NTLM auth module for Apache/Unix
Copyright (C) 2000 Andreas Gal (gal@users.sourceforge.net)
Visit http://modntlm.sourceforge.net for code updates.
 
NTLM is an authentication protocol used by Microsoft Internet Information
Server(tm) and Microsoft Internet Explorer(tm).
While it is not really secure, it offers background authentication (the
workstation logon credentials of users are passed through to the web
server). This feature is widely used in intranets based on these
Microsoft products.
 
 
This module implements NTLM authentication for Apache on Unix platforms.
It is available free of charge under the BSD License.
 
Update April 2007 by Michael Baltaks
 
There are two options for NTLM authentication in Apache without using Windows
(If you're using Windows, 
mod_auth_sspi is what you need).
 
The first option is this apache module, mod_ntlm, with source code for
apache 1.x and apache 2.x. The source code is kept in Subversion, so try
svn co https://modntlm.svn.sourceforge.net/svnroot/modntlm/trunk to get
it. This includes the improvements from
http://modntlm.jamiekerwick.co.uk/ as well as a patch to support reverse
proxy mode. This module has no other dependencies, but doesn't support
groups or NTLMv2, which is by default the only NTLM allowed in Windows Vista
(you can change that setting).

The second option is mod_auth_ntlm_winbind, which requires a working
winbindd (get some help with winbind). The benefits of bothering to
configure winbind are group support and NTLMv2 support. Read about it at
http://adldap.sourceforge.net/mod_auth_ntlm_winbind.php.
Download

The source code of mod_ntlm is available for download through the
Sourceforge project page.

Install

You have to be root to compile and install mod_ntlm.c successfully. You
need a ready-to-run apache distribution installed. Go to the source
distribution directory of mod_ntlm and enter:

make install && make restart

The Makefile is using apxs to compile and install mod_ntlm. Certain
versions of apxs are known to fail under certain versions of SuSE Linux.
It works fine for me with SuSE Linux 6.3 and Solaris 2.6; no other
platforms have been tested yet.
Directives in httpd.conf

These directives can be placed into a virtual directory to
configure mod_ntlm:

| Directive | Meaning |
| NTLMAuth on/off | enable/disable NTLM authentication |
| NTLMAuthoritative on/off | allow users who couldn't be authenticated to be handled by other authentication modules |
| NTLMDomain domain_name | Domain users should be authenticated against |
| NTLMServer server_name or ip_addr | Primary SMB server to authenticate users (Windows NT or Samba) |
| NTLMBackup server_name or ip_addr | Backup SMB server to authenticate users if primary is down |
| Require valid-user | Every user that is accepted by the SMB server can access this resource |
| Require user user_name | Only this specific user(s) are allowed. Specify one or multiple users separated by spaces |
Example configuration for httpd.conf:
 
     AuthType NTLM
     NTLMAuth on
     NTLMAuthoritative on
     NTLMDomain UWSPDOM
     NTLMServer dc1
     NTLMBackup dc2
     Require user agal
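The handshake that AuthType NTLM runs over a kept-alive connection (msg1 negotiate from the browser, msg2 challenge from the server, msg3 authenticate back) is why the module has to keep per-connection state; see the reload race under Comments, Limitations below. As an added example, not code from mod_ntlm, here is a Python sketch that reads the NTLM message type out of an Authorization header and rejects a msg3 arriving on a connection that was never sent a challenge; the header values are constructed samples and the returned action strings are placeholders for what the module would do.

```python
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # 8-byte signature at the start of every NTLM message


def ntlm_message_type(authorization_header):
    """MessageType (1 = msg1 negotiate, 2 = msg2 challenge, 3 = msg3 authenticate)
    from an 'Authorization: NTLM <base64>' value, or None if not a valid NTLM token."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # MessageType is little-endian at offset 8


class NtlmConnectionState:
    """Per-connection handshake tracker: a msg3 is only acceptable on the
    connection that already sent msg1 and received the msg2 challenge."""

    def __init__(self):
        self.challenge_sent = False

    def handle(self, authorization_header):
        mtype = ntlm_message_type(authorization_header)
        if mtype == 1:
            self.challenge_sent = True  # server would now reply with the msg2 challenge
            return "send-challenge"
        if mtype == 3:
            if not self.challenge_sent:
                return "reject-out-of-order"  # the reload race: msg3 without our msg1/msg2
            self.challenge_sent = False  # a challenge is single-use
            return "verify-with-smb-server"
        return "reject-not-ntlm"


def sample_header(message_type):
    """Constructed minimal NTLM token: signature, MessageType, zero-filled fields."""
    body = NTLMSSP_SIGNATURE + struct.pack("<I", message_type) + bytes(24)
    return "NTLM " + base64.b64encode(body).decode("ascii")


MSG1_HEADER = sample_header(1)  # constructed sample Authorization values, not real captures
MSG3_HEADER = sample_header(3)
```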
Comments, Limitations

Basic authentication against SMB server is not supported. There are
enough modules that do this and you need https to make it safe.

Internet Explorer 3.0 (broken keepalive) is not supported; it's about time
to get a new browser. Those users should have their computers taken away
for using year-old software.

You can produce a problem by pressing reload fast and often. The connection
is forced into reset each time, and sometimes Internet Explorer
sends a msg3 to an apache process that didn't send the msg1 yet.
I'm not sure whether this is an apache or Linux or IE problem. It
could be resolved by caching credentials, which is unsafe and involves
neat things like file locking and mmap().

Bugs, missing features
- not enough tested
- association of per-connection based information to r->connection is
  wrong this way, but not better supported in Apache 1.3.9. Let's look
  at 2.0, maybe there is a per-connection config?
- autoconf has to be done
- test on more platforms
- figure out how to fetch user groups from the DC (well, wait until
  SAMBA_TNG is able to do that and then borrow the code)

Feedback

Any kind of feedback is appreciated. I'm interested in bug reports
but also success stories.