vjGuardADPlugin - 1.1.3

Active Directory authentication - Identity management - SSO with NTLM or Kerberos protocol.

You are currently browsing
the website for symfony 1

Visit the Symfony2 website


« Back to the Plugins Home

Signin


Forgot your password?
Create an account

Tools

Stats

advanced search
Information Readme Dependencies Releases Changelog Contribute
Show source

vjGuardADPlugin

The vjGuardADPlugin packages authentification using Active Directory, proposes management of users (only from AD), groups (create on AD and on database) and permissions and Single Sign On (SSO) with NTLM or Kerberos protocol if activated.

It replaces the vjAuthPlugin which won't be supported soon !

Installation

  • Add pear channel

    $ pear channel-discover plugins.symfony-project.org
    $ pear channel-discover pear.symfony-project.com
    
  • Install the plugin and the dependency

    $ symfony plugin:install sfFormExtraPlugin
    $ symfony plugin:install vjGuardADPlugin
    
  • Publish the assets

    $ symfony plugin:publish-assets
    
  • Clear the cache

    $ symfony cc
    

Secure your application

To secure a symfony application:

  • Enable the module vjGuardADAuth in settings.yml

     all:
       .settings:
         enabled_modules: [..., vjGuardADAuth]
         i18n:            true
         default_helper:  [..., I18N]
    
  • Change the default login modules in settings.yml

    .actions:
      login_module:           vjGuardADAuth
      login_action:           login
    
      secure_module:          vjGuardADAuth
      secure_action:          secure
    
  • Secure some modules or your entire application in security.yml

      default:
        is_secure: true
    
  • Add some parameters in app.yml

      all:          
        ad:
          options:   # theses options are usefull for the adldap class, the documentation is online
            account_suffix:            '@mysite.fr'
            base_dn:                   'DC=mysite,DC=fr'
            domain_controllers:        [ "myDC1.mysite.fr", "myDC2.mysite.fr" ]
            ad_username:               'username_administrator_active_directory'
            ad_password:               'password_administrator_active_directory'
            recursive_groups:          false
          # if ntlm is activated, autologon with the windows username (there are some issues with the NTLM protocol, they are documented farther in this readme)
          ntlm_active:                 true
          # if kerberos is activated, autologon with the windows username
          kerberos_active:             true
          # the name of the group authorized to acces to application
          group_authorize:             GROUP
          # the master OU in your AD where will be create the groups
          master_ou:                   'OU=ENFANT2,OU=ENFANT1,OU=PARENT'
          # the value is added after the name of the group
          # ie : I add the group 'administrator', in AD, the group created will be 'administrator_SECURE_GROUP' but still appear as 'administrator' in your web interface
          # if useless, set false
          secure_group_name:           _SECURE_GROUP
          # an array of group not allowed to be created
          # if useless, set false
          group_not_allowed:           [ group1, group2 ]
    

Identity management from AD

To secure a symfony application:

  • Enable the module vjGuardADUser, vjGuardADGroup, vjGuardADPermission in settings.yml

     all:
       .settings:
         enabled_modules: [..., vjGuardADUser, vjGuardADGroup, vjGuardADPermission]
    
  • Build forms, filters, model and database

    $ symfony doctrine:build --all --and-load="plugins/vjGuardADPlugin/data/fixtures/"
    
  • Clear the cache

    $ symfony cc
    
  • Update the file apps/your_app/lib/myUser.class.php

    class myUser extends vjGuardADSecurityUser
    {
    }
    
  • Download jQuery (http://jquery.com/) in web/js/ and add in apps/your_app/config/view.yml

    javascripts:    [jquery-1.3.2.min.js]
    
  • A "local" super admin is created with the plugin (this user will be delete when another user will have admin rights (task set-super-admin))

    Identifiant (login)    : admin
    Mot de passe (password): admin
    

Tasks

I had a task to set someone super administrator. Before this, you need to connect to application with the "local" super admin.

Now, go to vjGuardADUser module and add a new user (your future super admin) by tapping his name (not username).

Autocompletion will do the rest. Now you can set him super admin with the task :

  • set-super-admin

    $ symfony vjGuardAD:set-super-admin yourusername

For information, the 'local' super admin will be delete when you'll use this task.

Override admin generator's datas

This plugin has some french datas. I don't have internationalized the plugin. I hope I'll have time to :)

  • Override the title of the list of vjGuardADUser (ie)

      generator:
        param:
          config:
            list:
              title:  "User's list"
    

NTLM Configuration

The NTLM protocol talk some issues. It uses to make some modifications on each computer (for each user more precisely).

  • For Microsoft Internet Explorer, you need to modify 3 keys on the windows registry (ie for the Intranet domain : www.yourDomain.com)

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "DisableNTLMPreAuth"=dword:00000001
      "EnableNegotiate"=dword:00000000
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourDomain.com]
      "*"=dword:00000001
    
  • For Mozilla Firefox, you need to modify the configuration of the browser (type about:config on the url)

      search ntlm
      network.automatic-ntlm-auth.allow-proxies   true
      network.automatic-ntlm-auth.trusted-uris    yourDomain.com
      network.ntlm.send-lm-response               true
    

Theses fixs work on IE6, IE7, IE8 and FF3.5 but I think they work too on FF2 and FF3.

TODO

  • any idea, advice, issue, other ? please email me :)