Steps to set up NTLM Single Sign On for eGroupWare 1.6
NTLM SSO lets Windows users who are logged into a Windows domain on a
domain-member PC use eGW without having to explicitly log into it.
They simply point IE to the eGW URL (e.g. http://domain.com/egroupware/)
and start working. They can of course explicitly log out and log in as
another user.
As far as I tested, Firefox 3 only allows entering user (including
domain(!), e.g. DOMAIN\user) and password in a popup, which then gets
checked from apache via winbind.
It does NOT automatically log you in if you're logged into the domain
on your PC!
Here's in short what you need:
- eGW 1.6 running on Apache
- a fully working and configured winbind configuration (not described here)
- mod_ntlm_winbind (e.g. for openSUSE from their package
  apache2-mod_auth_ntlm_winbind)
- an Apache configuration with the egroupware.conf in this directory
  (expecting eGW to be installed in its default location
  /usr/share/egroupware), or port the necessary settings to your Apache
  configuration.
  --> You NEED to change the domain from "TEST" to the domain name you use!
- Make the following changes in eGW's setup >> configuration:
  - HTTP auth types (comma-separated) to use without login-page, e.g.
    "NTLM": NTLM
  - Select which type of authentication you are using: ADS
    This is not needed for NTLM authentication, but allows the users to
    use their Windows user and password to log into eGW if they log in
    using another browser or location.
  - Host/IP Domain controller: … <-- NEEDS to be filled out
  - Domain name: … <-- NEEDS to be filled, same domain name as above
- If you use EMail, you have to explicitly specify user/pw to use for
  contacting the IMAP (and SMTP) server, it's no longer available to
  eGW!
Please note the DC has to be started before you start winbind!
The eGW code should work with every Apache authentication which sets
REMOTE_USER and AUTH_TYPE.
With slight modifications (different variable names) it should work e.g.
with SSL client certificates.
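The following is an added example, not eGroupWare's own code: it shows the decision an application behind Apache NTLM/winbind authentication has to make before it treats a request as already logged in, using exactly the two server variables named above (REMOTE_USER and AUTH_TYPE) and the two setup values from the list above ("HTTP auth types ... without login-page" and "Domain name"). The function names, the lower-casing of the account name, and the sample requests are assumptions made for this example.

```python
# Added example, not eGroupWare's own code. Reconstructs the SSO acceptance
# check described in the mail: trust REMOTE_USER only when AUTH_TYPE is one of
# the configured "HTTP auth types to use without login-page" and the account
# belongs to the configured domain. Names and sample data are assumptions.

# The two setup values from the mail (constructed values for this example).
HTTP_AUTH_TYPES = "NTLM"   # "HTTP auth types (comma-separated) to use without login-page"
NTLM_DOMAIN = "TEST"       # "Domain name", the same as in egroupware.conf


def allowed_auth_types(setting: str) -> set:
    """Parse the comma-separated setup value into a set of upper-cased names."""
    return {t.strip().upper() for t in setting.split(",") if t.strip()}


def split_remote_user(remote_user: str):
    """Split 'DOMAIN\\user' (what NTLM/winbind delivers) into (domain, user).

    A bare 'user' (no backslash) yields (None, 'user')."""
    if "\\" in remote_user:
        domain, _, user = remote_user.partition("\\")
        return domain, user
    return None, remote_user


def sso_account(env: dict, auth_types: str = HTTP_AUTH_TYPES, domain: str = NTLM_DOMAIN):
    """Return the account name to log in without the login page, or None.

    `env` is the server environment (os.environ / $_SERVER). Only variables set
    by Apache's own auth module are consulted; a client-supplied header such as
    HTTP_REMOTE_USER is deliberately never read."""
    auth_type = env.get("AUTH_TYPE", "")
    remote_user = env.get("REMOTE_USER", "")
    if not remote_user:
        return None                      # Apache did not authenticate anybody
    if auth_type.upper() not in allowed_auth_types(auth_types):
        return None                      # e.g. Basic: show the normal login page
    user_domain, user = split_remote_user(remote_user)
    if user_domain is not None and user_domain.upper() != domain.upper():
        return None                      # account from a domain we do not trust
    return user.lower()                  # assumption: eGW accounts are lower-case


# Constructed sample requests (the environment Apache would pass to eGW).
SAMPLE_REQUESTS = {
    "ie_sso":        {"AUTH_TYPE": "NTLM", "REMOTE_USER": "TEST\\alice"},
    "firefox_popup": {"AUTH_TYPE": "NTLM", "REMOTE_USER": "TEST\\bob"},
    "other_domain":  {"AUTH_TYPE": "NTLM", "REMOTE_USER": "OTHER\\alice"},
    "basic_auth":    {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice"},
    "anonymous":     {},
}

if __name__ == "__main__":
    for name, env in SAMPLE_REQUESTS.items():
        print(f"{name:14s} -> {sso_account(env)!r}")
```

The same check carries over to the SSL client certificate case mentioned above by reading the certificate variables Apache sets instead of REMOTE_USER; the important property is unchanged: the application never trusts a value the client can supply itself, only what the web server's own auth module placed in the environment.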
There's another feature: different authentication for SyncML and/or
GroupDAV.
You can now use e.g. an external auth provider for the login via the
WebGUI (e.g. ADS) and the passwords stored in SQL for SyncML.
These features were sponsored by Carl Knauber Holding GmbH und Co. KG.
Ralf Becker
eGroupWare Training & Support ==> http://www.egroupware-support.de
Outdoor Unlimited Training GmbH [www.outdoor-training.de]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 (0)631 31657-0
eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers