SSO with LDAP (HowTo)

simon.k
Posts: 13
Joined: 27 Apr 2012, 06:26
Location: Germany

SSO with LDAP (HowTo)

Post by simon.k »

Hey everyone,

Surprisingly, accomplishing SSO on Mantis wasn't that hard. This HowTo is meant for plugin developers with basic knowledge; it's not a finished "just install me and you are done" plugin.

First, you need a running LDAP integration. I won't cover that part, there are plenty of guides. Second, you have to modify your webserver so it challenges you against your LDAP. I used mod_auth_sspi with apache2:
http://sourceforge.net/projects/mod-auth-sspi/

IIS should have an equivalent NTLM solution. Then add a .htaccess to your Mantis; with this it will challenge for a username and password. IE auto-sends your domain credentials, Firefox needs a little tweak:
http://sivel.net/2007/05/firefox-ntlm-sso/

.htaccess

Code:

AuthName "My Intranet"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
require valid-user

Once all that is set you should have a [REMOTE_USER] in your $_SERVER variable; after that it was rather easy.

I hooked the event EVENT_CORE_READY and did a little check

Code:

function autoLogin()
{
	# Nothing to do if the user already has a Mantis session
	if ( auth_is_user_authenticated() ) {
		return;
	}

	# REMOTE_USER is only set once the webserver has authenticated the request
	if ( empty( $_SERVER['REMOTE_USER'] ) ) {
		return;
	}

	# REMOTE_USER is domain\username
	$username = explode( '\\', $_SERVER['REMOTE_USER'] );
	if ( count( $username ) !== 2 ) {
		return;
	}
	$t_user_id = user_get_id_by_name( $username[1] );

	# If user has a valid id, log in
	if ( $t_user_id ) {
		# Mantis Login
		user_increment_login_count( $t_user_id );

		user_reset_failed_login_count_to_zero( $t_user_id );
		user_reset_lost_password_in_progress_count_to_zero( $t_user_id );

		auth_set_cookies( $t_user_id, true );
		auth_set_tokens( $t_user_id );
	}
}

And that's it. It would basically work without Mantis LDAP too, but it would fail on users not present yet; if you get your webserver AND Mantis into your directory, Mantis auto-creates unknown users that it can find in the directory.

You could further get the LDAP fields and grant an access level based on the OU; that would move the whole access level part out of Mantis into your AD (I'm working on that one ^^)

Code:

$ldapFields = explode(",", ldap_get_field_from_username($username[1], "distinguishedname"));

# If Technik, the user becomes admin, Entwickler becomes dev, etc. TODO: move to INI
if (array_search("OU=Technik", $ldapFields) !== false)
	$this->changeAccessLevel($t_user_id, ADMINISTRATOR);
elseif (array_search("OU=Entwickler", $ldapFields) !== false)
	$this->changeAccessLevel($t_user_id, DEVELOPER);
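
A stricter take on the two parsing steps in the post above (REMOTE_USER and the OU lookup), as an added example that is not part of the original post or of MantisBT. The function names, the `EXAMPLE` domain and the sample DNs are assumptions; the allowed character set follows the error #805 text quoted later in this thread, and levels are returned as names for the caller to map to Mantis constants.

```php
<?php
// Added example: function names and all sample values are hypothetical/constructed.

// Return the account name from a DOMAIN\user value, or null when the value is
// missing, malformed, from another domain, or outside the allowed character set.
function parse_remote_user(?string $raw, string $allowedDomain): ?string
{
    if ($raw === null || substr_count($raw, '\\') !== 1) {
        return null; // unset, or not exactly DOMAIN\user
    }
    [$domain, $user] = explode('\\', $raw);
    if (strcasecmp($domain, $allowedDomain) !== 0) {
        return null; // same account name in a different domain is a different person
    }
    return preg_match('/^[A-Za-z0-9_.+ -]+$/', $user) === 1 ? $user : null;
}

// Return the level name for the first OU in $ouLevels that is a real RDN of $dn,
// or null. Splits on unescaped commas only, so "\," inside a value stays intact.
function access_level_for_dn(string $dn, array $ouLevels): ?string
{
    $ous = [];
    foreach (preg_split('/(?<!\\\\),/', $dn) as $rdn) {
        $parts = explode('=', trim($rdn), 2);
        if (count($parts) === 2 && strcasecmp($parts[0], 'OU') === 0) {
            $ous[] = strtolower($parts[1]);
        }
    }
    foreach ($ouLevels as $ou => $level) {
        if (in_array(strtolower($ou), $ous, true)) {
            return $level;
        }
    }
    return null;
}

// Constructed sample input: [REMOTE_USER, distinguishedName]
$levels = ['Technik' => 'ADMINISTRATOR', 'Entwickler' => 'DEVELOPER'];
$cases = [
    ['EXAMPLE\\jdoe',   'CN=Doe\\, Jane,OU=Entwickler,DC=example,DC=local'],
    ['OTHER\\jdoe',     'CN=jdoe,OU=Technik,DC=other,DC=local'],
    ['EXAMPLE\\msmith', 'CN=x\\,OU=Technik,OU=Users,DC=example,DC=local'],
    ['jdoe',            'CN=jdoe,OU=Technik,DC=example,DC=local'],
];
foreach ($cases as [$remoteUser, $dn]) {
    $user = parse_remote_user($remoteUser, 'EXAMPLE');
    $level = $user === null ? null : access_level_for_dn($dn, $levels);
    printf("%-16s user=%-10s level=%s\n", $remoteUser, $user ?? '(rejected)', $level ?? '(none)');
}
```

In the third constructed case a plain `explode(",")` would produce an `OU=Technik` piece from inside the CN value; splitting on unescaped commas keeps it part of the CN, so no level is granted from it.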
Lapinkiller
Posts: 408
Joined: 28 Jan 2011, 18:47
Location: France
Contact:

Re: SSO with LDAP (HowTo)

Post by Lapinkiller »

Hello,
Have you tried on a "Unix" server with apache2?
Lapinkiller,
French PHP developer
New look for your mantis : http://www.mantisbt.org/forums/viewtopi ... =4&t=20055
simon.k
Posts: 13
Joined: 27 Apr 2012, 06:26
Location: Germany

Re: SSO with LDAP (HowTo)

Post by simon.k »

Not on a Linux box, no, you need the webserver inside your domain for SSPI to work.

I ran it on Windows XAMPP + SSPI and Windows 2008 SBS IIS + Windows auth - working as intended.
raporu78
Posts: 1
Joined: 07 Sep 2012, 10:23

Re: SSO with LDAP (HowTo)

Post by raporu78 »

Hi simon

Can you please point out where you put the auto_login function?

Thx ralf
simon.k
Posts: 13
Joined: 27 Apr 2012, 06:26
Location: Germany

Re: SSO with LDAP (HowTo)

Post by simon.k »

Check the documentation for plugins and events...you don't modify the core.
JeromyK
Posts: 22
Joined: 01 Mar 2012, 08:12

Re: SSO with LDAP (HowTo)

Post by JeromyK »

Hello everybody

For me, this implementation looks simple and I am wondering why it's not part of standard Mantis already. I couldn't find a project about SSO authentication. Is there one? To build a plugin or so?

Jeromy
davewood
Posts: 1
Joined: 04 Feb 2016, 19:42

Re: SSO with LDAP (HowTo)

Post by davewood »

I used the information in this thread to create a plugin.

Feedback very much welcome.

https://github.com/davewood/mantis-basic-auth
supportGuy
Posts: 2
Joined: 18 Nov 2018, 00:10

Re: SSO with LDAP (HowTo)

Post by supportGuy »

Hi davewood
Since you welcome feedback...
I have tried your plugin, but I am getting
APPLICATION ERROR #805
The username is invalid. Usernames may only contain Latin letters, numbers, spaces, hyphens, dots, plus signs and underscores.
Not sure if I am missing something here since my PHP knowledge is poor.
I have activated the plugin and made the changes in the config_inc.php, not sure what else I need to do. Help is welcome :)