Configuration/Authentication Settings/Active Directory (with NTLM)

From Davical
Revision as of 07:24, 26 February 2008 by 122.216.67.155 (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

To make DAViCal authenticate from Active Directory please read Configuration/AD first.

This page takes off from where Configuration/AD leaves off. If you have completed the previous sections you are now able to use AD to authenticate your users, but the users much provide authentication credentials each time the DAViCal server is accessed. In the page we discuss how to use mod_ntlm to create an SSO environment so that the client obtains the authentication information using the NTLM protocal.

Please note that though the NTLMv3 protocal is considered fairly secure, the implementation described here is only marginally so. Consider using only within a secure environment such as a firewall protected LAN.

Please also note that doing all this may NOT be worth the effort if your client of choice does not support NTLM. At the time of writing only accessing DAViCal through the IE browser and Firefox browser have been successfully tested.

(Later testing has proven that the Lightning add-in for Thunderbird works well with NTLM authentication.)

mod_ntlm

mod_ntlm is a non-standard Apache module to allow Apache to perform NTLM authentication. The module can be obtained at the following: mod_ntlm.

The module is a bit old and will not compile according to the included instructions at the time of this writing (Feb 26, 2008).

Based on instructions found at Ntlm Authentication I was able to compile the module.

At this point let me review my environment just in case and for reference;

  • Ubuntu 7.10 Gutsy
  • Apache2.2
  • DAViCal 0.9.4
  • PostgreSQL 8.2
  • PHP5
  • mod_ntlm 2.0.1

To compile the mod_ntlm module;

1. Edit smbval/smblib.inc.c (basically remover "static" from lines 25,26 and 35)

diff -r mod_ntlm2-0.1/smbval/smblib.inc.c mod_ntlm2-0.1-fixed/smbval/smblib.inc.c
25,26c25,26
< static int SMBlib_errno;
< static int SMBlib_SMB_Error;
---
> int SMBlib_errno;
> int SMBlib_SMB_Error;
35c35
< static SMB_State_Types SMBlib_State;
---
> SMB_State_Types SMBlib_State;

2. Edit the Makefile (change mod_ntlm.so to mod_ntlm.la)

diff -r mod_ntlm2-0.1/Makefile mod_ntlm2-0.1-fixed/Makefile
20c20
<       $(APXS) -i -a -n 'ntlm' mod_ntlm.so
---
>       $(APXS) -i -a -n 'ntlm' mod_ntlm.la

3. Finally edit mod_ntlm.c

diff -r mod_ntlm2-0.1/mod_ntlm.c mod_ntlm2-0.1-fixed/mod_ntlm.c
590c590,596
<     apr_pool_sub_make(&sp,p,NULL);
---
>     /*
>      * apr_pool_sub_make(&sp,p,NULL);
>      *
>      * This function call is not longer available with apache 2.2
>      * Try replacing it with apr_pool_create_ex()
>      */
>     apr_pool_create_ex(&sp,p,NULL,NULL);

After doing these edits, the standard "make" and "make install" should run without mishap.

Apache Configuration

Now that mod_ntlm has been installed we need to configure Apache to use the module. Add the following to the file site-available/default;

AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain mydomain.com
NTLMServer dc1.mydomain.com
NTLMBackup dc2.mydomain.com
Require valid-user
Satisfy all

The above should be within the <directory> directive. Now restart your Apache Daemon.

Now your Apache web server should be running NTLM authentication. Here's a test PHP page you can try to see if it is working.

<?php
echo "You have logged in as <b>". $_SERVER['REMOTE_USER']. "";
?>

If you see the page NTLM is working, if not you should get prompted to login.

Note that if you are a Firefox user NTLM authentication is not enabled by default. To enable NTLM on Firefox;

  1. Enter "about:config" at the address bar of your Firefox browser.
  2. Type "ntlm" in the filter bar.
  3. Double click on network.automatic-ntlm-auth.trusted-uris and enter the hostname of your DAViCal server here. (just the hostname, don't add "http://")

DAViCal

Now that Apache is setup for NTLM authentication, you need to setup DAViCal to do the same. This part is actually really simple.

  1. Download the "drivers_ldap_sso.php" and "HTTPAuthSession.php" file from here.
  2. Put the files in /usr/share/rsdcs/inc/. (The HTTPAuthSession.php will replace the original one so backing it up before-hand might be prudent.)
  3. In your servername-conf.php file under /etc/davical replace the line include_once('drivers_ldap.php'); with include_once('drivers_ldap_sso.php');