State of Kerberos SSO on NC14 with EL7 (Apache 2.4, mod_auth_gssapi) #250
Comments
You do not need to protect the "global" location with Apache. Roughly speaking, Nextcloud has its own access control system. The user_saml module extends it, allowing the use of additional tools for authentication.
After receiving information about the authenticated user and creating a session, Nextcloud will perform further access control (including public links and DAV) on its own.
Sure, I understand that, but I did not get that Location to work on NC14. Only using the root Location worked; the suggested Location always complained about the user not being provisioned.
Very strange. I use a similar scheme and it works.
Further on, in the user_saml module, it is used for authentication:
In short: regardless of the authentication module on the web server, normalize the login name of the Apache user using the same attribute that the backend module on Nextcloud uses.
The only difficulty is that mod_lookup_identity works through sssd, so additional sssd configuration on the web server is needed.
I am familiar with mod_lookup_identity. The lookup cannot be the issue, since NC recognizes the user with just a different Location in the Apache configuration. In any case this is just one of the issues; in the end we decided to drop NC due to the combination of multiple issues and may revisit with version 15, or wait until the SSO support is better.
Hi
and for gssapi I used
Maybe a little late, but I had the same problem.
That's not what you want. So you have to disable pretty URLs: then update the .htaccess file with
change Location to
Now login should work; see also #415
Thanks a lot. It works for me.
Steps to reproduce
Install a new Nextcloud 14 on RHEL/CentOS 7 and try to make Kerberos SSO work. This is with PHP 7.1 from the IUS repository. gssproxy was also used, which is why there is no keytab configuration in the mod_auth_gssapi configuration.
I open this issue in the hope that it could help others trying to make Kerberos SSO work with NC14, and also to summarize the problems listed in different open issues.
Hopefully this can inform other system administrators about what to expect if planning to deploy NC with Kerberos SSO.
It is unfortunate that the Kerberos SSO support in NC is in this state; currently many/most enterprises still rely on Kerberos SSO and have not yet moved on to SAML/AD FS. Some of the issues listed here may also exist with SAML SSO.
Expected behaviour
There are several issues with the current status of Kerberos SSO on NC14 that make it an unattractive/cumbersome solution. Ideally NC could still be used for public/password-protected downloads and could still allow users to log in by entering their LDAP credentials when necessary.
Actual behaviour
Several issues were encountered:
Server configuration
userPrincipalName in the LDAP Expert configuration. The default LDAP filters are not very good for enterprise usage; for example, disabled users are still allowed to log in. Filters used were:

Users:
(&(objectclass=person)(&(primaryGroupID=513)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

Login Attributes:
(&(&(objectclass=person)(&(primaryGroupID=513)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(userPrincipalName=%uid))))
The only way I could make it work was to enable mod_auth_gssapi on Location /; both locations mentioned in #118, /index.php/login and /index.php/apps/user_saml/saml/login, did not work. This obviously makes it impossible to share files with the public, either with a totally open share or with password protection, and is a show-stopper for me at least.
Relevant Apache configuration:
Operating system: EL7
Web server: Apache 2.4
Database: MySQL
PHP version: 7.1
Nextcloud version: 14.0.0.19
Where did you install Nextcloud from: .tar.bz2
Edit: several improvements on language used.
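An added example of the Apache scoping the thread argues over, written by the editor; it is not the issue author's configuration (which is not reproduced above) and not part of the Nextcloud or mod_auth_gssapi projects. It keeps mod_auth_gssapi on the user_saml login endpoint named in the issue rather than on Location /, so share links and WebDAV stay under Nextcloud's own access control. Assumptions: the host name nextcloud.example.com, the document root /var/www/nextcloud and the session key path are placeholders; the HTTP/ service credential is supplied by gssproxy, so no GssapiCredStore keytab is set, matching the issue; user_saml is in its environment-variable mode reading REMOTE_USER; and, as one commenter reports above, the narrow Location may only work on NC14 once pretty URLs are disabled.

```apache
# Added example, not the issue author's config. Kerberos/SPNEGO is limited to
# the SSO login endpoint; everything else is anonymous at the Apache layer and
# left to Nextcloud's own session and share-token checks.
# Requires mod_auth_gssapi plus mod_session and mod_session_cookie (all loaded
# from conf.modules.d on EL7). Host name, DocumentRoot and key path are assumed.

<VirtualHost *:443>
    ServerName nextcloud.example.com
    DocumentRoot /var/www/nextcloud
    # TLS directives omitted; sessions below set the "secure" cookie flag.

    # What the issue describes as the only working setup: Kerberos on the whole
    # site. Every request, including /s/<token> share links and remote.php/dav,
    # then needs a ticket, so anonymous and password-only shares break.
    #<Location />
    #    AuthType GSSAPI
    #    AuthName "Kerberos Login"
    #    Require valid-user
    #</Location>

    # Narrow scope: only the user_saml environment-variable login endpoint.
    <Location /index.php/apps/user_saml/saml/login>
        AuthType GSSAPI
        AuthName "Kerberos Login"
        # With gssproxy providing HTTP/nextcloud.example.com there is no keytab
        # here; without gssproxy you would add:
        #   GssapiCredStore keytab:/etc/httpd/http.keytab
        GssapiAllowedMech krb5
        # No Basic fallback: it would carry passwords over the SSO path, and
        # form logins against LDAP are handled by Nextcloud itself.
        GssapiBasicAuth Off
        # Off (the default) leaves REMOTE_USER as the full principal,
        # e.g. alice@EXAMPLE.COM, which is what a login filter of
        # (userPrincipalName=%uid) expects. Set On, with auth_to_local rules
        # in krb5.conf, only if the backend keys on a short name instead.
        GssapiLocalName Off
        # Cache the authenticated principal in a signed cookie so the
        # 401/Negotiate round trip is not repeated on every hit.
        GssapiUseSessions On
        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;
        GssapiSessionKey file:/etc/httpd/gssapi_session.key
        Require valid-user
    </Location>
</VirtualHost>
```

Whichever value GssapiLocalName takes, the string that reaches Nextcloud in REMOTE_USER must equal, including case, the attribute the LDAP login filter compares against; an AD userPrincipalName suffix is not required to match the Kerberos realm, so compare the output of klist on a client against an ldapsearch of the same account before relying on the mapping. The session key file should be created with restrictive permissions and owned by the httpd user, since anyone who can read it can forge session cookies for this Location.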