NTLM auth module for Apache/Unix

Copyright (C) 2000 Andreas Gal (gal@users.sourceforge.net)
Visit http://modntlm.sourceforge.net for code updates.

NTLM is an authentication protocol used by Microsoft Internet Information Server(tm) and Microsoft Internet Explorer(tm). While it is not really secure, it offers background authentication (the workstation logon credentials of users are passed through to the web server). This feature is widely used in intranets based on these Microsoft products.

This module implements NTLM authentication for Apache on Unix platforms. It is available free of charge under the BSD License.


The source code of mod_ntlm is available for download through the Sourceforge project page.


You have to be root to compile and install mod_ntlm.c successfully. You need a ready-to-run Apache distribution installed. Go to the source distribution directory of mod_ntlm and enter:

     make install && make restart

The Makefile uses apxs to compile and install mod_ntlm. Certain versions of apxs are known to fail under certain versions of SuSE Linux.
It works fine for me with SuSE Linux 6.3 and Solaris 2.6; no other platforms have been tested yet.

Directives in httpd.conf

These directives can be placed into a virtual directory to configure mod_ntlm:

     NTLMAuth on/off
          Enable/disable NTLM authentication.

     AuthNTGroups filename
          Restrict access by looking up users in plain text group files (see below).

     NTLMAuthoritative on/off
          Allow users who couldn't be authenticated to be handled by other authentication modules.

     NTLMDomain domain_name
          Domain users should be authenticated against.

     NTLMServer server_name or ip_addr
          Primary SMB server to authenticate users (Windows NT or Samba).

     NTLMBackup server_name or ip_addr
          Backup SMB server to authenticate users if the primary is down.

     NTLMBasicAuth on/off
          Enable/disable Basic authentication in addition to NTLM authentication. Note that setting NTLMAuth to off disables the Basic authentication of this module too.

     NTLMBasicRealm realm
          The realm to pass to the client for Basic authentication.

     Require valid-user
          Every user that is accepted by the SMB server can access this resource.

     Require user user_name
          Only the specified user(s) are allowed. Specify one or multiple users separated by spaces.

Example configuration for httpd.conf:

     AuthType NTLM
     NTLMAuth on
     NTLMAuthoritative on
     NTLMServer dc1
     NTLMBackup dc2
     Require user agal

Comments, Limitations


So far it is not possible to use group authentication with mod_ntlm, see section Limitations below. This patched version implements a first (and very basic) group authentication to use with require group directive. To achieve this I (Markus Rietzler) have "borrowed" some code from the original mod_auth.c module, which comes with apache source (see my comments /* rit, ... */ in mod_ntlm.c).

Now you can use the following configuration options:

     AuthType NTLM
     AuthNTGroups /usr/local/apache/conf/ntgroup
     NTLMAuth on
     NTLMAuthoritative on
     NTLMServer dc1
     NTLMBackup dc2
     Require group admi

The user-group-definition will be done in /usr/local/apache/conf/ntgroup (at the moment) by hand (!)

     admi: joe jane
     office: jim jeff

The authentication process will work in two steps:
  1. check the user against DC
  2. if user is authenticated via DC, check whether user is member of group admi

After successful authentication via require group, there will be a new environment variable: REMOTE_NTGROUP.

At the moment it is necessary to handle the group settings manually. With the new Samba TNG branch you can use samedit to receive all the required information (e.g. all nt-groups and all the users in one group). At the moment we are working on an automatic export of all of the nt-groups (and users) via some shell or perl script...

Tested with: apache 2.0.40 (with mod_so, mod_expire, mod_perl) under hp-ux 11.0.

Markus Rietzler,
eMail: markus.rietzler@wuppertal-navigator.de or markus.rietzler@rzf.fin-nrw.de
Oct 2000
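
The group file lookup and the two-step check described in the notes above, as an added example (not code from mod_ntlm.c or mod_auth.c). The function names, the flag standing in for the DC's answer, and whole-name, case-sensitive matching are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the "group: user user" layout shown above. */
static const char SAMPLE_NTGROUP[] = "admi: joe jane\n" "office: jim jeff\n";

/* Return 1 if `user` is listed under `group` in the group-file text, else 0.
 * Names are compared whole and case-sensitively (assumption), so "jo" does
 * not match "joe" and "adm" does not match "admi". */
static int user_in_group(const char *text, const char *user, const char *group)
{
    size_t glen = strlen(group), ulen = strlen(user);
    if (glen == 0 || ulen == 0)
        return 0;
    while (*text) {
        size_t linelen = strcspn(text, "\n");
        const char *end = text + linelen;
        /* A matching line starts with exactly "<group>:". */
        if (linelen > glen && strncmp(text, group, glen) == 0 && text[glen] == ':') {
            const char *p = text + glen + 1;
            while (p < end) {
                p += strspn(p, " \t\r");            /* skip separators */
                size_t tok = strcspn(p, " \t\r\n"); /* length of next member */
                if (tok == ulen && strncmp(p, user, ulen) == 0)
                    return 1;
                p += tok;
            }
        }
        text = end + (*end == '\n');
    }
    return 0;
}

/* Two-step decision from the text: step 1 is the DC's verdict (passed in
 * here as a flag), step 2 is the group lookup. Both must succeed. */
static int authorize(int dc_authenticated, const char *text,
                     const char *user, const char *group)
{
    return dc_authenticated && user_in_group(text, user, group);
}

int main(void)
{
    printf("joe/admi: %d\n", authorize(1, SAMPLE_NTGROUP, "joe", "admi"));
    printf("jim/admi: %d\n", authorize(1, SAMPLE_NTGROUP, "jim", "admi"));
    return 0;
}
```

Because the group file is the only source of group membership here, a lookup that matched on prefixes or substrings would grant access to the wrong accounts; the whole-token comparison avoids that.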

Bugs, missing features


Any kind of feedback is appreciated. I'm interested in bug reports but also success stories.