vjGuardADPlugin - 1.0.1

Active Directory authentication - Identity management - SSO with NTLM protocol.

You are currently browsing
the website for symfony 1

Visit the Symfony2 website


« Back to the Plugins Home

Signin


Forgot your password?
Create an account

Tools

Stats

advanced search
Information Readme Dependencies Releases Changelog Contribute
Show source

vjGuardADPlugin

The vjGuardADPlugin packages authentification using Active Directory, proposes management of users (only from AD), groups (create on AD and on database) and permissions and Single Sign On (SSO) with NTLM protocol if activated.

It replaces the vjAuthPlugin which won't be supported soon !

Installation

  • Install the plugin and the dependency

    $ symfony plugin:install sfFormExtraPlugin
    $ symfony plugin:install vjGuardADPlugin
    
  • Publish the assets

    $ symfony plugin:publish-assets
    
  • Clear the cache

    $ symfony cc
    

Secure your application

To secure a symfony application:

  • Enable the module vjGuardADAuth in settings.yml

     all:
       .settings:
         enabled_modules: [..., vjGuardADAuth]
    
  • Change the default login modules in settings.yml

    .actions:
      login_module:           vjGuardADAuth
      login_action:           login
    
      secure_module:          vjGuardADAuth
      secure_action:          secure
    
  • Secure some modules or your entire application in security.yml

      default:
        is_secure: on
    
  • Add some parameters in app.yml

      all:          
        ad:
          options:   # theses options are usefull for the adldap class, the documentation is online
            account_suffix:            '@mysite.fr'
            base_dn:                   'DC=mysite,DC=fr'
            domain_controllers:        [ "myDC1.mysite.fr", "myDC2.mysite.fr" ]
            ad_username:               'username_administrator_active_directory'
            ad_password:               'password_administrator_active_directory'
            recursive_groups:          false
          # if ntlm activated, autologon with the windows username (there are some issues with the NTLM protocol, they are documented farther in this readme)
          ntlm_active:                 true
          # the name of the group authorized to acces to application
          group_authorize:             GROUP
          # the master OU in your AD where will be create the groups
          master_ou:                   'OU=ENFANT2,OU=ENFANT1,OU=PARENT'
          # the value is added after the name of the group
          # ie : I add the group 'administrator', in AD, the group created will be 'administrator_SECURE_GROUP' but still appear as 'administrator' in your web interface
          # if useless, set false
          secure_group_name:           _SECURE_GROUP
          # an array of group not allowed to be created
          # if useless, set false
          group_not_allowed:           [ group1, group2 ]
    

Identity management from AD

To secure a symfony application:

  • Enable the module vjGuardADUser, vjGuardADGroup, vjGuardADPermission in settings.yml

     all:
       .settings:
         enabled_modules: [..., vjGuardADUser, vjGuardADGroup, vjGuardADPermission]
    
  • Build forms, filters, model and database

    $ symfony doctrine:build --all --and-load="plugins/vjGuardADPlugin/data/fixtures/"
    
  • Clear the cache

    $ symfony cc
    
  • Update the file apps/your_app/lib/myUser.class.php

    class myUser extends vjGuardADSecurityUser
    {
    }
    
  • Download jQuery (http://jquery.com/) in web/js/ and add in apps/your_app/config/view.yml

    javascripts:    [jquery-1.3.2.min.js]
    
  • A "local" super admin is created with the plugin (Don't forget to remove this user when you add another user who has app-admin right (in a new group for example) !)

    Identifiant (login)    : admin
    Mot de passe (password): admin
    

Override admin generator's datas

This plugin has some french datas. I don't have internationalized the plugin. I hope I'll have time to :)

  • Override the title of the list of vjGuardADUser (ie)

      generator:
        param:
          config:
            list:
              title:  "User's list"
    

NTLM Configuration

The NTLM protocol talk some issues. It uses to make some modifications on each computer (for each user more precisely).

  • For Microsoft Internet Explorer, you need to modify 3 keys on the windows registry (ie for the Intranet domain : www.yourDomain.com)

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "DisableNTLMPreAuth"=dword:00000001
      "EnableNegotiate"=dword:00000000
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourDomain.com]
      "*"=dword:00000001
    
  • For Mozilla Firefox, you need to modify the configuration of the browser (type about:config on the url)

      search ntlm
      network.automatic-ntlm-auth.allow-proxies   true
      network.automatic-ntlm-auth.trusted-uris    yourDomain.com
      network.ntlm.send-lm-response               true
    

Theses fixs work on IE6, IE7, IE8 and FF3.5 but I think they work too on FF2 and FF3.

TODO

  • internationalization

  • any idea, advice, issue, other ? please email me :)