mirror of
https://github.com/EGroupware/egroupware.git
synced 2025-02-23 05:41:02 +01:00
added info about firefox with NTLM and update EGroupware configuration
parent
4a44ea778d
commit
d50040e99c
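--- a/phpgwapi/ntlm/README
+++ b/phpgwapi/ntlm/README
@@ -0,0 +1,41 @@
+Steps to set up NTLM Single Sign On for eGroupWare 1.6+
+=======================================================
+(Version: $Id$)
+
+NTLM SSO removes Windows users on a PC, which is a member of a Windows domain
+and who are logged into that domain, from the need to explicitly log into eGW.
+They simply point IE to the eGW URL (eg. http://domain.com/egroupware/) and
+start working. They can of cause explicitly log out and log in as an other user.
+
+Firefox (at least 3.6) requires to manually enable NTLM Auth via about:config:
+search for ntlm and set "network.automatic-ntlm-auth.trusted-uris" to the domain
+your EGroupware install is using. Otherwise you will only get a popup to enter
+username (with prepended windows domain eg. DOMAIN\username) and password.
+
+Here's in short what you need:
+-----------------------------
+1. eGW 1.6 running on Apache
+2. a fully working and configured winbind configuration (not described here)
+3. mod_ntlm_winbind (eg. for openSUSE from their package apache2-mod_auth_ntml_winbind)
+4. an Apache configuration with the egroupware.conf in this directory (expecting eGW
+to be installed in it's default location /usr/share/egroupware) or port the necessary
+settings to your Apache configuration.
+--> You NEED to change the domain from "TEST" to your used domain name!
+5. Make the following changes in eGW's setup >> configuraition:
+- HTTP auth types (comma-separated) to use without login-page, eg. "NTLM": NTLM
+- Select which type of authentication you are using: ADS
+This is not needed for NTLM authentication, but allows the users to use their windows
+user and password to log into eGW, if they log in using an other browser or location.
+- Host/IP Domain controler: ... <-- NEED to be filled out
+- Domain name: ... <-- NEED to be filled out, same domain name as above
+6. If you use EMail, you have to explicitly specify user/pw to use for contacting the IMAP
+(and SMTP) server, it's no longer available to eGW!
+
+Please note the DC has to be started before you start winbind!
+
+The eGW code should work with every Apache authentication, which sets REMOTE_USER and AUTH_TYPE.
+With slight modifications (different var names) it should work eg. with SSL client certificates.
+
+This feature was sponsored by Sponsored by Carl Knauber Holding GmbH und Co. KG.
+
+Ralf Becker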
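--- a/phpgwapi/ntlm/egroupware.conf
+++ b/phpgwapi/ntlm/egroupware.conf
@@ -0,0 +1,71 @@
+#
+# Apache and PHP configuration for EGroupware using NTLM authentication
+#
+# This version of EGroupware configuration might not be as up to date as
+# the one in /usr/share/doc/rpm-build/apache.conf!
+#
+# Version: $Id$
+#
+
+Alias /egroupware /usr/share/egroupware
+
+<Directory /usr/share/egroupware/phpgwapi/ntlm/>
+AuthName "NTLM eGroupWare Authentication"
+NTLMAuth on
+NegotiateAuth off
+NTLMBasicRealm TEST
+NTLMBasicAuth on
+NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
+PlaintextAuthHelper "/usr/bin/ntlm_auth --domain=TEST.LOCAL --helper-protocol=squid-2.5-basic"
+NTLMBasicAuthoritative on
+AuthType NTLM
+require valid-user
+</Directory>
+
+<Directory /usr/share/egroupware/>
+Options FollowSymLinks ExecCGI
+AllowOverride None
+Order allow,deny
+Allow from all
+DirectoryIndex index.html index.php
+AddHandler cgi-script .cgi
+AddDefaultCharset Off
+php_flag file_uploads on
+php_flag log_errors on
+php_flag magic_quotes_gpc off
+php_flag magic_quotes_runtime off
+php_flag register_globals off
+php_flag short_open_tag on
+php_flag track_vars on
+php_flag display_errors off
+# E_ALL & ~E_NOTICE & ~E_STRICT = 8191 - 8 - 2048 = 6135
+php_value error_reporting 6135
+php_value max_execution_time 90
+php_admin_value mbstring.func_overload 7
+php_value memory_limit 64M
+php_value session.gc_maxlifetime 14400
+php_value include_path .:/usr/share/pear
+php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp:/usr/share/pear:/usr/bin/zip:/usr/share/jpgraph:/usr/bin/tnef:/usr/bin/aspell
+php_value upload_max_filesize 64M
+php_admin_value upload_tmp_dir /tmp
+php_value post_max_size 65M
+<Files ~ "\.inc\.php$">
+Order allow,deny
+Deny from all
+</Files>
+</Directory>
+
+<Directory /usr/share/egroupware/phpsysinfo/>
+php_admin_value open_basedir /
+</Directory>
+
+<Directory /usr/share/egroupware/gallery/>
+php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp:/usr/share/pear:/usr/bin:/bin
+</Directory>
+
+<Location /egroupware/rpc.php>
+php_admin_value mbstring.func_overload 0
+Order allow,deny
+Allow from all
+</Location>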
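Review bot: The `<Directory /usr/share/egroupware/phpgwapi/ntlm/>` block sets `NTLMBasicAuth on` together with a `PlaintextAuthHelper`, so a browser that does not negotiate NTLM presumably falls back to Basic and sends the Windows domain password merely base64-encoded; nothing in this file restricts that directory to TLS, and the README's example URL is plain http. I would either set `NTLMBasicAuth off` or, if mod_ssl is loaded, add `SSLRequireSSL` inside that block, with a comment such as `# Basic fallback sends the domain password unencrypted; serve this directory over HTTPS only`. The placeholder domain appears twice, as `NTLMBasicRealm TEST` and `--domain=TEST.LOCAL`, while the README only mentions changing "TEST", so a comment marking both values as site-specific would prevent a half-edited config. Separately, `php_admin_value open_basedir /` in the phpsysinfo block effectively lifts the open_basedir restriction for that directory and deserves a why-comment, or a narrower path list if phpsysinfo can work with one.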