Update: a new post is availbe, with an updates patchfile for Mantis 1.2.1!
The more tools are being used in an enterprise environment, the more logins and passwords need to be memorized. A first step is to use LDAP based authenticatin. In MS Windows based networks this offers to ability to manage all users in the Active Directory, so the users only have to use on username/password. But the user will still have to enter this into a login-screen in order to access the application.
Using SSO the user is always identified by already existind credentials. In the best case, the logon credetials of the operating system are being used. Since Active Directory is based on the Kereberos authentication protocoll, this offers the ability to use kerberos based authentication in other applications, and thus re-using the existing windows authentication.
The Internet Explorer is capable of using the windws logon-credentials to authenticate users on certain webservers. But with a slight modification this can also be used on an Apache running on a linux box. How to setup Apache to allow kerberos authentication is explained in another article. Once Apache is setup correct, Mantis needs to be slightly modified to use the information supplied by the kerberos authentication. My modifications are all based on the current development-release of mantis 1.1.0a2.
Modifing Mantis
Basically three files need to be modified: core\authentication_api.php, login.php and config.inc.php.
- In
config.inc.phpI switch from LDAP authentication to HTTP_AUTH, since I wand the webserver to handle the authentication. Also I introduce a new configuration settingsso_user_regex. This is needed, because I need to extract the username from the user identified by the webserver. So I use this handy little regex to do this for me:$g_login_method = HTTP_AUTH; $g_sso_user_regex = '/^(.*)@ACME\.COM$/i';This regex would extract the username portion for users of the domain “ACME.COM”.
- Next would be to modify
login.phpto extract the username from the authenticated user, if the user was detected using “Negotiation” (which is the case if IWA was used). So I apply my previously defined regex to the “Remote-User” variable of the server to get my mantis username. So we have to insert some code at line 32:if ( isset($_SERVER['REMOTE_USER'])) { # $_SERVER['AUTH_TYPE'] == 'Negotiate' ) preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match); $f_username = $user_match[1]; } - The last step is to add an additional condition to the
authentication_api.phpto prevent from trying to authenticate the user with the mantis user database using the username and password. This would only work, if the username and password would be supplied by the webserver, but using IWA we only have the username (the password is not transmitted in IWA, only the logon-challange). So this would only work if Basic Authentication would be used instead of kerberos authentication. So validating username and password with the mantis user database is restricted forHTTP_AUTHby modifing line 121:if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) { # if ( !auth_does_password_match( $t_user_id, $p_password ) ) {
So this should be all, to get Integrated Windows Authentication running. Below is a patchfile to apply the changes of authentication_api.php and login.php.
Attached you’ll find a patch-file to modified the corresponding files. To apply the patch you simple need to execute (assuming you have patch, and you’re executing it within your install-directory of Mantis):
patch < iwa_sso.patch -p0
Download: iwa_sso patch
This is exactly what I need! But unfortunately the link to the patch is broken.
@Sebastià Pla
Sorry for the broken link – this must have happend during my blog migration. However … I fixed the link, so the download should be working again.
Unfortunately not working with Mantis 1.2.1
Please, fix this.
I will see into that – actually I’m running it with Mantis 1.2.1, but Sergey you’re right, since I needed to make some minor modifications, because the actual lines moved somewhat. I will create a new patch-file and upload that.
OK, sorry for the delay, but I was just too busy to prep a new post. But finally I did get around to it, and you’ll find a new patchfile at http://www.eiben.weite-welt.com/2010/07/integrated-windows-authentication-in-mantis-updated-to-mantis-1-2-1/
Cool stuff! How do you manage the user names in Mantis? Do you create them there as well? (Only the username part?)
Does the solution only support logging in as “user@ACME.COM” or also as “ACME\user”?
I have used the suggestions here (and the next post of course) for 1.2.1 and seem to get weird results. Apache is set up nicely and can authenticate against my AD. Testing against another folder works just fine, but I guess something with Mantis makes it more complicated…
@Rick: yes, you have to create the accounts in Mantis as well in order to assign issues to these users. The account in Mantis is equal to the username, and the users log in using just “user” (not user@ACME.COM or ACME\user).
Hi eiben, thanks for that great article. Since I’ll be doing a new installation of Mantis 1.2.5, I am wondering if the script (new one) will work with Mantis 1.2.5 too ? And I am not clear about which files to change ?
I’m currently running Mantis 1.3.0dev (by now a little out-dated, I believe it’s a few months old) and the customizations work just fine. So I would assume, that this will also work with 1.2.5.
Did you also look at http://www.eiben.weite-welt.com/2010/07/integrated-windows-authentication-in-mantis-updated-to-mantis-1-2-1/? There I described some changes that happend in the Mantis base and how that affects which files need to be modified.
Basically you can look at the patch-file to see what actually needs to be changed.
If you need help, feel free to post either to the comments or mail me directly.
Do you have some experience with this windows-authetication-in-mantis and Gitweb plugin (http://noswap.com/blog/integrating-git-svn-with-mantisbt/)?
Login to mantis is OK but import data from GIT repository is failed. There is a problem with kerberos authentication.
Thank you for every help.
M.Hajek
No, I don’t have any experience with this plugin; sorry.
Hello Henning,
we have an problem with your patch. The Login with an AD user works, but you can also login with the AD User without an password or login with wrong passwords.
Can you help?
best regards
Well, you not only need to apply the patch, but you also need to update your webserver configuration. I’m using apache, so I modified my apache config, to do the authorization. Because ony authorized requests can get into the PHP process, I can just safely assume, that the username is correct. In my case I’m using kerberos auth in apache, to implement SSO with windows users to mantis.