymous ones. If apache sends the Kerberos auth challenge to the browser and the browser does not have an ad ticket, it will pop up the password dialog to the end user without php ever having had a chance to intercept any request.
If otoh all your clients are authenticated, this is not a big problem.

The spnego extension you mention can be of use (in fact it is a very general mechanism that can be used with any apache based auth, not only with spnego or ad), but it only tackles the 'recognizing an authenticated user' part. You should add extra effort in eg:
- disabling user/logout and user/login views
- either importing your ad users into ezpublish via batch processes or making sure they are imported on-demand at the time of their first login (it is quite hard right now to have eZ Publish working with a 100% external user base. Most of the external auth solutions rely on still having a user object inside eZ for every external user)
- mapping permissions/group membership from AD into eZ Publish. The ldap user php class that is provided in the standard eZ distribution is probably more interesting in that aspect

Principal Consultant International Business
Member of the Community Project Board
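
The PHP-side work listed in the reply above (recognizing the user Apache authenticated, importing on first login, mapping AD groups), sketched as an added example that is not part of the thread and uses no eZ Publish API. It assumes Apache exposes the principal as `user@REALM` in `REMOTE_USER` and that the `memberOf` values come from a separate LDAP lookup; the realm, group DNs, role names and the `$users` array standing in for the CMS user table are all constructed.

```php
<?php
// Added example; realm, DNs and role names are constructed, not taken from the thread.
const TRUSTED_REALMS = ['CORP.EXAMPLE.COM'];
const GROUP_ROLE_MAP = [   // full group DN (lowercased) => local role
    'cn=intranet-editors,ou=groups,dc=corp,dc=example,dc=com' => 'Editor',
    'cn=intranet-admins,ou=groups,dc=corp,dc=example,dc=com'  => 'Administrator',
];

// Parse the principal Apache places in REMOTE_USER after a successful Negotiate exchange.
function parse_principal(?string $remoteUser): ?array
{
    if ($remoteUser === null ||
        !preg_match('/^([A-Za-z0-9._-]{1,64})@([A-Za-z0-9.-]{1,255})$/D', $remoteUser, $m)) {
        return null;                       // unauthenticated or malformed: treat as anonymous
    }
    if (!in_array($m[2], TRUSTED_REALMS, true)) {
        return null;                       // ticket from a realm this site does not trust
    }
    return ['login' => strtolower($m[1]), 'realm' => $m[2]];
}

// Map memberOf values to roles by exact DN, so a same-named group in another OU gets nothing.
function map_roles(array $memberOf): array
{
    $roles = [];
    foreach ($memberOf as $dn) {
        $key = strtolower(trim($dn));
        if (array_key_exists($key, GROUP_ROLE_MAP)) {
            $roles[GROUP_ROLE_MAP[$key]] = true;
        }
    }
    $roles = array_keys($roles);
    sort($roles);
    return $roles;
}

// Create the local record on first login and refresh roles on every request.
function provision(array &$localUsers, array $principal, array $memberOf): array
{
    $id = $principal['login'] . '@' . $principal['realm'];
    $localUsers[$id] = $localUsers[$id] ?? ['login' => $principal['login']];
    $localUsers[$id]['roles'] = map_roles($memberOf);
    return $localUsers[$id];
}

// Constructed input: what REMOTE_USER and an LDAP memberOf lookup might contain.
$users = [];   // stand-in for the CMS user table
$who = parse_principal('JDoe@CORP.EXAMPLE.COM');
$memberOf = ['CN=Intranet-Editors,OU=Groups,DC=corp,DC=example,DC=com',
             'CN=intranet-admins,OU=Contractors,DC=corp,DC=example,DC=com'];
print_r($who ? provision($users, $who, $memberOf) : 'anonymous');
```

Roles are recomputed on every request rather than only at first login, so removing someone from an AD group takes effect without touching the local record.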
