
Single Sign-On, or Dancing Six



This note was originally written as a reminder to myself, but at the insistent request of my colleagues I finally, after a year and a half, gathered my courage and published it.


The material is prosaic, but it may be useful to someone, which would make me very happy. Even more, I would appreciate constructive advice and feedback.


So, our topic is "How to implement Single Sign-On for a web application in a motley and thoroughly shaggy zoo of systems".


Single Sign-On. Introduction


Trust someone, then trust them in everything.
© Caecilius Statius

For those who do not know (although they are unlikely to read this material), I would say that Single Sign-On (hereafter "SSO") in the conventional sense is not a technology, much less some kind of magic protocol. SSO is an approach, a method that provides AAA (Authentication & Authorization & Accounting) connectivity between heterogeneous systems and applications without additional gestures from the end user.


Typical examples of SSO are solutions built entirely on Microsoft products; in this case the Active Directory server(s) not only store the directory but also control the behavior of the workstations joined to the domain, the software installed on them and everything else, down to the hardware (we can all, for instance, forbid USB through group policies). In this situation the AAA paradigm is provided almost automatically when using Microsoft products, that is, in a homogeneous environment.


A heterogeneous IT structure is somewhat more complicated in terms of AAA transparency; however, many implementation methods have already been developed for such an environment, and there is no counting them.


As examples:



Two of the three points listed above are not related to SSO .


Guess which ones? :)


Axiom


In this article we assume that SSO is implemented and works exclusively within the intranet (in a corporate environment), and at the same time provides sufficient reliability, resilience and security.


Task


As input we have:



Let me say at once that there are simpler ways to solve this problem than the one described below, but we are not looking for them. Well, the customer's requirements were not the most unambiguous.


So, let's start!


We dance with penguins. Linux



Domain: Eukaryota, Kingdom: Animalia, Subkingdom: Eumetazoa, Phylum: Chordata, Subphylum: Vertebrata, Infraphylum: Gnathostomata, Superclass: Tetrapoda, Class: Aves, Subclass: Neornithes, Order: Sphenisciformes, Family: Spheniscidae, Species: Other, newly bred, Order: Penguins 7.2

Installation


We got a fully fledged descendant/clone of RHEL named Oracle Linux Server release 7.2.


Customization


As always, Linux in its server form is simple, carefree and reliable, but it is important for us to make sure it is configured properly, especially in terms of network settings.


Testing


First we look at the DNS settings, because this is critical for the health of the entire solution:


    [root@my-test-server ~]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search my-domain.ru
    nameserver 172.16.0.1
    nameserver 172.16.0.2

At this stage you need to check the availability of the DNS servers (which in our case are also the domain controllers). You can do this in different ways; just use your favorite utilities and verification methods (host, dig, telnet, ping, ...). It is important that the ports we need are reachable and working, and in the case of DNS this is primarily TCP/53. And do not forget about the paranoia and stinginess of network administrators and security people (I am one myself), who may close everything to you, including ICMP, and leave only the couple of ports that were requested and agreed. Which is the right thing to do.
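A pre-flight script for exactly this check, added here and not part of the original post. It treats the nameservers from resolv.conf as the domain controllers (as in this setup), probes the TCP ports a domain join and Kerberos need, and asks each server for the realm's Kerberos SRV record; the port list, the DOMAIN and RESOLV_CONF variables are assumptions to adjust to what your network team actually opened.

```shell
#!/bin/bash
# Added example, not from the original post: pre-flight check for the steps
# that follow. The nameservers in resolv.conf are our domain controllers here,
# so each one must accept TCP on the ports a join and Kerberos need, and must
# publish the realm's Kerberos SRV record. Assumptions: the port list (adjust
# to what your network team agreed to open) and the DOMAIN/RESOLV_CONF variables.
set -u
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
AD_PORTS="53 88 389 445 464"     # DNS, Kerberos, LDAP, SMB (net ads join), kpasswd

# Print the nameserver addresses from a resolv.conf-style file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if a TCP connection to $1:$2 opens within 3 seconds (bash /dev/tcp).
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Ask nameserver $1 for the Kerberos SRV record of domain $2; an empty answer
# usually means the box is not pointed at the domain's DNS at all.
srv_records() {
    dig +short @"$1" "_kerberos._tcp.$2" SRV
}

# Walk every nameserver and every port; return 1 if anything is unreachable.
check_all() {
    local ns port rc=0
    for ns in $(nameservers "$RESOLV_CONF"); do
        for port in $AD_PORTS; do
            if tcp_open "$ns" "$port"; then
                echo "ok   $ns:$port"
            else
                echo "FAIL $ns:$port"; rc=1
            fi
        done
        echo "SRV  $ns: $(srv_records "$ns" "$DOMAIN" | tr '\n' ' ')"
    done
    return "$rc"
}

# Live run only when a domain is given:  DOMAIN=my-domain.ru ./preflight.sh
if [ -n "${DOMAIN:-}" ]; then
    check_all
fi
```

Only TCP is probed, which is the page's point; UDP/53 and ICMP are left to whatever your admins agreed to.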


Dog Waltz. Kerberos



Cerberus, also Kerberos (from ancient Greek Κέρβερος, Latin Cerberus), in Greek mythology is the offspring of Typhon and Echidna (Tartarus and Gaia), a three-headed dog with a poisonous mixture flowing from its jaws. Cerberus guarded the exit from the realm of the dead, Hades, not allowing the dead to return to the world of the living. However, this amazing creature was defeated by Hercules in one of his labors.

I am sure there is no need to remind you that Kerberos must be configured properly for "fruitful cooperation" with MSAD.


Of course, to install and configure you need root rights on the server. Or sudo. Or "Call Saul."


Installation


Installing and configuring the necessary packages is quite simple, if the "evil network admins" have given your server access to the Internet.


Unfortunately, Internet access to the repositories is needed at the installation stage, unless the good admins have installed everything you need beforehand.


And everything is sad if there is neither access nor installed packages.


However, let us be optimistic and, assuming the admins have opened the channel for at least an hour, do the installation:


    [root@my-test-server ~]# yum install krb5-workstation
    [
    skipped
    ]
    ==============================================================
     Package
    ==============================================================
    : krb5-workstation x86_64 1.14.1-26.el7 ol7_latest 772 k
    : libkadm5         x86_64 1.14.1-26.el7 ol7_latest 172 k
    : krb5-libs        x86_64 1.14.1-26.el7 ol7_latest 741 k
    ==============================================================
    1  (+1 )  ( 1 )
    : 1.6 M
    Is this ok [y/d/N]: y
    Downloading packages:
    No Presto metadata available for ol7_latest
    (1/3): krb5-libs-1.14.1-26.el7.x86_64.rpm        | 741 kB  00:00:00
    (2/3): libkadm5-1.14.1-26.el7.x86_64.rpm         | 172 kB  00:00:00
    (3/3): krb5-workstation-1.14.1-26.el7.x86_64.rpm | 772 kB  00:00:00
    --------------------------------------------------------------------------------
                                                       3.9 MB/s | 1.6 MB  00:00:00
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    [
    skipped
    ]
    : krb5-workstation.x86_64 0:1.14.1-26.el7
    : libkadm5.x86_64 0:1.14.1-26.el7
    : krb5-libs.x86_64 0:1.14.1-26.el7
    !

Of course, the package manager you use and its version may differ, but this does not change the essence of the matter.


And yes, I promise that no more such exhaustive listings of a trivial installation will appear in this article.


Customization


A fully working Kerberos configuration file will initially look something like this:


    [root@my-test-server ~]# cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     dns_lookup_realm = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = MY-DOMAIN.RU
     default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
     MY-DOMAIN.RU = {
      kdc = ad.my-domain.ru
      admin_server = ad.my-domain.ru
     }

    [domain_realm]
     .my-domain.ru = MY-DOMAIN.RU
     my-domain.ru = MY-DOMAIN.RU

where ad.my-domain.ru must be the correct FQDN, allowed and reachable. This is important!


Testing


At this step, as a rule, everything goes very simply for us.
First, make sure that everything is bad:


    [root@my-test-server ~]# klist
    klist: Credentials cache keyring 'persistent:0:0' not found

We call in the specialists in three-headed dogs (AKA the sysadmin who knows the top-secret domain admin login/password) and ask him to enter it like this:


    [root@my-test-server ~]# kinit SuperPuperAdmin
    Password for SuperPuperAdmin@MY-DOMAIN.RU: ************************

After this, klist should return something meaningful.
We consider our dog finished, although...


It is well known that the Nissan is a nonsuchable Passat.

Dance of the Great Plains. Apache



Apache is a collective name for several culturally related tribes of North American Indians who speak the Apachean languages of the Athabaskan branch of the Na-Dene family.
The Apaches created their own breathtaking masked dance called Gahan, with which they celebrate girls' coming of age. The Apaches also still hold dance ceremonies for visions and predictions.

We begin to hunt together with the Apache Indians.


Installation


As before, packages are our everything (with the exception of the all-powerful shaman-admins, of course):


    [root@my-test-server ~]# yum install httpd
    [
    skipped
    ]
    : httpd.x86_64 0:2.4.6-45.0.1.el7
    : httpd-tools.x86_64 0:2.4.6-45.0.1.el7
    !

Customization


This, of course, is not enough, because the newly minted Indian does not yet know our language. We configure it like this:


    [root@my-test-server ~]# cat > /etc/httpd/conf.d/ensemble.conf
    DocumentRoot "/opt/isc/ensemble/csp"
    CSPModulePath /opt/isc/ensemble/csp/bin/
    LoadModule csp_module_sa /opt/isc/ensemble/csp/bin/CSPa24.so
    User cacheusr
    Group cacheusr
    <Location />
        CSP On
        SetHandler csp-handler-sa
    </Location>
    ServerName my-test-server.my-domain.ru
    <Directory />
        Options MultiViews FollowSymLinks
        AllowOverride None
        Require all granted
        <FilesMatch "\.(log|ini|pid|exe|so)$">
            Require all denied
        </FilesMatch>
    </Directory>
    HostnameLookups Off
    <Location /csp>
        CSP On
        SetHandler csp-handler-sa
    </Location>
    <Location "/csp/bin/Systems/">
        SetHandler cspsys-handler-sa
    </Location>
    <Location "/csp/bin/RunTime/">
        SetHandler csp-handler-sa
    </Location>
    CSPFileTypes csp cls zen cxw
    Alias /csp/ /opt/isc/ensemble/csp/
    <Directory "/opt/isc/ensemble/csp/">
        AllowOverride None
        Options MultiViews FollowSymLinks ExecCGI
        Require all granted
        <FilesMatch "\.(log|ini|pid|exe)$">
            Require all denied
        </FilesMatch>
    </Directory>

And give it a gentle kick:


    [root@my-test-server ~]# systemctl restart httpd

We make sure that it has learned to speak Russian by logging into the System Management Portal.


The Apaches were once a proud and independent people, it is in their blood, so with all due respect and courtesy we will ask Apache to start up together with our penguin soothsayer (that is, at boot):


    [root@my-test-server ~]# systemctl is-enabled httpd
    disabled
    [root@my-test-server ~]# systemctl enable httpd
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
    [root@my-test-server ~]# systemctl is-enabled httpd
    enabled

Having listened to "Pioneer Dawn", done our morning ablutions, walked the three-headed dog and combed the Indian, we move on to "Production Gymnastics", which today will be dancing (and even with tambourines).


We dance the Samba!



Samba (Portuguese: Samba) is a Brazilian dance, a symbol of Brazilian national identity. The dance gained worldwide fame thanks to the Brazilian carnivals. One variety of samba entered the compulsory five-dance Latin American ballroom program. It is performed at a tempo of 50-52 beats per minute, in 2/4 or 4/4 time.

As we all know perfectly well, our beloved Samba in its server version is quite logically divided into three main executable modules: (smb|nmb|winbind)d.


Theoretically we need only a working winbindd. Yes, this is just one of Samba's daemons. But installed separately from the whole package, for some reason it did not want to work on the existing platform, and I did not want to get to the bottom of its discontent.


Therefore, we install it in full.


Installation


The procedure is very simple, especially if your admin is dancing with you.


    [root@my-test-server ~]# yum install samba
    [
    skipped
    ]
    --->  samba.x86_64 0:4.4.4-9.el7
    [
    skipped
    ]
    1  (+12 )
    : 6.6 M
    : 23 M
    Is this ok [y/d/N]: y
    [
    skipped
    ]
    : samba.x86_64 0:4.4.4-9.el7
    : libaio.x86_64 0:0.3.109-13.el7  libldb.x86_64 0:1.1.26-1.el7  libtalloc.x86_64 0:2.1.6-1.el7
      libtdb.x86_64 0:1.3.8-1.el7_2  libtevent.x86_64 0:0.9.28-1.el7  libwbclient.x86_64 0:4.4.4-9.el7
      pytalloc.x86_64 0:2.1.6-1.el7  samba-client-libs.x86_64 0:4.4.4-9.el7  samba-common.noarch 0:4.4.4-9.el7
      samba-common-libs.x86_64 0:4.4.4-9.el7  samba-common-tools.x86_64 0:4.4.4-9.el7  samba-libs.x86_64 0:4.4.4-9.el7
    !

The suit is ready, we tighten the tie:


    [root@my-test-server ~]# yum install samba-winbind
    [
    skipped
    ]
    : samba-winbind.x86_64 0:4.4.4-9.el7
    : samba-winbind-modules.x86_64 0:4.4.4-9.el7
    !

Customization


It's not enough to come to the carnival, you also need to dance a little (with tambourines now):


    [root@my-test-server ~]# cat /etc/samba/smb.conf
    # See smb.conf.example for a more detailed config file or
    # read the smb.conf manpage.
    # Run 'testparm' to verify the config is correct after
    # you modified it.

    [global]
        workgroup = AD
        security = ads
        server string = my-test-server
        netbios name = my-test-server
        security = ads
        realm = my-domain.ru
        password server = *

We rehearse the first steps (of course, we stumble at first):


    [root@my-test-server ~]# systemctl restart winbind
    Job for winbind.service failed because the control process exited with error code. See "systemctl status winbind.service" and "journalctl -xe" for details.

We call on the dance teachers for help, and ("How many wonderful discoveries await us...") they turn out to be the very same dog trainers who helped us tame our three-headed puppy!


    [root@my-test-server ~]# net ads join -U SuperPuperAdmin@my-domain.ru
    Enter root's password: ************************

And we hope for a miracle... It all depends on the hands, and on the place they grow from...


"There are so many on the ground.
And different destinies,
Hope gives dawn.
Ferryman people"
© Prodigy & Rammstein, 2048

If then we see something like this:


    [root@my-test-server]# net ads info
    LDAP server: 172.16.0.123
    LDAP server name: AD.my-domain.ru
    Realm: MY-DOMAIN.RU
    Bind Path: dc=MYDOMAiN,dc=RU
    LDAP port: 389
    Server time: , 33  2049 17:48:12 ATL
    KDC server: 172.16.0.123
    Server time offset: 0

then Happiness is almost here!


Testing


We check its (Happiness's) availability:


    [root@my-test-server /]# wbinfo -g
    MYDOMAIN\proverka
    MYDOMAIN\
    MYDOMAIN\
    MYDOMAIN\
    MYDOMAIN\
    MYDOMAIN\
    MYDOMAIN\
    MYDOMAIN\
    MYDOMAIN\
    MYDOMAIN\windows
    MYDOMAIN\1c
    MYDOMAIN\
    MYDOMAIN\

There is contact!


The Ballad of mod_auth_ntlm_winbind



Before you dance a slow dance, you will have to invite someone to it, because it is not considered acceptable to move to it alone. Seize the moment and approach the girl you like. If you are going to dance a slow dance, announce your intention to the potential partner directly, without unnecessary wordiness. Do not be too cheeky and pushy; leave it to her to decide whether to agree or not. In the latter case, she refuses, but thanks you.

Installation


Find a live repository on the Web with mod_auth_ntlm_winbind.
Yes, there are few of them left alive (I took it from some svn).
Yes, the versions are not new at all.
Yes, you will need to build them "by hand".
Yes, not all of them will build.
Yes, even after manual patches and edits.
Yes, the build will require a fully set-up environment (gcc + glib + apxs + headers + *-dev + ...).
And YES, this is the only option I know of that works stably.


Customization


The configuration is more or less elementary: add the following to your Apache config file (the main one, or conf.d/xyz.conf if you prefer):


    <Directory "/opt/isc/ensemble/csp/myapp/">
        AuthName "NTLM my-domain.ru"
        NegotiateAuth on
        NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
        NTLMBasicAuthoritative on
        AuthType Negotiate
        require valid-user
        #LogLevel debug   ## uncomment for initial debugging
    </Directory>

Of course, the paths must be specified correctly for your installation, like all other parameters.


For initial debugging I advise uncommenting the LogLevel line; then additional and sometimes very useful messages will be written to the Apache log files.
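A check that the directory above is really protected, added here and not part of the original post: an anonymous request must come back as 401 with a Negotiate challenge, and a request carrying the ticket from kinit must succeed. Assumptions: the URL passed in SSO_URL, the Apache user cacheusr from the config earlier on this page, and the RHEL-family group name wbpriv for winbindd's privileged pipe, which ntlm_auth in gss-spnego mode needs.

```shell
#!/bin/bash
# Added example, not from the original post. Verifies that the <Directory>
# block above really enforces SPNEGO: an anonymous request must be met with
# 401 + "WWW-Authenticate: Negotiate", and a request carrying a ticket from
# kinit must succeed. Assumptions: the URL in SSO_URL, the Apache user
# "cacheusr" from the page's config, and the privileged-pipe group "wbpriv".
set -u

# Return 0 when the HTTP header block on stdin is a 401 carrying a Negotiate challenge.
challenge_ok() {
    local line status="" negotiate=0
    while IFS= read -r line; do
        line="${line%$'\r'}"                       # strip CRLF line endings
        case "$line" in
            HTTP/*) status="${line#* }"; status="${status%% *}" ;;
            [Ww][Ww][Ww]-[Aa]uthenticate:*[Nn]egotiate*) negotiate=1 ;;
        esac
    done
    [ "$status" = 401 ] && [ "$negotiate" = 1 ]
}

# ntlm_auth in gss-spnego mode talks to winbindd's privileged pipe, so the
# web server's user must be allowed in (assumption: the group is called wbpriv).
helper_access_ok() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx wbpriv
}

live_check() {
    local url="$1" code
    helper_access_ok cacheusr || echo "warning: cacheusr is not in wbpriv; ntlm_auth will fail"
    wbinfo -t || echo "warning: winbind cannot verify the machine trust secret"
    if curl -sS -o /dev/null -D - "$url" | challenge_ok; then
        echo "anonymous request is challenged with Negotiate: ok"
    else
        echo "FAIL: no Negotiate challenge, the module is not protecting $url"
    fi
    # "--negotiate -u :" makes curl build the SPNEGO token from the kinit ticket
    code=$(curl -sS -o /dev/null -w '%{http_code}' --negotiate -u : "$url")
    echo "authenticated request returned HTTP $code"   # 200 expected; 401 points at the KDC/SPN side
}

# Live run only when a URL is supplied, e.g.
#   SSO_URL=https://my-test-server.my-domain.ru/csp/myapp/ ./check-sso.sh
if [ -n "${SSO_URL:-}" ]; then
    live_check "$SSO_URL"
fi
```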


White dance. Who will win?..



Leicht versprochen, leicht gebrochen.

I would like to answer a very natural and very timely (by the end of the article!) question: "What the hell are we doing all this for?" I'll answer that it's all for just one line in the HTTP server's response!..


A barrel of honey


We need the correct REMOTE_USER passed automatically by the web server (or HTTP_REMOTE_USER, it does not matter) so that:


  1. a user who has successfully logged in to Windows under his domain account,
  2. having passed all the checks in MSAD,
  3. then went via a web browser to an application developed on one of the InterSystems products,
  4. installed on a Linux server that is also joined to the domain,
  5. where the Apache web server with the necessary module is installed and configured,
  6. gets his domain account name (sAMAccountName) returned to us.

And we get it!


After that, from the server side we can easily request other details of this user (group membership, etc.) using, for example, LDAP access to AD.
There is a separate article about this mechanism; it has its own subtleties.
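The application side of that one line, added here and not part of the original post: a small shell function that turns whatever the module puts into REMOTE_USER (winbind-style DOMAIN\user or Kerberos-style user@REALM) into the bare sAMAccountName the chain above is after, and refuses to proceed when Apache did not authenticate the request. The sample values are constructed, and the allowed character set for account names is an assumption.

```shell
#!/bin/bash
# Added example, not from the original post. Normalises the value Apache hands
# the application in REMOTE_USER into a bare sAMAccountName. Only REMOTE_USER
# (set by the auth module) is consulted; HTTP_* variables mirror request
# headers that the client controls. Assumption: account names are limited to
# the character set accepted in sam_account_name; widen it to your convention.
set -u

# Print the sAMAccountName for a REMOTE_USER value; return 1 if it is unusable.
sam_account_name() {
    local v="$1"
    v="${v##*\\}"          # winbind form  MYDOMAIN\ivanov     -> ivanov
    v="${v%%@*}"           # Kerberos form ivanov@MY-DOMAIN.RU -> ivanov
    case "$v" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;   # empty or unexpected characters: refuse
    esac
    printf '%s\n' "$v"
}

# Print the NetBIOS domain or realm part, or "-" when the value carries none.
account_domain() {
    local v="$1"
    case "$v" in
        *\\*) printf '%s\n' "${v%%\\*}" ;;
        *@*)  printf '%s\n' "${v##*@}" ;;
        *)    printf '%s\n' "-" ;;
    esac
}

# Entry point for a CGI-style environment: refuse to proceed when the web server
# did not authenticate the request, regardless of any Remote-User header sent.
current_user() {
    if [ -z "${REMOTE_USER:-}" ]; then
        echo "no REMOTE_USER: request was not authenticated by Apache" >&2
        return 1
    fi
    sam_account_name "$REMOTE_USER"
}

# Constructed demonstration values (not taken from a real directory):
for u in 'MYDOMAIN\ivanov' 'ivanov@MY-DOMAIN.RU' 'ivanov' 'bad user' ''; do
    if name=$(sam_account_name "$u"); then
        printf '%-22s -> user=%s domain=%s\n' "[$u]" "$name" "$(account_domain "$u")"
    else
        printf '%-22s -> rejected\n' "[$u]"
    fi
done
```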


A couple of spoonfuls of tar



Single Sign-On. Pinout


I would be very grateful if you could suggest a better configuration in the comments; I even admit that a new AAA interaction mechanism may have appeared for the Linux + Apache + MSAD bundle that I do not know about.


Thank you!



Source: https://habr.com/ru/post/346672/
