Configuration/Authentication Settings/Active Directory (with NTLM)

From Davical
Jump to: navigation, search

To make DAViCal authenticate from Active Directory please read Active Directory first.

This page takes off from where Active Directory leaves off. If you have completed the previous sections you are now able to use AD to authenticate your users, but the users much provide authentication credentials each time the DAViCal server is accessed. In the page we discuss how to use mod_ntlm to create an SSO environment so that the client obtains the authentication information using the NTLM protocal.

Please note that though the NTLMv3 protocol is considered fairly secure, the implementation described here is only marginally so. Consider using only within a secure environment such as a firewall protected LAN.

Please also note that doing all this may NOT be worth the effort if your client of choice does not support NTLM.

At the time of writing (Feb 26, 2008) the following have been confirmed to work;

  • IE6
  • Firefox2 (See the end of Apache Configuration below for how to get NTLM working on Firefox)
  • Lightning0.7 (Calendar Add-in for Thunderbird)


mod_ntlm

mod_ntlm is a non-standard Apache module to allow Apache to perform NTLM authentication. The module can be obtained at the following: mod_ntlm.

The module is a bit old and will not compile according to the included instructions at the time of this writing (Feb 26, 2008).

Based on instructions found at Ntlm Authentication I was able to compile the module.

At this point let me review my environment just in case and for reference;

  • Ubuntu 7.10 Gutsy
  • Apache2.2
  • DAViCal 0.9.4
  • PostgreSQL 8.2
  • PHP5
  • mod_ntlm 2.0.1

To compile the mod_ntlm module;

1. Edit smbval/smblib.inc.c (basically remover "static" from lines 25,26 and 35)

diff -r mod_ntlm2-0.1/smbval/smblib.inc.c mod_ntlm2-0.1-fixed/smbval/smblib.inc.c
25,26c25,26
< static int SMBlib_errno;
< static int SMBlib_SMB_Error;
---
> int SMBlib_errno;
> int SMBlib_SMB_Error;
35c35
< static SMB_State_Types SMBlib_State;
---
> SMB_State_Types SMBlib_State;

2. Edit the Makefile (change mod_ntlm.so to mod_ntlm.la)

diff -r mod_ntlm2-0.1/Makefile mod_ntlm2-0.1-fixed/Makefile
20c20
<       $(APXS) -i -a -n 'ntlm' mod_ntlm.so
---
>       $(APXS) -i -a -n 'ntlm' mod_ntlm.la

3. Finally edit mod_ntlm.c

diff -r mod_ntlm2-0.1/mod_ntlm.c mod_ntlm2-0.1-fixed/mod_ntlm.c
590c590,596
<     apr_pool_sub_make(&sp,p,NULL);
---
>     /*
>      * apr_pool_sub_make(&sp,p,NULL);
>      *
>      * This function call is not longer available with apache 2.2
>      * Try replacing it with apr_pool_create_ex()
>      */
>     apr_pool_create_ex(&sp,p,NULL,NULL);

After doing these edits, the standard "make" and "make install" should run without mishap.

Apache Configuration

Now that mod_ntlm has been installed we need to configure Apache to use the module. Add the following to the file site-available/default;

AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain mydomain.com
NTLMServer dc1.mydomain.com
NTLMBackup dc2.mydomain.com
Require valid-user
Satisfy all

The above should be within the <directory> directive. Now restart your Apache Daemon.

Now your Apache web server should be running NTLM authentication. Here's a test PHP page you can try to see if it is working.

<?php
echo "You have logged in as <b>". $_SERVER['REMOTE_USER']. "</b>";
?>

If you see the page NTLM is working, if not you should get prompted to login.

Note that if you are a Firefox user NTLM authentication is not enabled by default. To enable NTLM on Firefox;

  1. Enter "about:config" at the address bar of your Firefox browser.
  2. Type "ntlm" in the filter bar.
  3. Double click on network.automatic-ntlm-auth.trusted-uris and enter the hostname of your DAViCal server here. (just the hostname, don't add "http://")

DAViCal

Now that Apache is setup for NTLM authentication, you need to setup DAViCal to do the same. This part is actually really simple.

  1. In your servername-conf.php file under /etc/davical, make sure you have the line include_once('drivers_ldap.php');
  2. In the same place, set $c->authenticate_hook['config']['i_use_mode_kerberos'] = "i_know_what_i_am_doing"; to have the ldap driver accept a REMOTE_USER from the webserver without trying to check a password.