[Solved] SSO via NTLM: fusioninventory-agent error
#1
Hello,

I have a small problem:

We are going to migrate our GLPI database to a new Debian 7 server, and while trying to set SSO back up I have a problem: the agent cannot connect to the glpi/plugins/fusioninventory directory.

Here are my configuration files:

/etc/apache2/sites-available/default:

Code:
<VirtualHost *:80>
        ServerAdmin root@localhost
        ServerName glpi-serveur-84.xxxxxxxxxxx.com
        ServerAlias glpi-serveur-84

        DocumentRoot /var/www/glpi
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>


        <Directory /var/www/glpi>
                Options -Indexes -FollowSymLinks MultiViews
                NTLMAuth on
                AuthType NTLM
                AuthName "GLPI NTLM Authentication"
                NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
                NTLMBasicAuthoritative on
                require valid-user
                Order allow,deny
                allow from all
                Satisfy All
        </Directory>


        <Directory /var/www/glpi/plugins/fusioninventory>
                Satisfy Any
                Allow from all
        </Directory>


        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog ${APACHE_LOG_DIR}/access.log common
        CustomLog ${APACHE_LOG_DIR}/referer.log "%{Referer}i -> %U"
        CustomLog ${APACHE_LOG_DIR}/agent.log "%{User-agent}i"

        Alias /phpmyadmin "/usr/share/phpmyadmin"
        Alias /phpsysinfo "/usr/share/phpsysinfo"
</VirtualHost>


/usr/local/etc/fusioninventory/agent.cfg:

Code:
...
server = http://127.0.0.1/glpi/plugins/fusioninventory/
...

And when I run the agent I get the following message:

Code:
[debug] FusionInventory Agent (2.3.4)
[debug] Configuration directory: /usr/local/etc/fusioninventory
[debug] Data directory: /usr/local/share/fusioninventory
[debug] Storage directory: /usr/local/var/fusioninventory
[debug] Lib directory: /usr/local/share/fusioninventory/lib
[debug] [target server0] Next server contact planned for Wed Dec 18 18:17:48 2013
[debug] Available tasks:
[debug] - ESX: 2.2.1
[debug] - Inventory: 1.0
[debug] - WakeOnLan: 2.0
[debug] - NetDiscovery: 2.2.0
[debug] - Deploy: 2.0.4
[debug] - NetInventory: 2.2.0
[debug] FusionInventory Agent initialised
[debug] [http client] Using Compress::Zlib for compression
[debug2] [http client] sending message:
<?xml version="1.0" encoding="UTF-8" ?>
<REQUEST>
  <DEVICEID>GLPI-SERVEUR-84-2013-12-18-17-12-21</DEVICEID>
  <QUERY>PROLOG</QUERY>
  <TOKEN>12345678</TOKEN>
</REQUEST>
[error] [http client] authentication required, no credentials available
[fault] No answer from the server at /usr/local/share/fusioninventory/lib/FusionInventory/Agent.pm line 261.

The versions are:
fusioninventory-agent : 2.3.4
fusioninventory : 0.84+2.0
glpi : 0.84.3
debian : 7.0.1
apache2 : 2.2.22-13


And one thing I don't understand is that when I put back the default /usr/local/etc/fusioninventory/agent.cfg file, my SSO no longer works (which is logical) but the agent does manage to communicate.

It is surely a configuration problem in the /usr/local/etc/fusioninventory/agent.cfg file, but I don't see what's wrong.

Regards.
  Reply
#2
Your Apache configuration says that a login/password is required, but the agent does not have a login and password. So either you add them to the URL using a read-only account, or you exclude the plugins/fusioninventory/ directory from the SSO requirement, or you create a new vhost that does not define SSO.
Co-leader, official developer
DCS official PARTNER: dcs.glpi@dcsit-group.com
  Reply
#3
Am I not already excluding it with:

Code:
<Directory /var/www/glpi/plugins/fusioninventory>
                Satisfy Any
                Allow from all
        </Directory>
  Reply
#4
Ah, and what's in the Apache logs?
Co-leader, official developer
DCS official PARTNER: dcs.glpi@dcsit-group.com
  Reply
#5
When I start the agent, these are the lines written to the log files:

/var/log/apache2/access.log:
Code:
127.0.0.1 - - [19/Dec/2013:14:12:07 +0100] "POST /glpi/plugins/fusioninventory/ HTTP/1.1" 401 753

/var/log/apache2/agent.log:
Code:
FusionInventory-Agent_v2.3.4

/var/log/apache2/referer.log:
Code:
- -> /glpi/plugins/fusioninventory/

And nothing in error.log
  Reply
#6
You're getting a 401, so it is no longer applying your exclusion.
Co-leader, official developer
DCS official PARTNER: dcs.glpi@dcsit-group.com
  Reply
#7
Yes, but I don't see what's wrong with my Apache configuration:

Code:
<VirtualHost *:80>
        ServerAdmin root@localhost
        ServerName glpi-serveur-84.prevost-industries.com
        ServerAlias glpi-serveur-84

        DocumentRoot /var/www/glpi
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/glpi>
                Options -Indexes -FollowSymLinks MultiViews
                AllowOverride None
                NTLMAuth on
                AuthType NTLM
                AuthName "GLPI NTLM Authentication"
                NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
                NTLMBasicAuthoritative on
                require valid-user
                Order allow,deny
                allow from all
        </Directory>

        <Directory /var/www/glpi/plugins/fusioninventory/>
                Satisfy Any
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog ${APACHE_LOG_DIR}/access.log common
        CustomLog ${APACHE_LOG_DIR}/referer.log "%{Referer}i -> %U"
        CustomLog ${APACHE_LOG_DIR}/agent.log "%{User-agent}i"

        Alias /phpmyadmin "/usr/share/phpmyadmin"
        Alias /phpsysinfo "/usr/share/phpsysinfo"
</VirtualHost>
  Reply
#8
Problem solved ...

It wasn't coming from Apache after all...

In my agent's configuration I had entered this address:
server = http://127.0.0.1/glpi/plugins/fusioninventory/

instead of:
server = http://127.0.0.1/plugins/fusioninventory/
  Reply
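
Added example (not part of the original thread, and not Apache or GLPI code): a simplified Python model of how Apache 2.2 merges the `<Directory>` sections of the vhost in post #7. It shows why the agent URL from post #1 gets the 401 seen in the access log, while the corrected URL from post #8 falls under the `Satisfy Any` exclusion. The `SECTIONS` table and all function names are constructed for illustration.

```python
import posixpath

# Constructed model of the vhost in post #7: access-control directives only.
DOCUMENT_ROOT = "/var/www/glpi"
SECTIONS = [
    ("/", {}),
    # Satisfy defaults to All when a section does not set it.
    ("/var/www/glpi", {"require": "valid-user", "allow": "all", "satisfy": "all"}),
    ("/var/www/glpi/plugins/fusioninventory/", {"satisfy": "any"}),
]

def url_to_file(url_path):
    """Map a URL path to a filesystem path, as a plain DocumentRoot does."""
    return posixpath.normpath(DOCUMENT_ROOT + "/" + url_path.lstrip("/"))

def covers(directory, file_path):
    """True when file_path is the directory itself or lies beneath it."""
    directory = directory.rstrip("/")
    return (directory == "" or file_path == directory
            or file_path.startswith(directory + "/"))

def effective_directives(file_path):
    """Merge matching <Directory> sections, shortest path first; later wins."""
    merged = {}
    for directory, directives in sorted(SECTIONS, key=lambda s: len(s[0].rstrip("/"))):
        if covers(directory, file_path):
            merged.update(directives)
    return merged

def anonymous_status(url_path):
    """Status a client without credentials (such as the agent) is expected to get."""
    d = effective_directives(url_to_file(url_path))
    host_ok = d.get("allow") == "all"
    if d.get("satisfy", "all") == "any" and host_ok:
        return 200  # the host check alone is enough, no credentials requested
    if not host_ok:
        return 403
    return 401 if "require" in d else 200

if __name__ == "__main__":
    for url in ("/glpi/plugins/fusioninventory/", "/plugins/fusioninventory/"):
        print(url, "->", url_to_file(url), anonymous_status(url))
```

The same model makes the trade-off of the exclusion visible: every path under plugins/fusioninventory/ is served without NTLM credentials, while the rest of the GLPI tree still answers 401 to an anonymous client.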
#9
Hi there,
could someone help with defining SSO via NTLM here:
Code:
<Directory /usr/share/glpi>
#    Options None
#    AllowOverride Limit Options FileInfo

    php_value memory_limit 64M

#    Options ExecCGI
    Options -Indexes -FollowSymLinks MultiViews
    AllowOverride None

    NTLMAuth on
    AuthType NTLM
    AuthName "NTLM Authentication"
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    Require valid-user
    Order allow,deny
    Satisfy all
    Allow from all
</Directory>
The results are:
- When visiting the site http://myglpiserver.company.local/glpi:
Firefox - shows basic auth window, passing correct credentials the user authenticates successfully
IE11 - SSO works OK
Chrome - SSO works OK

- When visiting the site https://myglpiserver.company.local/glpi:
Firefox - shows basic auth window, passing correct credentials the user authenticates successfully
IE11 - 401 Authorization Required
Chrome - SSO works OK

Site *.comany.local has been added to the IE's intranet zone.
It's the third time we have tried to make it work and we did not find any solution to make SSO work with GLPI and a Windows domain (it seems like it's working partially, though). I'm running out of ideas...
Best regards, Olo

Latest stable versions of GLPI+FI+OCS on Apache/2.2.15 (Unix) | CentOS 6.x x64 (epel, remi, remi-php55, remi-safe, home_guillomovitch) | AD w2k8R2, w7 (x64), FusionInventory Agent 2.3.18, FusionInventory 0.90+1.4
  Reply