How-to: Integrating Nictool with Active Directory

Started by technicidat, June 14, 2010, 09:47:59 AM


technicidat

 How to integrate Nictool authentication with Active Directory.

Intro:

The point of this how-to is to replace the MySQL based authentication with Active Directory (AD).
This will probably work for (Open) LDAP too but I have not tested this.
I won't go into details about the advantages of using a directory to manage your users; it makes sense for a lot of reasons.

Method:

Instead of authenticating the user from MySQL, we will use Apache's mod_authz_ldap module to talk to the AD and authenticate the user first.
A modified version of Nictool's index.cgi file then connects to AD to look up the user account. Should Apache successfully authenticate a user, the index.cgi file will see this and allow the user to proceed into the Nictool web interface without re-entering their login details.

The way this works is that mod_authz_ldap sets a HTTP parameter called "remote_user".
This parameter is the "username" field and maps to the "sAMAccountName" LDAP parameter in AD.

Steps:

1. Install, configure and test Nictool:
- Use the standard docs to do this
- It must be a fully functional installation (test it well) and should be authenticating correctly from MySQL (create some test users, don't just use the Admin account)


2. Active Directory structure:

- The structure I used in Active Directory is to create a separate Organizational Unit (OU) for each organization/company/department that needs to authenticate to Nictool.
- You then create each organization's users under their OU. I think it makes it easier to manage user accounts when you have many customers instead of having them all in one OU.
- Your own company should also have an OU for its users; this OU is mapped to the top level of Nictool (you want to have control over all the sub groups)
- The naming of the OU must match (exactly) the Nictool Group created in the Nictool web interface
- I guess this Group/OU could be named anything but I just use a 4 letter code to identify each customer (also I have no spaces in mine, so I'm not sure if it works with spaces..)

e.g. OU naming format:
CUS1
CUS2
CUS3

3. Create the users under each OU in AD:
- I use the username format of: first.lastname


4. Create the corresponding users in Nictool using the web interface:
- Make sure the usernames match (exactly) those in AD (sAMAccountName),
i.e. first.lastname
- Note that Nictool won't allow you to create a user account with an empty password via the web interface, just choose some random password (you will have to clear it later anyway).


5. Create the binddn user account:
- Unless you have anonymous access to your AD, you will most likely need to create an account to allow Nictool and Apache to query the directory.
- Create a user with standard permissions and set a password, which must match those used in your Apache config and index.cgi
e.g. binddn_user (password: SomeSecretPassword)


6. Clear the Nictool user account passwords in MySQL:
- For this to work you must set an empty (NULL) password for the users in Nictool (I guess you could write a SQL script to periodically do this from the crontab?)
- Use the MySQL command line client, phpmyadmin, MySQL GUI Tools or your favourite method of editing MySQL data.
- Go into the DB and clear the password in the users table (mine is called nt_users)
**NOTE: Don't clear the Admin (root) user password. You may need this to log on in case the domain controller is down or there is some other trouble..


7. Make sure the Apache vhost config for your Nictool (client) looks like this:

- NOTE: Substitute the IPs, file paths, etc. to match your own setup!!
- I HIGHLY recommend this vhost uses SSL to secure the login, otherwise it goes over the net as plain text (I use an SSL secured Apache ProxyPass)
- 192.168.10.10 in the example is your domain controller, substitute with your own IP (you may be able to add a BDC too, have not tried this yet..)


<VirtualHost 127.0.0.1:80>

        ServerName nictool.your.domain.tld
        ServerAdmin noc@your.domain.tld

        ErrorLog /var/log/apache/nictool.your.domain.tld/nictool.your.domain.tld-error_log
        CustomLog /var/log/apache/nictool.your.domain.tld/nictool.your.domain.tld-access_log combined

        ServerPath /opt/webapps/apps/NicToolClient/htdocs
        DocumentRoot /opt/webapps/apps/NicToolClient/htdocs

        Alias /images/ "/opt/webapps/apps/NicToolClient/htdocs/images/"

        DirectoryIndex index.cgi

        <Files "*.cgi">
                SetHandler perl-script
                PerlResponseHandler ModPerl::Registry
                PerlOptions +ParseHeaders
                Options +ExecCGI
        </Files>

        <Directory "/opt/webapps/apps/NicToolClient/htdocs">
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>

        <Location />
                # AllowOverride is only valid in <Directory> blocks; inside <Location> Apache refuses to start
                Order deny,allow
                Allow from all
                AuthType               Basic
                AuthBasicProvider      ldap
                AuthzLDAPAuthoritative off
                AuthName               "DNS Management Login"
                AuthLDAPBindDN         binddn_user@your.domain.tld
                # must match the binddn password from step 5 and $bindp in index.cgi
                AuthLDAPBindPassword   SomeSecretPassword
                AuthLDAPURL            "ldap://192.168.10.10/dc=your,dc=domain,dc=tld?sAMAccountName?sub?(objectclass=*)"
                require valid-user
        </Location>

</VirtualHost>


8. Install mod_authz_ldap and restart Apache

On CentOS/RHEL: (your distro may be different)

# yum install mod_authz_ldap.x86_64


9. Replace the index.cgi in the web root (NicToolClient/htdocs) with the modified version and edit some parameters:
(make a backup of the original first in case..)

# cp index.cgi index.cgi.BAK

# wget http://www.nexus6.co.za/download/newindexcgi
# mv newindexcgi index.cgi

- You need to fill in several things here, substitute for your own values:

my $server = "192.168.10.10";                 # domain controller
my $bindu = 'binddn_user@your.domain.tld';    # binddn account from step 5
my $basedn = "dc=your,dc=domain,dc=tld";
my $bindp = 'SomeSecretPassword';             # must match AuthLDAPBindPassword in Apache


- Look for and edit:

if( $ou[1] eq 'YOUR-OU' ) {

- Replace 'YOUR-OU' with your own (your company) AD OU,

e.g. MYCOMPANY (note: this is NOT necessarily the DC from the LDAP string in Apache, it will be any OU you specify)

- The 'YOUR-OU' parameter will map users in the AD to the accounts in the top level of Nictool,
i.e. those that can see all the sub groups. This will usually be your company or department; subgroups usually only see domains in their own group.


10. Log in to Nictool:
- You should only need to visit the Nictool home page and be presented with a login box by Apache.
- If all goes well, you should be able to log in using your AD account to Nictool.


NOTES:
Check the logs (both Apache and AD Event Viewer logs) for clues if something isn't working.
I think anyone with a decent level of Linux/Apache and AD should be able to configure and troubleshoot this.
If you are really stuck try to post back to this thread and I will see if I can help.

If you notice some mistakes here, please let me know so I can update this and other people don't have to suffer too..

THANKS:
Go to Adrian Goins over at Arces.net, without whom this would not be working. Thanks again!
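The REMOTE_USER-to-group mapping that the modified index.cgi performs (steps 2, 9 and the "Method" section), as an added Python example. It is not the thread's index.cgi, the newindexcgi download, or NicTool code; the directory entries, the top-level OU name MYCOMPANY, and the function names are constructed for illustration. It reads the username Apache sets, looks the DN up by sAMAccountName, takes the OU directly under the domain root as the customer OU, and treats a user in the configured OU as a top-level NicTool login; a request without REMOTE_USER, or a user outside any customer OU, is refused. It also escapes the username before it goes into the LDAP search filter, which the post does not discuss.

```python
import re

# Constructed sample directory standing in for Active Directory (not real data):
# sAMAccountName -> distinguishedName, as the modified index.cgi would get it
# from an LDAP search on the value of REMOTE_USER.
SAMPLE_DIRECTORY = {
    "jane.doe":  "CN=jane.doe,OU=MYCOMPANY,DC=your,DC=domain,DC=tld",
    "bob.smith": "CN=bob.smith,OU=Staff,OU=CUS1,DC=your,DC=domain,DC=tld",
    "eve.jones": "CN=eve.jones,OU=CUS2,DC=your,DC=domain,DC=tld",
    "no.ou":     "CN=no.ou,CN=Users,DC=your,DC=domain,DC=tld",
}

# Stands in for the 'YOUR-OU' value edited into index.cgi in step 9 (assumed name).
TOP_LEVEL_OU = "MYCOMPANY"

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(sam_account_name):
    """Filter used to look the authenticated user up by sAMAccountName."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(sam_account_name)


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first; honours backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def organization_ou(dn):
    """The OU directly under the domain root, i.e. the customer/company OU
    from step 2 (nested OUs below it are ignored). None if the user is in no OU."""
    ous = [value for attr, value in split_dn(dn) if attr == "OU"]
    return ous[-1] if ous else None


def resolve_nictool_group(remote_user, directory=SAMPLE_DIRECTORY, top_level_ou=TOP_LEVEL_OU):
    """Map an Apache-authenticated REMOTE_USER to the NicTool group it may enter.
    Returns (username, group_name, is_top_level). Raises PermissionError when
    the request must not be let through."""
    if not remote_user:
        # Apache did not set REMOTE_USER: the auth layer was bypassed or misconfigured.
        raise PermissionError("no authenticated user")
    dn = directory.get(remote_user)
    if dn is None:
        raise PermissionError("user %r not found in directory" % remote_user)
    ou = organization_ou(dn)
    if ou is None:
        raise PermissionError("user %r is not under a customer OU" % remote_user)
    if ou.upper() == top_level_ou.upper():
        return remote_user, ou, True     # your own company: top level of NicTool
    return remote_user, ou, False        # customer: only their own NicTool group


def handle_request(environ):
    """Minimal stand-in for the index.cgi entry point, reading REMOTE_USER
    from the CGI environment the way mod_perl exposes it."""
    return resolve_nictool_group(environ.get("REMOTE_USER", ""))


if __name__ == "__main__":
    for user in ("jane.doe", "bob.smith", "no.ou", ""):
        try:
            print(user or "<none>", "->", handle_request({"REMOTE_USER": user}))
        except PermissionError as exc:
            print(user or "<none>", "-> denied:", exc)
```

The refusal on a missing REMOTE_USER matters because step 6 leaves the NicTool accounts with empty passwords: the only thing standing between a visitor and those accounts is Apache's LDAP check, so the CGI must never fall through when that check has not run.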

chaitanya.veerla

Hi Sir,

I have followed the same procedure as you mentioned in the doc, but I did not succeed.

My version of nictool is NicTool v2.18.


I am getting a 500 error on the screen. Could you please advise me?

Thanks & Regards,
Chaitanya

Rich.West

I recently had to tackle the same issue, and the link to "newindex.cgi" in the original posting just didn't work for the release I'm on (v2.20).  Although, it did provide a good starting point as I took the code and inserted it in to the proper places on the new version.

It's not great.. or clean.  Probably the best way to do this would be to use native LDAP modules rather than have Apache handle the LDAP authentication which gets passed to NicTool, but this should get people started down the LDAP authentication route in a pinch.