SSO authentication using Active Directory based on Apache HTTPD mod_auth_sspi
Joerg, Oct 28 2011 (edited Nov 14 2011)
Hello All,
I'd like to elaborate jointly an alternative for Single Sign On authentication in APEX in a Windows environment on the basis of only free software. I've done some of the steps and for a few I still have no working solution. [I have to mention that we are using Oracle IAS (10g) as middleware (also used as SSO server) right now; but unfortunately it's outdated, there's no support and we have to make savings, so we need an alternative solution.]
What the key components are:
============================
A) What the architecture should look like:
------------------------------------------
- One NTLM- or SSPI-based solution for authenticating the user in our Windows environment: Apache HTTPD with "mod_auth_sspi" on a Windows Server.
- APEX installed as: APEX Listener 1.1 on GlassFish 3.1.1 on the same Windows machine.
B) Part 1: the working solution (for me):
-----------------------------------------
- GlassFish installed and working
- APEX and Listener installed and working
- The Apache HTTPD installation is working with "mod_auth_sspi". If a user browses to the Apache URL he gets authenticated.
C) Part 2: Not working parts (for me):
----------------------------------------
- Authentication Scheme in APEX
- LDAP query to Active Directory (I think I can handle this but I have not started yet.)
Here is the more detailed description. A PETITION: "Please contribute to build a solution jointly"
###############################################################################################################
*01) Installation and Configuration of APEX on the Database Server*
==========================================================
Database Server=Oracle 10.2.0.4 under AIX
Version=Application Express 4.1.0.00.32
Setup as described in "http://download.oracle.com/docs/cd/E23903_01/doc/doc.41/e21673/toc.htm"
and choosing scenario 1 / Application Express Listener "http://download.oracle.com/docs/cd/E23903_01/doc/doc.41/e21673/overview.htm#autoId11"
*02) Installation and Configuration of GlassFish Server*
==========================================================
OS=Windows 2008 R2 64 bit.
Version=3.1.1
Setup as described in "http://download.oracle.com/docs/cd/E18930_01/html/821-2427/index.html"
and choosing the custom installation "http://download.oracle.com/docs/cd/E18930_01/html/821-2427/ghmos.html#gkrhf" (Create a server domain)
*03) Installation and Configuration of APEX Listener*
==========================================================
Version=1.1.3
Setup as described in "http://www.oracle.com/technetwork/developer-tools/apex-listener/documentation/index.html"
and choosing deployment on GlassFish Server with TNS Connection (through Oracle client).
*04) Installation and Configuration of Apache HTTPD*
==========================================================
OS=Windows 2008 R2 64 bit.
Version=2.2.21
File=httpd-2.2.21-win32-x86-no_ssl.msi
Setup performed with the msi file.
*05) Installation and Configuration of Apache mod_auth_sspi*
==========================================================
Source of Module mod_auth_sspi="http://mod-auth-sspi.sourceforge.net/docu/mod_auth_sspi/"
Configuration in Apache "httpd.conf"=
###
# Original source by: Tim Costello <tjcostel@users.sourceforge.net>
# Original Home: http://mod-auth-sspi.sf.net/
# Binary compiled by: Guenter Knauf <gknauf@users.sourceforge.net>
# Home: http://www.gknw.at/development/apache/
#
# Add to your httpd.conf
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
#
# Configuration for mod_auth_sspi
<IfModule mod_auth_sspi.c>
<Location />
AuthName "A Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
# SSPIBasicPreferred
# SSPIUsernameCase lower
require valid-user
</Location>
</IfModule>
# End of mod_auth_sspi.
### end
*06) Installation and Configuration of PHP 5.3.8*
==========================================================
In connection with Apache HTTPD.
Source=php-5.3.8-Win32-VC9-x86.zip
Version=5.3.8
Configuration in Apache "httpd.conf"=
### LoadModule start
LoadModule php5_module "D:/APEX/Apache/PHP538/php5apache2_2.dll"
AddType application/x-httpd-php .php
PHPIniDir "D:/APEX/Apache/PHP538/php"
### end
Configuration in php.ini=
### start
Production Value: On
extension_dir = "D:/APEX/Apache/PHP538/ext"
### end
*07) A PHP file for testing the HTTP header variable "REMOTE_USER"*
=============================================================
Example content for the PHP file:
---
<?php
echo "<hr>You have logged in as <b>" . $_SERVER['REMOTE_USER'] . "</b><hr>";
?>
==> prints out the username in the following way
domain.com\username
---
*08) Setting up the authentication scheme (AS)*
==========================================================
Please help here!!! If the AS is "HTTP Header Variable" then I can think of the following way:
8.1) Using the #CALLBACK# in the Settings section of the AS:
---
HTTP-HeaderVarName=X_REMOTE_USER
Action if Empty=Redirect to URL
URL=http://server/sso-callback.php?success=#CALLBACK#
Verify=Each Request
---
8.2) The content of the PHP file "sso-callback.php":
Question: Which URL should be called? How shall I push the username back to APEX?
---
<?php
$suc = $_GET['success'];
// get the REMOTE_USER set by mod_auth_sspi
$remus = $_SERVER['REMOTE_USER'];
// strip the domain off REMOTE_USER ("domain.com\username" -> "USERNAME")
$remus = strtoupper(substr($remus, strpos($remus, "\\") + 1));
// session id: everything after the "=" in the callback parameter
$ses = substr($suc, strpos($suc, "=") + 1);
// base URL: everything before the "?"
$url = substr($suc, 0, strpos($suc, "?"));
// send the browser back to APEX with the username as a parameter
$backurl = $url . "?p_authentication=" . urlencode($remus);
header("Location: " . $backurl);
exit;
?>
---
8.3)
I got a GlassFish HTTP 500 error and the GlassFish server error log says:
...
[#|2011-10-27T14:47:06.096+0200|SEVERE|oracle-glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=26;_ThreadName=http-thread-pool-8080(4);|_init_: # headers=44
declare nm owa.vc_arr := ?;
vl owa.vc_arr := ?;
begin
owa.init_cgi_env( ?, nm, vl );
htp.init; htp.HTBUF_LEN := 63;
? := sys_context('USERENV','SID');
end;
SID:506
CALL:
begin
apex_authentication.callback(p_ajax_identifier=>?,
p_session_id=>?);
commit;
end;
BINDS
p_ajax_identifier:E972C1F32DFF3310EBF922E21D36DF6BE326346424D8FBE693CF71751D4E98EF
p_session_id:1945586496749947
p_ajax_identifier:E972C1F32DFF3310EBF922E21D36DF6BE326346424D8FBE693CF71751D4E98EF
p_session_id:1945586496749947
EXEC FAILED:ORA-06550: line 2, column 2:
PLS-00306: wrong number or types of arguments in call to 'CALLBACK'
ORA-06550: line 2, column 2:
PL/SQL: Statement ignored
|#]
...
---
Some more questions:
------------------------
What's the role of the sentry function (for example shown in " https://forums.oracle.com/forums/thread.jspa?threadID=2283805 ") and how is it used? (I don't know where to put it.)
I saw this " http://jastraub.blogspot.com/2008/03/ntlm-http-authentication-and.html " contribution and also this one " https://forums.oracle.com/forums/thread.jspa?threadID=2277259 " but don't know how to put them together and how to adjust them.
*09) Creating an authorization scheme*
==========================================================
In PL/SQL using a DBMS_LDAP query.
######################################################################################
Best regards,
Joerg
Edited by: user961152 on 28.10.2011 11:00
Edited by: user961152 on 28.10.2011 11:01
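An added example, not from the original post or from the mod_auth_sspi project, of how Apache 2.2 can do the authentication from step 05 and pass the verified REMOTE_USER to the APEX Listener as the header the authentication scheme in 8.1 expects, without the PHP redirect in 8.2: Apache acts as a reverse proxy in front of GlassFish. Assumed here: GlassFish on localhost:8080 with the listener under /apex, the header name X_REMOTE_USER from the post, and the standard module file names; the commented-out "weak" variant shows why that header must only ever be set by the proxy.

```apache
# Added example (not the original post's config). Apache 2.2 reverse proxy in front
# of the APEX Listener on GlassFish (assumed http://localhost:8080/apex). mod_auth_sspi
# authenticates the browser; Apache then sends the verified REMOTE_USER to APEX in the
# request header X_REMOTE_USER (name taken from the post's AS settings).
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule sspi_auth_module  modules/mod_auth_sspi.so

# Reverse proxy only; never run an open forward proxy.
ProxyRequests Off
# Keep the browser's Host header so APEX builds links with the public host name.
ProxyPreserveHost On

# WEAK (do not use): forwarding without stripping the client's own copy of the header.
# APEX only sees the header value, not who set it, so a browser that sends
# "X_REMOTE_USER: someone" itself would be accepted as that user if the proxy
# ever passes it through unchanged (e.g. on a path that is not SSPI protected).
#   ProxyPass /apex http://localhost:8080/apex
#   RequestHeader set X_REMOTE_USER "%{REMOTE_USER}e"

<Location /apex>
    # 1) Drop any client-supplied identity header before anything else runs.
    RequestHeader unset X_REMOTE_USER

    # 2) Authenticate against the domain with SSPI (same directives as in step 05).
    #    SSPIOfferBasic is Off here: a Basic fallback over plain HTTP would send
    #    domain passwords in the clear.
    AuthName "APEX"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic Off
    Require valid-user

    # 3) REMOTE_USER is only known after authentication, so use mod_rewrite's
    #    look-ahead (LA-U) to copy it into an env variable mod_headers can read.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader set X_REMOTE_USER "%{RU}e"

    # 4) Hand the request to the APEX Listener on GlassFish.
    ProxyPass        http://localhost:8080/apex
    ProxyPassReverse http://localhost:8080/apex
</Location>
```

The forwarded value still has the "domain.com\username" form shown in step 07; strip the domain prefix in the APEX authentication scheme (or in application code) rather than in the URL, and make sure GlassFish port 8080 is reachable only from the Apache host, since a direct request to the listener would bypass the proxy and could carry any header.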