5 users Sign-in to change your status

Active Directory authentication - Identity management - SSO with NTLM or Kerberos protocol Security Internationalization Model Backend

• Repository
• Download package
• Browse source

Active Directory authentication - Identity management - SSO with NTLM or Kerberos protocol.

• Active Directory authentication : the login and password must be in AD to be valid, you can configure AD's parameters of course
• Identity management : based on sfDoctrineGuardPlugin, this one proposes management of users (only from AD), groups (create on AD and on database) and permissions.
• SSO with NTLM or Kerberos protocol : after some configuration (see README / NTLM configuration), the authentication's module uses your windows login to log you in the application.
• Internationalization : the plugin is internationalized.

Developers

Name	Status	Email
Jean-Philippe MORVAN	lead	rf.fiujelliv-elliv <<ta>> navrom.pj

License

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

Releases for sf 1.4

Version	License	API	Released
1.1.4stable	MIT license	0.0.1alpha	25/02/2010
1.1.3stable	MIT license	0.0.1alpha	24/02/2010
1.1.2stable	MIT license	0.0.1alpha	18/01/2010
1.1.1stable	MIT license	0.0.1alpha	07/01/2010
1.1.0stable	MIT license	0.0.1alpha	07/01/2010
1.0.1stable	MIT license	0.0.1alpha	07/12/2009
1.0.0stable	MIT license	0.0.1alpha	07/12/2009

Releases for sf 1.3

Version	License	API	Released
1.1.4stable	MIT license	0.0.1alpha	25/02/2010
1.1.3stable	MIT license	0.0.1alpha	24/02/2010
1.1.2stable	MIT license	0.0.1alpha	18/01/2010
1.1.1stable	MIT license	0.0.1alpha	07/01/2010
1.1.0stable	MIT license	0.0.1alpha	07/01/2010
1.0.1stable	MIT license	0.0.1alpha	07/12/2009
1.0.0stable	MIT license	0.0.1alpha	07/12/2009

Name	Channel	Version
sfFormExtraPlugin	plugins.symfony-project.org	1.1.0-1.5.0

Join this plugin team

Other releases

Release 1.1.4 - 25/02/2010

Release 1.1.3 - 24/02/2010

Release 1.1.2 - 18/01/2010

Release 1.1.1 - 07/01/2010

Release 1.1.0 - 07/01/2010

Release 1.0.1 - 07/12/2009

Release 1.0.0 - 07/12/2009

vjGuardADPlugin

The vjGuardADPlugin packages authentification using Active Directory, proposes management of users (only from AD), groups (create on AD and on database) and permissions and Single Sign On (SSO) with NTLM or Kerberos protocol if activated.

It replaces the vjAuthPlugin which won't be supported soon !

Installation

• Add pear channel

  $ pear channel-discover plugins.symfony-project.org
  $ pear channel-discover pear.symfony-project.com
  

• Install the plugin and the dependency

  $ symfony plugin:install sfFormExtraPlugin
  $ symfony plugin:install vjGuardADPlugin
  

• Publish the assets

  $ symfony plugin:publish-assets
  

• Clear the cache

  $ symfony cc
  

Secure your application

To secure a symfony application:

• Enable the module vjGuardADAuth in settings.yml

   all:
     .settings:
       enabled_modules: [..., vjGuardADAuth]
       i18n:            true
       default_helper:  [..., I18N]
  

• Change the default login modules in settings.yml

  .actions:
    login_module:           vjGuardADAuth
    login_action:           login
  
    secure_module:          vjGuardADAuth
    secure_action:          secure
  

• Secure some modules or your entire application in security.yml

    default:
      is_secure: true
  

• Add some parameters in app.yml

    all:          
      ad:
        options:   # theses options are usefull for the adldap class, the documentation is online
          account_suffix:            '@mysite.fr'
          base_dn:                   'DC=mysite,DC=fr'
          domain_controllers:        [ "myDC1.mysite.fr", "myDC2.mysite.fr" ]
          ad_username:               'username_administrator_active_directory'
          ad_password:               'password_administrator_active_directory'
          recursive_groups:          false
        # if ntlm is activated, autologon with the windows username (there are some issues with the NTLM protocol, they are documented farther in this readme)
        ntlm_active:                 true
        # if kerberos is activated, autologon with the windows username
        kerberos_active:             true
        # the name of the group authorized to acces to application
        group_authorize:             GROUP
        # the master OU in your AD where will be create the groups
        master_ou:                   'OU=ENFANT2,OU=ENFANT1,OU=PARENT'
        # the value is added after the name of the group
        # ie : I add the group 'administrator', in AD, the group created will be 'administrator_SECURE_GROUP' but still appear as 'administrator' in your web interface
        # if useless, set false
        secure_group_name:           _SECURE_GROUP
        # an array of group not allowed to be created
        # if useless, set false
        group_not_allowed:           [ group1, group2 ]
  

Identity management from AD

To secure a symfony application:

• Enable the module vjGuardADUser, vjGuardADGroup, vjGuardADPermission in settings.yml

   all:
     .settings:
       enabled_modules: [..., vjGuardADUser, vjGuardADGroup, vjGuardADPermission]
  

• Build forms, filters, model and database

  $ symfony doctrine:build --all --and-load="plugins/vjGuardADPlugin/data/fixtures/"
  

• Clear the cache

  $ symfony cc
  

• Update the file apps/your_app/lib/myUser.class.php

  class myUser extends vjGuardADSecurityUser
  {
  }
  

• Download jQuery (http://jquery.com/) in web/js/ and add in apps/your_app/config/view.yml

  javascripts:    [jquery-1.3.2.min.js]
  

• A "local" super admin is created with the plugin (this user will be delete when another user will have admin rights (task set-super-admin))

  Identifiant (login)    : admin
  Mot de passe (password): admin
  

Tasks

I had a task to set someone super administrator. Before this, you need to connect to application with the "local" super admin.

Now, go to vjGuardADUser module and add a new user (your future super admin) by tapping his name (not username).

Autocompletion will do the rest. Now you can set him super admin with the task :

• set-super-admin

  $ symfony vjGuardAD:set-super-admin yourusername

For information, the 'local' super admin will be delete when you'll use this task.

Override admin generator's datas

This plugin has some french datas. I don't have internationalized the plugin. I hope I'll have time to :)

• Override the title of the list of vjGuardADUser (ie)

    generator:
      param:
        config:
          list:
            title:  "User's list"
  

NTLM Configuration

The NTLM protocol talk some issues. It uses to make some modifications on each computer (for each user more precisely).

• For Microsoft Internet Explorer, you need to modify 3 keys on the windows registry (ie for the Intranet domain : www.yourDomain.com)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "DisableNTLMPreAuth"=dword:00000001
    "EnableNegotiate"=dword:00000000
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourDomain.com]
    "*"=dword:00000001
  

• For Mozilla Firefox, you need to modify the configuration of the browser (type about:config on the url)

    search ntlm
    network.automatic-ntlm-auth.allow-proxies   true
    network.automatic-ntlm-auth.trusted-uris    yourDomain.com
    network.ntlm.send-lm-response               true
  

Theses fixs work on IE6, IE7, IE8 and FF3.5 but I think they work too on FF2 and FF3.

TODO

• any idea, advice, issue, other ? please email me :)