OCS Inventory NG LDAP + SSO


OCS Inventory NG version : 2.12.1

Active Directory 2012

Hello,

I have installed OCS Inventory NG server, and tried to set up LDAP with SSO on it, but it doesn't work.

On my OCS server I set up LDAP and everything works fine. Then I got my Apache2 server able to authenticate users with mod_auth_gssapi (AD backend). Then I set this option in /usr/share/ocsinventory-reports/ocsreports/var.php:

define('AUTH_TYPE', 4);

And then I restart my Apache2 webserver. I expected that my users can login to the server using SSO.

But I get blank page instead of it.

Blank page

Does anyone know how to solve this problem and is it possible to configure LDAP+SSO in OCS Inventory NG?

Timur

This is a short set of instructions on how to set up OCS Inventory NG LDAP SSO.

We have:

Ubuntu 22.04 for OCS Inventory NG

Active Directory 2012

Domain Name: example.com

Steps:

1. Set up OCS Inventory Server.

2. Set up LDAP Configuration.

3. Install Kerberos client and Apache2 mod_auth_gssapi.

apt-get install krb5-user libapache2-mod-auth-gssapi

4. Create user "ocs_sso" for OCS Inventory NG SSO in Active Directory.

5. Create keytab file.

ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out D:\krb5.keytab

6. Copy the keytab file to the OCS Inventory NG server, for example to /etc/krb5.keytab.

7. Edit krb5.conf file:

[libdefaults]
        default_realm = EXAMPLE.COM
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        default_tgs_enctypes = AES256-SHA1
        default_tkt_enctypes = AES256-SHA1
        preferred_enctypes = AES256-SHA1
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                        }
                plain = {
                        something = something-else
                        }
                }
        fcc-mit-ticketflags = true
[realms]
        EXAMPLE.COM = {
        kdc = example.com
        admin_server = example.com
        default_domain = EXAMPLE.COM
        }
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
[login]
        krb4_convert = true
        krb4_get_tickets = false

8. Check if you can authenticate from your OCS Inventory NG server to Active Directory with your keytab file:

kinit -V -k -t /etc/krb5.keytab HTTP/[email protected]

The output should be something like this:

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/[email protected]
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

9. Edit your Apache2 000-default.conf file.

Add into <VirtualHost *:80> section:

    <Directory /usr/share/ocsinventory-reports/ocsreports>
      AuthName "OCS Inventory NG"
      AuthType GSSAPI
      #GssapiAllowedMech krb5
      #GssapiBasicAuth On
      GssapiLocalName On
      GssapiCredStore keytab:/etc/krb5.keytab
      require valid-user
    </Directory>

10. Restart Apache2 service:

service apache2 restart

11. If you get a blank page after logging in to the OCS Inventory NG server, you can try this solution:

https://github.com/OCSInventory-NG/OCSInventory-ocsreports/issues/1570
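As an added example (not part of Timur's answer or of the OCS Inventory NG project), the following POSIX shell script packages the checks a defender would want to run before enabling AUTH_TYPE 4 on the setup described in steps 5 to 10: the keytab must not be readable by every local user, the Apache `<Directory>` block must actually carry the GSSAPI directives (uncommented), `GssapiBasicAuth On` must not be enabled in a plain `*:80` virtual host (the Basic fallback would send AD passwords over unencrypted HTTP), and the step-8 `kinit` test is run against a throwaway credential cache. The keytab path and the site file path follow the answer; the service principal `HTTP/ocs.example.com@EXAMPLE.COM` is an assumed placeholder for the obfuscated principal shown above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the OCS Inventory NG GSSAPI SSO setup.
# Assumed paths (from the answer): keytab /etc/krb5.keytab,
# site file /etc/apache2/sites-available/000-default.conf.
# Assumed placeholder principal: HTTP/ocs.example.com@EXAMPLE.COM

# check_keytab_perms FILE
# Fails if the keytab is missing or readable by "other". The Apache worker
# (www-data) needs read access, so chgrp www-data + chmod 640 is the usual fix.
check_keytab_perms() {
  kt="$1"
  [ -f "$kt" ] || { echo "keytab missing: $kt"; return 1; }
  # columns 8-10 of ls -l are the "other" rwx bits
  other=$(ls -ld "$kt" | cut -c8-10)
  if [ "$other" != "---" ]; then
    echo "keytab $kt is readable by everyone (other=$other); use: chgrp www-data $kt && chmod 640 $kt"
    return 1
  fi
  return 0
}

# check_apache_sso_conf FILE
# Verifies the directives from step 9 are present and not commented out, and
# rejects GssapiBasicAuth On inside a *:80 vhost (cleartext password fallback).
check_apache_sso_conf() {
  conf="$1"
  [ -f "$conf" ] || { echo "config missing: $conf"; return 1; }
  for directive in 'AuthType[[:space:]]+GSSAPI' \
                   'GssapiCredStore[[:space:]]+keytab:' \
                   '[Rr]equire[[:space:]]+valid-user'; do
    grep -Eq "^[[:space:]]*$directive" "$conf" \
      || { echo "missing or commented-out directive: $directive"; return 1; }
  done
  if grep -Eq '^[[:space:]]*GssapiBasicAuth[[:space:]]+On' "$conf" \
     && grep -Eq '<VirtualHost[^>]*:80>' "$conf"; then
    echo "GssapiBasicAuth On in a *:80 vhost: Basic fallback would send AD passwords unencrypted"
    return 1
  fi
  return 0
}

# check_kinit KEYTAB PRINCIPAL
# The step-8 test, run into a temporary credential cache so root's cache
# (/tmp/krb5cc_0) is left untouched. Requires krb5-user to be installed.
check_kinit() {
  command -v kinit >/dev/null 2>&1 \
    || { echo "kinit not found (apt-get install krb5-user)"; return 1; }
  cc=$(mktemp)
  KRB5CCNAME="FILE:$cc" kinit -V -k -t "$1" "$2"
  rc=$?
  rm -f "$cc"
  return $rc
}

# Usage (placeholder principal, see lead-in):
#   sh sso_preflight.sh /etc/krb5.keytab HTTP/ocs.example.com@EXAMPLE.COM \
#      /etc/apache2/sites-available/000-default.conf
if [ $# -eq 3 ]; then
  check_keytab_perms "$1" && check_apache_sso_conf "$3" && check_kinit "$1" "$2" \
    && echo "SSO preflight OK"
fi
```

Run it as root before switching var.php to AUTH_TYPE 4; each check prints the reason it failed, so a blank page caused by an unreadable keytab or a commented-out directive is caught before users hit the login page.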