SSO with LDAP (HowTo)

simon.k
Posts: 13
Joined: Apr 27, 2012 1:26 am
Location: Germany

SSO with LDAP (HowTo)

Post by simon.k » May 22, 2012 9:31 am

Hey everyone,

Surprisingly, accomplishing an SSO on mantis wasn't that hard. This HowTo is meant for plugin developers with basic knowledge; it's not a finished "just install me and you are done" plugin.

You first need a running LDAP integration; I won't cover that part, there are plenty of guides. Second, you have to modify your webserver so it challenges you against your LDAP. I used mod_auth_sspi with apache2:
http://sourceforge.net/projects/mod-auth-sspi/

IIS should have an equivalent NTLM solution. Then add a .htaccess into your mantis; with this it will challenge for a username and password. IE autosends your domain credentials, Firefox needs a little tweak:
http://sivel.net/2007/05/firefox-ntlm-sso/

.htaccess

Code:

AuthName "My Intranet"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
require valid-user

Once all that is set you should have a [REMOTE_USER] in your $_SERVER variable, after that it was rather easy.

I hooked the event EVENT_CORE_READY and did a little check

Code:

function autoLogin()
{
	# Nothing to do if a Mantis session already exists
	if ( auth_is_user_authenticated() ) {
		return;
	}

	# The web server sets REMOTE_USER only after a successful challenge
	if ( empty( $_SERVER['REMOTE_USER'] ) ) {
		return;
	}

	# REMOTE_USER is domain\username
	$username = explode( '\\', $_SERVER['REMOTE_USER'] );
	if ( !isset( $username[1] ) ) {
		return;
	}
	$t_user_id = user_get_id_by_name( $username[1] );

	# If the user has a valid id, log in
	if ( $t_user_id ) {
		# Mantis login
		user_increment_login_count( $t_user_id );

		user_reset_failed_login_count_to_zero( $t_user_id );
		user_reset_lost_password_in_progress_count_to_zero( $t_user_id );

		auth_set_cookies( $t_user_id, true );
		auth_set_tokens( $t_user_id );
	}
}

And that's it. It would basically work without mantis LDAP too, but it would fail on users not present yet; if you get your webserver AND mantis into your directory, mantis auto-creates unknown users that it can find in the directory.

You could further get the LDAP fields and grant access level based on the OU, that would move the whole access level part out of mantis into your AD (I'm working on that one ^^)

Code:

$ldapFields = explode(",", ldap_get_field_from_username($username[1], "distinguishedname"));

# If Technik, the user becomes admin, Entwickler becomes dev, etc. TODO: move into an INI file
if (array_search("OU=Technik", $ldapFields) !== false)
	$this->changeAccessLevel($t_user_id, ADMINISTRATOR);
elseif (array_search("OU=Entwickler", $ldapFields) !== false)
	$this->changeAccessLevel($t_user_id, DEVELOPER);
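
The REMOTE_USER handling from the post above, as an added example that is not part of the original post or of MantisBT: it checks the domain part against an allow-list instead of discarding it, and rejects anything that is not a plain DOMAIN\username. The names ALLOWED_DOMAINS and remote_user_to_login, the domain EXAMPLE, and the character set (taken from the error #805 text quoted later in this thread) are assumptions.

```php
<?php
# Added example, not from the original post or from MantisBT.
# ALLOWED_DOMAINS and remote_user_to_login() are hypothetical names.
const ALLOWED_DOMAINS = ['EXAMPLE'];   # constructed NetBIOS domain name

/**
 * Turn a web-server supplied REMOTE_USER into a bare login name,
 * or return null when it must not be used for auto-login.
 */
function remote_user_to_login(?string $remoteUser): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null;                  # the server did not authenticate anyone
    }
    # SSPI reports DOMAIN\username; require exactly that shape.
    $parts = explode('\\', $remoteUser);
    if (count($parts) !== 2) {
        return null;
    }
    [$domain, $login] = $parts;
    # If the domain is dropped unchecked, a same-named account from any
    # other domain the server accepts maps onto the same Mantis user.
    if (!in_array(strtoupper($domain), ALLOWED_DOMAINS, true)) {
        return null;
    }
    # Character set from the error #805 text quoted in this thread
    # (assumption: this is not MantisBT's own validation code).
    if (!preg_match('/^[A-Za-z0-9 .+_-]+$/D', $login)) {
        return null;
    }
    return $login;
}

# Constructed sample values, shaped like REMOTE_USER after SSPI auth.
$samples = ['EXAMPLE\\jdoe', 'example\\j.doe', 'OTHER\\jdoe', 'jdoe', 'EXAMPLE\\j<doe', ''];
foreach ($samples as $s) {
    $login = remote_user_to_login($s);
    printf("%-18s => %s\n", "[$s]", $login ?? 'rejected');
}
```

Only the first two samples yield a login name; the result would then be passed to user_get_id_by_name() in place of $username[1].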

Lapinkiller
Posts: 408
Joined: Jan 28, 2011 1:47 pm
Location: France

Re: SSO with LDAP (HowTo)

Post by Lapinkiller » May 24, 2012 4:53 am

Hello,
Have you tried on a "Unix" server with apache2?
Lapinkiller,
French PHP developer
New look for your mantis : http://www.mantisbt.org/forums/viewtopi ... =4&t=20055

simon.k
Posts: 13
Joined: Apr 27, 2012 1:26 am
Location: Germany

Re: SSO with LDAP (HowTo)

Post by simon.k » May 24, 2012 5:45 am

Not on a Linux box, no; you need the webserver inside your domain for SSPI to work.

I ran it on Windows XAMPP + SSPI and Windows 2008 SBS IIS + Windows auth - working as intended.

raporu78
Posts: 1
Joined: Sep 07, 2012 5:23 am

Re: SSO with LDAP (HowTo)

Post by raporu78 » Sep 07, 2012 5:30 am

Hi simon

Can you please point out where you put the auto_login function?

Thx ralf

simon.k
Posts: 13
Joined: Apr 27, 2012 1:26 am
Location: Germany

Re: SSO with LDAP (HowTo)

Post by simon.k » Sep 10, 2012 1:40 am

Check the documentation for plugins and events...you don't modify the core.

JeromyK
Posts: 22
Joined: Mar 01, 2012 3:12 am

Re: SSO with LDAP (HowTo)

Post by JeromyK » Jan 23, 2014 7:01 am

Hello everybody

For me, this implementation looks simple and I am wondering why it's not part of standard mantis already. I couldn't find a project about SSO authentication. Is there one? To build a plugin or so?

Jeromy

davewood
Posts: 1
Joined: Feb 04, 2016 2:42 pm

Re: SSO with LDAP (HowTo)

Post by davewood » Feb 04, 2016 2:45 pm

I used the information in this thread to create a plugin.

Feedback very much welcome.

https://github.com/davewood/mantis-basic-auth

supportGuy
Posts: 2
Joined: Nov 17, 2018 7:10 pm

Re: SSO with LDAP (HowTo)

Post by supportGuy » Nov 17, 2018 7:17 pm

Hi davewood
Since you welcome feedback...
I have tried your plugin, but I am getting
APPLICATION ERROR #805
The username is invalid. Usernames may only contain Latin letters, numbers, spaces, hyphens, dots, plus signs and underscores.
Not sure if I am missing something here since my php knowledge is poor.
I have activated the plugin and made the changes in the config_inc.php, not sure what else I need to do. Help is welcome :)
