How to NTLM with Apache

how-to-ntlm-with-apache.md

How to NTLM with Apache

Author: Josef Jezek

Mod Auth with Winbind

• Linux joined to win domain
• https://gist.github.com/9050408

Install on Ubuntu 12.04

sudo apt-get update
sudo apt-get install libapache2-mod-python python-crypto git

git clone git://github.com/Legrandin/PyAuthenNTLM2.git
cd PyAuthenNTLM2
sudo python setup.py install -f

Setup

Apache

<Directory /var/www/wordpress>

   AuthType NTLM
   AuthName WDOMAIN
   require valid-user

   PythonAuthenHandler pyntlm
   PythonOption Domain WDOMAIN
   PythonOption PDC 192.1.2.45
   PythonOption BDC 192.1.2.46

   # Bypass authentication for local clients.
   # Comment these lines if they should authenticate too.
   Order deny,allow
   Deny  from all
   Allow from 127.0.0.1
   Satify any

</Directory>

WordPress

• http://css.dzone.com/news/wordpress-auto-sign-iis7-and
• see below for my plugin

DokuWiki

• https://www.dokuwiki.org/auth:ntlm

Drupal

• https://drupal.org/project/webserver_auth

Client configuring

According to your environment, you may need to configure your client to make NTLM authentication work.

Internet Explorer

• Open "Tools" -> "Internet Options".
• On the "Advanced" tab make sure the option "Security -> Enable Integrated Windows Authentication" is checked.
• Only for FQDN ex. http://intranet.domain.com (http://intranet is ok)
• On the "Security" tab select "Local Intranet" -> "Sites" -> "Advanced" and add your server URL to the list.

Google Chrome

• On Windows Chrome normally uses IE's behaviour, see more information here.

Mozilla Firefox

• Type about:config in the browser's address bar.
• Add your server URL to network.automatic-ntlm-auth.trusted-uris property.

Issues

• Legrandin/PyAuthenNTLM2#12
• sudo vi /usr/local/lib/python2.7/dist-packages/pyntlm.py

Resources

• https://github.com/Legrandin/PyAuthenNTLM2
• http://stackoverflow.com/questions/11736544/apache2-php-create-automatic-ntlm-login-page

wordpress-ntlm-auth.php

<?php
/*
Plugin Name: NTLM Authentication - IIS or Apache
Plugin URI: https://gist.github.com/josefjezek/5748211
Description: This plugin allows WordPress to use any NTLM authentication method for authentication instead of only the built-in WordPress forms-based authentication method. Ensure Windows Authentication is enabled in IIS.
Version: 1.0
Author: Josef Jezek
Author URI: http://about.me/josefjezek
*/

add_action('init', 'ntlm_auth_auto_login');
add_action('login_form', 'ntlm_auth_wp_login_form');

/**
* Check if the user is browsing from the internal network
* 
* @return boolean
*/
function ntlm_auth_is_lan_user() {
  // Is it a user from the internal LAN?
  $remoteAddress = $_SERVER['REMOTE_ADDR'];	
  return (substr($remoteAddress, 0, 8) === '192.168.' || substr($remoteAddress, 0, 3) === '10.');
}

/**
* Check if a request is xmlrpc call
* 
* @return boolean
*/
function ntlm_auth_is_xmlrpc() {
  // Is it a request from xmlrpc?
  $uri = $_SERVER['REQUEST_URI'];	
  // return (false !== strpos($uri, 'xmlrpc.php'));
  return ($uri == '/xmlrpc.php');
}

/**
* Auto-login if the user is known
*/
function ntlm_auth_auto_login() {
  if (!is_user_logged_in() && ntlm_auth_is_lan_user() && !ntlm_auth_is_xmlrpc()) {
    ntlm_auth_wp_login_form();
  }
}

/**
* Add Windows Authentication to wp-login.php
*
* @action: login_form
**/
function ntlm_auth_wp_login_form() {
  // Checks if NTLM provided a user or a user is from the internal LAN, and if not,
  // rejects the request with 401 so that it can be authenticated
  if (empty($_SERVER["REMOTE_USER"]) || !ntlm_auth_is_lan_user()) {
    nocache_headers();
    header("HTTP/1.1 401 Unauthorized");
    ob_clean();
    exit();
  } else {
    if (function_exists('get_user_by')) {
      // For IIS or Apache + module
      //$username = strtolower(substr($_SERVER['REMOTE_USER'], strrpos($_SERVER['REMOTE_USER'], '\\')+1));
      // For Apache + python script
      $username = strtolower(substr($_SERVER['REMOTE_USER'], strrpos($_SERVER['REMOTE_USER'], '\\')));
      $user = get_user_by('login', $username);
      // print_r($username);
      // print_r($user);
      
      if ($user && $username == $user->user_login) {
        do_action('wp_login', $user->user_login);
        wp_set_current_user($user->ID);
        
        // Remember for 14 days, default is 2 days
        $remember = true;
        wp_set_auth_cookie($user->ID, $remember);
        
        //$redirect_to = user_admin_url();
        $redirect_to = home_url();
        if (isset($_GET['redirect_to'])) {
          $redirect_to = $_GET['redirect_to'];
        }
        wp_safe_redirect($redirect_to);
        
        exit();
      }
    }
  }
}
?>