"Fossies" - the Fresh Open Source Software Archive

Member "mod_ntlm2-0.1/Documentation/mod_ntlm.html" (25 Feb 2003, 6503 Bytes) of package /linux/www/apache_httpd_modules/old/mod_ntlm2-0.1.tgz:

Caution: In this restricted "Fossies" environment the current HTML page may not be correctly presentated and may have some non-functional links. You can here alternatively try to browse the pure source code or just view or download the uninterpreted raw source code. If the rendering is insufficient you may try to find and view the page on the project site itself.

NTLM auth module for Apache/Unix

NTLM is an authentication protocol used by Microsoft Internet Informations Server(tm) and Microsoft Internet Explorer(tm). While it is not really secure, it offers background authentication (the workstation logon credentials of users are passed through to the web server). This feature is widely used in intranets based on these Microsoft products.

This module is implementing NTLM authentication for Apache on Unix platforms. It is available free of charges under the BSD License.

Download

The source code of mod_ntlm is available for download through the Sourceforge project page.

Install

You have to be root to compile and install mod_ntlm.c successfully. You need a ready-to-run apache distribution installed. Go to the source distribution directory of mod_ntlm and enter:

make install && make restart

The Makefile is using apxs to compile and install mod_ntlm. Certain versions of apxs are known to fail under certain versions of SuSE Linux.
It works fine for me with SuSE Linux 6.3 and Solaris 2.6, no other platforms have been tested yet.

Directives in http.conf

This directives can be placed into a virtual directory to configure mod_ntlm:

NTLMAuth on/off	enable/disable NTLM authentication
AuthNTGroups filename	restrict access by looking up users in plain text group files (see below)
NTLMAuthoritative on/off	allow users who couldn't be authenticated to be handled by other authentication modules
NTLMDomain domain_name	Domain users should be authenticated against
NTLMServer server_name or ip_addr	Primary SMB server to authenticate users (Windows NT or Samba)
NTLMBackup server_name or ip_addr	Backup SMB server to authenticate users if primary is down
NTLMBasicAuth on/off	enable/disable Basic authentication in addition to NTLM authentication. Note that setting NTLMAuth to off disables the Basic authentication of this module too.
NTLMBasicRealm realm	The realm to pass to the client for Basic authentication.
Require valid-user	Every user that is accepted by the SMB server can access this resource
Require user user_name	Only this specific user(s) are allowed. Specify one or multiple users separated by spaces

Example configuration for httpd.conf:

     AuthType NTLM
     NTLMAuth on
     NTLMAuthoritative on
     NTLMDomain UWSPDOM
     NTLMServer dc1
     NTLMBackup dc2
     Require user agal

Comments, Limitations

Internet Explorer 3.0 (broken keepalive) is not supported, it's about time to get a new browsers. Those users should have taken their computers away for using year old software.
You can produce a problem by pressing reload fast and often. The connection is forced into reset each time, and sometimes Internet Explorer is sending a msg3 to an apache process that didn't send the msg1 yet. I'm not sure weather this is an apache or Linux or IE problem. It could be resolved by caching credentials, which is unsafe and involves neat things like file locking and mmap().

AuthNTGroups

So far it is not possible to use group authentication with mod_ntlm, see section Limitations below. This patched version implements a first (and very basic) group authentication to use with require group directive. To achieve this I (Markus Rietzler) have "borrowed" some code from the original mod_auth.c module, which comes with apache source (see my comments /* rit, ... */ in mod_ntlm.c).

Now you can use the following configuration options:

     AuthType NTLM
     AuthNTGroups /usr/local/apache/conf/ntgroup
     NTLMAuth on
     NTLMAuthoritative on
     NTLMDomain UWSPDOM
     NTLMServer dc1
     NTLMBackup dc2
     Require group admi

The user-group-definition will be done in /usr/local/apache/conf/ntgroup (at the moment) by hand (!)

     admi: joe jane
     office: jim jeff

The authentication process will work in two steps:

check the user against DC
if user is authenticated via DC, check whether user is member of group admi

After successful authentication via require group, there will be a new environment variable: REMOTE_NTGROUP.

At the moment it is necessary to handle the group settings manually. With the new Samba TNG branch you can use samedit to receive all the required information (e.g. all nt-groups and all the users in one group). At the moment we are working on an automatic export of all of the nt-groups (and users) via some shell or perl script...

Tested with: apache 2.0.40 (with mod_so, mod_expire, mod_perl) under hp-ux 11.0.

Markus Rietzler,
eMail: markus.rietzler@wuppertal-navigator.de or markus.rietzler@rzf.fin-nrw.de
Oct 2000

Bugs, missing features

not enough tested
autoconf has to be done
test on more platforms
figure out how to fetch user groups from the DC (well, wait untill SAMBA_TNG is able to do that and then borrow the code)

Feedback

Any kind of feedback is appreciated. I'm interessted in bug reports but also success stories.