NTLM auth module for Apache/Unix

Copyright (C) 2000 Andreas Gal (gal@users.sourceforge.net)
Visit http://modntlm.sourceforge.net for code updates.

NTLM is an authentication protocol used by Microsoft Internet Information Server(tm) and Microsoft Internet Explorer(tm). While it is not really secure, it offers background authentication (the workstation logon credentials of users are passed through to the web server). This feature is widely used in intranets based on these Microsoft products.

This module implements NTLM authentication for Apache on Unix platforms. It is available free of charge under the BSD License.

Update April 2007 by Michael Baltaks

There are two options for NTLM authentication in Apache without using Windows (if you're using Windows, mod_auth_sspi is what you need).

The first option is this Apache module, mod_ntlm, with source code for Apache 1.x and Apache 2.x. The source code is kept in Subversion, so run

svn co https://modntlm.svn.sourceforge.net/svnroot/modntlm/trunk
to get it. This includes the improvements from http://modntlm.jamiekerwick.co.uk/ as well as a patch to support reverse proxy mode. This module has no other dependencies, but it doesn't support groups or NTLMv2, which is by default the only NTLM allowed in Windows Vista (you can change that setting).

The second option is mod_auth_ntlm_winbind, which requires a working winbindd (get some help with winbind). The benefits of bothering to configure winbind are group support and NTLMv2 support. Read about it at http://adldap.sourceforge.net/mod_auth_ntlm_winbind.php.

Download

The source code of mod_ntlm is available for download through the Sourceforge project page.

Install

You have to be root to compile and install mod_ntlm.c successfully. You need a ready-to-run apache distribution installed. Go to the source distribution directory of mod_ntlm and enter:

make install && make restart

The Makefile uses apxs to compile and install mod_ntlm. Certain versions of apxs are known to fail under certain versions of SuSE Linux.
It works fine for me with SuSE Linux 6.3 and Solaris 2.6; no other platforms have been tested yet.

Directives in httpd.conf

These directives can be placed into a virtual directory to configure mod_ntlm:

NTLMAuth on|off
    Enable or disable NTLM authentication.
NTLMAuthoritative on|off
    Allow users who could not be authenticated to be handled by other authentication modules.
NTLMDomain domain_name
    Domain that users should be authenticated against.
NTLMServer server_name|ip_addr
    Primary SMB server used to authenticate users (Windows NT or Samba).
NTLMBackup server_name|ip_addr
    Backup SMB server used to authenticate users if the primary is down.
Require valid-user
    Every user accepted by the SMB server can access this resource.
Require user user_name [user_name ...]
    Only the listed user(s) are allowed. Specify one or more users separated by spaces.

Example configuration for httpd.conf:

     AuthType NTLM
     NTLMAuth on
     NTLMAuthoritative on
     NTLMDomain UWSPDOM
     NTLMServer dc1
     NTLMBackup dc2
     Require user agal
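As an added example (not code from mod_ntlm or its authors), here is a small Python check that parses an httpd.conf block and verifies that the directives listed above are consistent with each other: NTLMAuth on needs AuthType NTLM, an NTLMDomain, an NTLMServer and a Require line, a missing NTLMBackup is reported, and NTLMAuthoritative off is flagged on the assumption (the usual Apache convention) that it lets other authentication modules handle users mod_ntlm rejects. The argument shapes and the two sample blocks are constructed for this check.

```python
# Added example, not code from mod_ntlm: a consistency check for the mod_ntlm
# directives documented above. Argument shapes are assumptions for this check.
def parse_directives(text):
    """Return (name, [args]) pairs, skipping blank lines and # comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def _last(seen, name, default):
    """Lowercased first argument of the last occurrence of a directive."""
    args = seen.get(name, [[default]])[-1]
    return args[0].lower() if args else default

def check_ntlm_config(text):
    """Return a list of findings; an empty list means the block is consistent."""
    findings, seen = [], {}
    for name, args in parse_directives(text):
        if name in ("NTLMAuth", "NTLMAuthoritative"):
            if [a.lower() for a in args] not in (["on"], ["off"]):
                findings.append(f"{name} takes exactly one argument: on or off")
        seen.setdefault(name, []).append(args)
    if _last(seen, "NTLMAuth", "off") != "on":
        return findings  # NTLM disabled in this block; nothing more to check
    if _last(seen, "AuthType", "") != "ntlm":
        findings.append("NTLMAuth on but AuthType is not NTLM")
    for d in ("NTLMDomain", "NTLMServer"):
        if d not in seen:
            findings.append(f"missing {d}: no domain or SMB server to check users against")
    if "NTLMBackup" not in seen:
        findings.append("no NTLMBackup: authentication fails when the primary is down")
    if "Require" not in seen:
        findings.append("no Require line: no user is granted access")
    if _last(seen, "NTLMAuthoritative", "on") == "off":
        findings.append("NTLMAuthoritative off: users mod_ntlm rejects fall through to other auth modules")
    return findings

# Constructed sample blocks (not from the page): one complete, one weak.
GOOD = "\n".join(["AuthType NTLM", "NTLMAuth on", "NTLMAuthoritative on",
                  "NTLMDomain EXAMPLEDOM", "NTLMServer dc1", "NTLMBackup dc2",
                  "Require user alice bob"])
WEAK = "\n".join(["AuthType Basic", "NTLMAuth on", "NTLMAuthoritative off",
                  "NTLMServer dc1", "Require valid-user"])
```

Running check_ntlm_config(GOOD) returns an empty list, while check_ntlm_config(WEAK) reports the wrong AuthType, the missing NTLMDomain and NTLMBackup, and the non-authoritative setting.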

Comments, Limitations

  • Basic authentication against an SMB server is not supported. There are enough modules that do this, and you need https to make it safe.
  • Internet Explorer 3.0 (broken keepalive) is not supported; it's about time to get a new browser. Those users should have their computers taken away for using years-old software.
  • You can provoke a problem by pressing reload quickly and often. The connection is forced into reset each time, and sometimes Internet Explorer sends a msg3 to an Apache process that hasn't sent the msg1 yet. I'm not sure whether this is an Apache, Linux or IE problem. It could be resolved by caching credentials, which is unsafe and involves neat things like file locking and mmap().

Bugs, missing features

  • not enough tested
  • association of per-connection information with r->connection is wrong this way, but it isn't better supported in Apache 1.3.9. Let's look at 2.0; maybe there is a per-connection config?
  • autoconf has to be done
  • test on more platforms
  • figure out how to fetch user groups from the DC (well, wait until SAMBA_TNG is able to do that and then borrow the code)

Feedback

Any kind of feedback is appreciated. I'm interested in bug reports but also success stories.