
Seamless SSO


Tim Ritberg

Oct 2, 2016, 5:37:58 AM
Hi!

How do you develop S-SSO for a PHP page?
We are using Apache with PHP 5.5 and Internet Explorer in an MS AD
network.

We tried to use www-authenticate with NTLM but we can't check against
LDAP, because AD does not provide the user password hash.

Any ideas to solve this problem?

Tim

Peter H. Coffin

Oct 4, 2016, 1:55:12 PM
Are you maybe overthinking this? Shouldn't you just be passing the
submitted credentials along to the LDAP connection bind, and if it
works, you say "Hooray, you're logged in" and if it doesn't, you say
"Sorry, bad user/password combination"? That is, you don't do any hash
comparisons on your own, the LDAP service does it for you. Your only
responsibility is to pass off the submitted password as rapidly as
possible and forget about it.

--
46. If an advisor says to me "My liege, he is but one man. What can one
man possibly do?", I will reply "This." and kill the advisor.
--Peter Anspach's list of things to do as an Evil Overlord

Tim Ritberg

Oct 4, 2016, 2:12:05 PM
On 04.10.2016 at 19:44, Peter H. Coffin wrote:

>
> Are you maybe overthinking this? Shouldn't you just be passing the
> submitted credentials along to the LDAP connection bind, and if it
> works, you say "Hooray, you're logged in" and if it doesn't, you say
> "Sorry, bad user/password combination"? That is, you don't do any hash
> comparisons on your own, the LDAP service does it for you. Your only
> responsibility is to pass off the submitted password as rapidly as
> possible and forget about it.
>
The submitted password is a hash. LDAP does not support logging in with
hashes.

Tim

Arno Welzel

Oct 4, 2016, 2:19:49 PM
Tim Ritberg wrote on 2016-10-02 at 11:37:

> How do you develop S-SSO for a PHP page?
> We are using Apache with PHP 5.5 and Internet Explorer in an MS AD
> network.
>
> We tried to use www-authenticate with NTLM but we can't check against
> LDAP, because AD does not provide the user password hash.

When using NTLM, PHP does not do the authentication itself but
relies on the web server to do this for you. So there is no need to
authenticate against an LDAP server.

But if you indeed want to access an LDAP directory and need credentials
for this, you must not use NTLM but only a plain login form where you
get a username/password you can use.



--
Arno Welzel
https://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de
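The two paths the thread contrasts, as an added example that is not code from any poster here: the server-side SSO path, where PHP only reads the identity Apache already established (Arno's reply), and the form path, where PHP hands the submitted credentials to an LDAP bind and lets the domain controller verify them (Peter's reply). Assumed: a controller dc1.example.internal reachable over LDAPS and a NetBIOS domain EXAMPLE; written to run on the PHP 5.5 the thread mentions (it also runs on current PHP).

```php
<?php
// Added example, not code from any poster. Assumed names: the AD controller
// dc1.example.internal (reached over LDAPS) and the NetBIOS domain EXAMPLE.
define('AD_HOST',   'ldaps://dc1.example.internal'); // LDAPS: the form password does not cross the wire in clear
define('AD_DOMAIN', 'EXAMPLE');                      // used to build DOMAIN\user for the bind
// SSO path: Apache has already run the NTLM/Kerberos exchange and exports only
// the resulting identity. PHP sees no password and no hash; if the Apache module
// rejected the request, this script is never executed at all.
function userFromApache(array $server)
{
    if (empty($server['REMOTE_USER'])) {
        return null;                                     // server did not authenticate this request
    }
    // Kerberos modules may report user@REALM, NTLM modules DOMAIN\user; keep the bare account name.
    $user = preg_replace('/@.*$/', '', $server['REMOTE_USER']);
    $user = preg_replace('/^.*\\\\/', '', $user);
    return $user === '' ? null : $user;
}
// Form path: hand the submitted credentials to an LDAP bind and let the domain
// controller check the password. No hash comparison happens in PHP.
function userFromLdapBind($username, $password)
{
    // An empty password yields an "unauthenticated" bind that the server treats as
    // success (RFC 4513 section 5.1.2), so reject it before contacting the directory.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    $conn = ldap_connect(AD_HOST);
    if ($conn === false) { return null; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);       // AD hands out referrals; chasing them stalls binds
    $ok = @ldap_bind($conn, AD_DOMAIN . '\\' . $username, $password);
    ldap_unbind($conn);
    $password = null;                                    // forget the secret as soon as the bind is done
    return $ok ? $username : null;
}
$user = userFromApache($_SERVER);
if ($user === null && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $p = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    $user = userFromLdapBind($u, $p);
}
if ($user === null) {
    http_response_code(401);                             // render the login form here
    exit;
}
session_start();
session_regenerate_id(true);                             // fresh session id after a successful login
$_SESSION['user'] = $user;
```

Whether the form branch is ever reached depends on the Apache configuration: with an auth module enforcing authentication on this URL, unauthenticated requests are rejected before PHP runs, which is the point Jerry and Arno make later in the thread.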

Tim Ritberg

Oct 4, 2016, 2:55:21 PM
On 04.10.2016 at 20:19, Arno Welzel wrote:
> Tim Ritberg wrote on 2016-10-02 at 11:37:
>
>> How do you develop S-SSO for a PHP page?
>> We are using Apache with PHP 5.5 and Internet Explorer in an MS AD
>> network.
>>
>> We tried to use www-authenticate with NTLM but we can't check against
>> LDAP, because AD does not provide the user password hash.
>
> When using NTLM, PHP does not do the authentication itself but
> relies on the web server to do this for you. So there is no need to
> authenticate against an LDAP server.
This is not an option, because PHP should control the login process.
There has to be a fallback login option.

>
> But if you indeed want to access an LDAP directory and need credentials
> for this, you must not use NTLM but only a plain login form where you
> get a username/password you can use.
I know.

Tim

Jerry Stuckle

Oct 4, 2016, 8:47:16 PM
On 10/4/2016 2:55 PM, Tim Ritberg wrote:
> On 04.10.2016 at 20:19, Arno Welzel wrote:
>> Tim Ritberg wrote on 2016-10-02 at 11:37:
>>
>>> How do you develop S-SSO for a PHP page?
>>> We are using Apache with PHP 5.5 and Internet Explorer in an MS AD
>>> network.
>>>
>>> We tried to use www-authenticate with NTLM but we can't check against
>>> LDAP, because AD does not provide the user password hash.
>>
>> When using NTLM, PHP does not do the authentication itself but
>> relies on the web server to do this for you. So there is no need to
>> authenticate against an LDAP server.
> This is not an option, because PHP should control the login process.
> There has to be a fallback login option.
>

Then you are screwed. As Arno indicated, PHP does not get the plain text
password. You can use NTLM (in which case the web server handles the
login), or you can use PHP with a login form.

>>
>> But if you indeed want to access an LDAP directory and need credentials
>> for this, you must not use NTLM but only a plain login form where you
>> get a username/password you can use.
> I know.
>
> Tim
>

Sorry. One or the other.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstu...@attglobal.net
==================

Tim Ritberg

Oct 5, 2016, 3:52:30 AM
What about other ways for seamless SSO?
I read about Kerberos and SAML.

Tim

Jerry Stuckle

Oct 5, 2016, 12:53:18 PM
Then you need to read more to find out why they won't do what you need.

But you're asking the wrong question. Why do you think you need PHP to
do the authorization?

Tim Ritberg

Oct 5, 2016, 1:19:43 PM
On 05.10.2016 at 18:53, Jerry Stuckle wrote:
>>
>
> Then you need to read more to find out why they won't do what you need.
>
> But you're asking the wrong question. Why do you think you need PHP to
> do the authorization?
Because the website is written in PHP.

Tim


Jerry Stuckle

Oct 5, 2016, 2:36:01 PM
So? That fails to answer the question. Why do you think you need PHP
to do the authorization?

Tim Ritberg

Oct 5, 2016, 2:50:47 PM
On 05.10.2016 at 20:35, Jerry Stuckle wrote:
>
> So? That fails to answer the question. Why do you think you need PHP
> to do the authorization?
As I said:
"...because PHP should control the login process.
There has to be a fallback login option."

Tim


Jerry Stuckle

Oct 5, 2016, 4:31:58 PM
Again - why should PHP control the login process? SSO is normally
handled by the server - which is why you don't get a plain-text password
(security exposure).

Fallback would be a form, as Arno indicated.

Tim Ritberg

Oct 7, 2016, 3:51:00 AM
On 05.10.2016 at 22:31, Jerry Stuckle wrote:
> Again - why should PHP control the login process? SSO is normally
> handled by the server - which is why you don't get a plain-text password
> (security exposure).
>
> Fallback would be a form, as Arno indicated.
>

How do you design a fallback scenario with an Apache auth module?
Those modules give back a 403.

Tim

Jerry Stuckle

Oct 7, 2016, 10:48:31 AM
There is no fallback to a 403. Processing stops at that time.

You need to find someone who knows how to properly configure your
server. This isn't a PHP problem, and in any case would be more than
could be handled in a newsgroup.

Arno Welzel

Oct 7, 2016, 11:44:34 AM
There is no fallback, because Apache *must* authenticate the user
*before* it will pass the query to PHP.

If you don't want this, then you have to implement your own
authentication in PHP which *must* be used *always* then.

Arno Welzel

Oct 7, 2016, 11:48:01 AM
Then do it this way. If you need examples of how to authenticate against an
AD server, have a look at the DokuWiki authentication modules:

<https://www.dokuwiki.org/auth:ldap>
<https://www.dokuwiki.org/auth:ldap_ad>
<https://github.com/splitbrain/dokuwiki/tree/master/lib/plugins/authad>

Tim Ritberg

Oct 7, 2016, 12:05:04 PM
On 07.10.2016 at 17:44, Arno Welzel wrote:
>
> There is no fallback, because Apache *must* authenticate the user
> *before* it will pass the query to PHP.
>
> If you don't want this, then you have to implement your own
> authentication in PHP which *must* be used *always* then.
As I said before.

Tim Ritberg

Oct 7, 2016, 12:07:07 PM
On 07.10.2016 at 17:47, Arno Welzel wrote:
>
> Then do it this way. If you need examples of how to authenticate against an
> AD server, have a look at the DokuWiki authentication modules:
>
> <https://www.dokuwiki.org/auth:ldap>
> <https://www.dokuwiki.org/auth:ldap_ad>
> <https://github.com/splitbrain/dokuwiki/tree/master/lib/plugins/authad>
This is not seamless.


Tim

Jerry Stuckle

Oct 7, 2016, 5:12:17 PM
Which means you need to use a sign-in form. But it will not be a
"fall-back". It will be your means of authentication.

Jerry Stuckle

Oct 7, 2016, 5:13:14 PM
Like it or not, that's your choice. You can take it or you can leave it.

Tim Ritberg

Oct 7, 2016, 6:50:45 PM
On 07.10.2016 at 23:13, Jerry Stuckle wrote:
> On 10/7/2016 12:07 PM, Tim Ritberg wrote:
>> On 07.10.2016 at 17:47, Arno Welzel wrote:
>>>
>>> Then do it this way. If you need examples of how to authenticate against an
>>> AD server, have a look at the DokuWiki authentication modules:
>>>
>>> <https://www.dokuwiki.org/auth:ldap>
>>> <https://www.dokuwiki.org/auth:ldap_ad>
>>> <https://github.com/splitbrain/dokuwiki/tree/master/lib/plugins/authad>
>> This is not seamless.
>>
>>
>> Tim
>>
>
> Like it or not, that's your choice. You can take it or you can leave it.
>

What about other ways? I heard of SAML.

Tim

Jerry Stuckle

Oct 7, 2016, 7:43:04 PM
You can "hear of" anything you want. The bottom line is - you can do
authentication through the server, or through the application. SSO
authentication requires server authentication. Application (PHP)
authentication requires a form.

To be blunt: get an education in how authentication operates. From your
questions, you are a definite danger to your client or employer.

Arno Welzel

Oct 8, 2016, 6:31:46 AM
Define "seamless" - without the need to enter username/password
again? Then use NTLM.

And no, there is no fallback. Live with it.

Arno Welzel

Oct 8, 2016, 6:33:49 AM
You can just try it: <https://simplesamlphp.org/>

But I'm not sure if this will solve your SSO problem.

Tim Ritberg

Oct 8, 2016, 7:19:12 AM
On 08.10.2016 at 12:31, Arno Welzel wrote:
>
> Define "seamless" - without the need to enter username/password
> again? Then use NTLM.
That's right. I tried NTLM, but I can't use that with AD.

>
> And no, there is no fallback. Live with it.
You can code NTLM with PHP. This is working but not compatible with AD
as user database.

Tim

Tim Ritberg

Oct 24, 2016, 6:34:02 AM
On 07.10.2016 at 23:12, Jerry Stuckle wrote:

> Which means you need to use a sign-in form. But it will not be a
> "fall-back". It will be your means of authentication.
>

I got it to work...

Jerry Stuckle

Oct 24, 2016, 8:22:32 AM
Let me guess. You got your Apache configuration set up properly.

Tim Ritberg

Oct 24, 2016, 9:51:27 AM
On 24.10.2016 at 14:22, Jerry Stuckle wrote:
> On 10/24/2016 6:33 AM, Tim Ritberg wrote:
>> On 07.10.2016 at 23:12, Jerry Stuckle wrote:
>>
>>> Which means you need to use a sign-in form. But it will not be a
>>> "fall-back". It will be your means of authentication.
>>>
>>
>> I got it to work...
>>
>
> Let me guess. You got your Apache configuration set up properly.
>

No.

Jerry Stuckle

Oct 24, 2016, 10:55:15 AM
So how did you do it? I know you didn't do it in PHP, because if Apache
rejects the request due to a failed authorization, the PHP code never
gets control. To allow that to happen would be a huge security violation.