Implementing Single Sign On on Linux with Apache

From OtterHub - OTRS Community Wiki

Enabling Single Sign On for Customers is pretty easy with Ubuntu, and it should be just as easy on other distributions with other package managers. This manual should also help you set up Agent SSO; only some modifications in the OTRS Configuration section are needed.

Installing Modules

A simple command does the trick for Debian-based systems:

apt-get install libapache2-authenntlm-perl

On some systems you may have to enable the module; on Ubuntu you can continue directly with the Apache location configuration.

Apache Configuration

Just add these lines to /etc/apache2/conf.d/otrs.conf (or wherever your config is):

<Location /otrs>
  PerlAuthenHandler Apache2::AuthenNTLM
  AuthType ntlm,basic
  AuthName Basic
  require valid-user
  PerlAddVar ntdomain "DOMAIN dc bdc"
  PerlSetVar defaultdomain DOMAIN
  PerlSetVar splitdomainprefix 1
</Location>

DOMAIN has to be your NetBIOS domain name in capitals. "dc" and "bdc" have to be your domain controllers; if you only have one, just omit the bdc entry. The defaultdomain option lets users enter only username and password on systems that do not support NTLM authentication; otherwise they would have to enter DOMAIN\username and password into the Basic Auth input fields.

OTRS Configuration

Add these lines to the end of your OTRS config:

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{CustomerPanelLoginURL} = 'http://otrs-server/otrs/no_sso_login_possible.html';
$Self->{CustomerPanelLogoutURL} = 'http://otrs-server/otrs/logout.html';

Of course these links won't work until you have generated these HTML files.

Troubleshooting

  • When you get
    [error] Connect to SMB Server failed (pdc = dc.domain.com bdc = bdc.domain.com domain = domain error = -11/0) for /otrs/customer.pl
    set the dc and bdc settings in non-FQDN form (short host names). Otherwise check your resolv.conf.

  • When you are asked for your credentials even in IE, make sure that either the site is entered manually in the list of intranet sites, or, if you use a proxy server for internet access, that the OTRS server is not accessed through it.
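As an added example (not part of this wiki page, and not code from OTRS or Apache2::AuthenNTLM), the following Python script lints the <Location> block from the Apache Configuration section, including the FQDN domain-controller mistake behind the "Connect to SMB Server failed" entry above, and shows which REMOTE_USER the Kernel::System::CustomerAuth::HTTPBasicAuth module ends up with for a given login. It assumes, per my reading of the Apache2::AuthenNTLM options, that defaultdomain fills in a missing DOMAIN\ prefix and that splitdomainprefix 1 strips the prefix before REMOTE_USER is set. The embedded sample configuration is constructed: it is the snippet from this page with one deliberately wrong FQDN controller so the check has something to report.

```python
"""Lint an Apache2::AuthenNTLM <Location> block and simulate the REMOTE_USER
that OTRS's Kernel::System::CustomerAuth::HTTPBasicAuth would receive.

Added example, not code from the wiki page, OTRS or Apache2::AuthenNTLM.
Assumed module semantics: defaultdomain supplies a missing DOMAIN\\ prefix,
splitdomainprefix 1 strips the prefix again before REMOTE_USER is set."""
import re
import sys

# Constructed sample: the snippet from the page, with one deliberate mistake
# (a FQDN domain controller) so the lint has something to report.
SAMPLE_CONF = """\
<Location /otrs>
  PerlAuthenHandler Apache2::AuthenNTLM
  AuthType ntlm,basic
  AuthName Basic
  require valid-user
  PerlAddVar ntdomain "DOMAIN dc.domain.com bdc"
  PerlSetVar defaultdomain DOMAIN
  PerlSetVar splitdomainprefix 1
</Location>
"""


def parse_authen_ntlm(conf_text):
    """Collect the AuthenNTLM-relevant directives from an Apache config text."""
    settings = {"ntdomain": [], "authtype": None, "require": None,
                "defaultdomain": None, "splitdomainprefix": "0"}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'PerlAddVar\s+ntdomain\s+"?([^"]+)"?$', line, re.I)
        if m:  # "DOMAIN pdc [bdc]" -> one entry per domain
            words = m.group(1).split()
            settings["ntdomain"].append({"domain": words[0], "controllers": words[1:]})
            continue
        m = re.match(r'PerlSetVar\s+(\w+)\s+"?([^"]+)"?$', line, re.I)
        if m:
            settings[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r'AuthType\s+(.+)$', line, re.I)
        if m:
            settings["authtype"] = [t.strip().lower() for t in m.group(1).split(",")]
            continue
        m = re.match(r'require\s+(.+)$', line, re.I)
        if m:
            settings["require"] = m.group(1).strip()
    return settings


def lint(settings):
    """Return a list of findings; an empty list means the block looks sane."""
    findings = []
    domains = [e["domain"] for e in settings["ntdomain"]]
    if not domains:
        findings.append("no 'PerlAddVar ntdomain' line: nothing to authenticate against")
    for entry in settings["ntdomain"]:
        dom = entry["domain"]
        if dom != dom.upper():
            findings.append(f"domain {dom!r} must be the NetBIOS name in capitals")
        if not entry["controllers"]:
            findings.append(f"domain {dom} lists no domain controller")
        for dc in entry["controllers"]:
            if "." in dc:  # the 'Connect to SMB Server failed' case from Troubleshooting
                findings.append(f"controller {dc!r} is a FQDN; use the short host name")
    if not settings["authtype"] or "ntlm" not in settings["authtype"]:
        findings.append("AuthType must include ntlm, otherwise no SSO happens")
    if settings["require"] != "valid-user":
        findings.append("'require valid-user' missing: Apache would not enforce login")
    dd = settings["defaultdomain"]
    if dd is None:
        findings.append("no defaultdomain: Basic Auth users must type DOMAIN\\user")
    elif dd not in domains:
        findings.append(f"defaultdomain {dd!r} is not one of the ntdomain entries")
    return findings


def remote_user(settings, typed_login):
    """Simulate the REMOTE_USER value handed to OTRS for one login string
    (assumed semantics of defaultdomain / splitdomainprefix, see docstring)."""
    if "\\" in typed_login:
        domain, user = typed_login.split("\\", 1)
    else:
        domain, user = settings["defaultdomain"], typed_login
    if settings["splitdomainprefix"] == "1":
        return user                      # OTRS sees the bare Windows user name
    return f"{domain}\\{user}" if domain else user


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    conf = parse_authen_ntlm(text)
    for finding in lint(conf) or ["no findings"]:
        print("-", finding)
    for login in ("jdoe", "DOMAIN\\jdoe", "OTHER\\jdoe"):
        print(f"{login:15} -> REMOTE_USER={remote_user(conf, login)}")
```

Run it against your real file by passing the path as the first argument (for example /etc/apache2/conf.d/otrs.conf). The last simulated login is the one worth noticing: if the assumed splitdomainprefix semantics hold, DOMAIN\jdoe and OTHER\jdoe both reach OTRS as plain jdoe, so when more than one ntdomain is configured the customer login must be unique across all of them, or two Windows accounts end up sharing one OTRS customer account.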