SSO with LDAP (HowTo)
Posted: 22 May 2012, 14:31
Hey everyone,
Surprisingly, accomplishing SSO on Mantis wasn't that hard. This HowTo is meant for plugin developers with basic knowledge; it's not a finished "just install me and you are done" plugin.
You first need a running LDAP integration, which I won't cover (there are plenty of guides). Second, you have to modify your webserver so it challenges you against your LDAP. I used mod_auth_sspi with Apache 2:
http://sourceforge.net/projects/mod-auth-sspi/
IIS should have an equivalent NTLM solution. Then add a .htaccess to your Mantis directory; with this it will challenge for a username and password. IE automatically sends your domain credentials, Firefox needs a little tweak:
http://sivel.net/2007/05/firefox-ntlm-sso/
.htaccess
Code:
AuthName "My Intranet"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
require valid-user
Once all that is set you should have a REMOTE_USER entry in your $_SERVER array; after that it was rather easy.
I hooked the event EVENT_CORE_READY and did a little check:
Code:
function autoLogin()
{
    # Already logged in through a normal Mantis session: nothing to do
    if (auth_is_user_authenticated())
        return;
    # Without the webserver challenge there is no REMOTE_USER; don't guess one
    if (empty($_SERVER['REMOTE_USER']))
        return;
    # REMOTE_USER is domain\username
    $username = explode('\\', $_SERVER['REMOTE_USER'], 2);
    if (count($username) != 2)
        return;
    $t_user_id = user_get_id_by_name($username[1]);
    # If user has a valid id, log in
    if ($t_user_id)
    {
        # Mantis login bookkeeping, the same steps auth_attempt_login() does
        user_increment_login_count( $t_user_id );
        user_reset_failed_login_count_to_zero( $t_user_id );
        user_reset_lost_password_in_progress_count_to_zero( $t_user_id );
        auth_set_cookies($t_user_id, true);
        auth_set_tokens($t_user_id);
    }
}
And that's it. It would basically work without Mantis LDAP too, but it would fail on users not present yet; if you get your webserver AND Mantis into your directory, Mantis auto-creates unknown users that it can find in the directory.
You could further get the LDAP fields and grant the access level based on the OU; that would move the whole access level part out of Mantis into your AD (I'm working on that one ^^)
Code:
$ldapFields = explode(",", ldap_get_field_from_username($username[1], "distinguishedname"));
# If in Technik he becomes Admin, Entwickler becomes Dev, etc.  TODO: put this in an INI file
# changeAccessLevel() is the plugin's own helper (not shown in this post)
if (array_search("OU=Technik", $ldapFields) !== false)
    $this->changeAccessLevel($t_user_id, ADMINISTRATOR);
elseif (array_search("OU=Entwickler", $ldapFields) !== false)
    $this->changeAccessLevel($t_user_id, DEVELOPER);