I would like to retrieve a windows username and some group memberships transparently via php. I've been looking at mod_auth_ntlm and it looks like it might do the trick, but I don't have enough experience with that module to make a good decision about the direction that I should go.
Server: debian linux w/ apache
Clients: windows XP w/ IE
LAN: corporate Intranet
All I want to do is grab the windows username and then do a look up to see if they are in a group that has access.
Any suggestions?
NTLM w/ PHP
Solved
Not sure if anybody cares, but I did get this to work.
Here's how:
** Note: If you want Firefox to login transparently, you must add the full URL to your RT instance to the "network.automatic-ntlm-auth.trusted-uris" option in "about:config"
- This was done by using mod_auth_ntlm compiled as a dynamic module and linked in to apache.
- NTLM contains a configuration file that is located at /etc/apache-ssl/conf.d/ntlm.conf and contains the following entries which force the root (/) transparent auth:
<Location / >
AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain MYDOMAIN
NTLMServer server1
NTLMBackup server2
Require valid-user
</Location>
Conf.d is included at the bottom of httpd.conf on debian distros.
modules.conf has the following line:
“LoadModule ntlm_module /usr/lib/apache/1.3/mod_ntlm.so”
Because the distro is debian and under VMWare, several changes had to be made for this all to work:
1. VMTools had to be manually installed.
a. This required GCC to be downgraded to ver. 3.3.5 and symlinked over top of the normal gcc compiler (ln -s /usr/bin/gcc-3.3 /usr/bin/gcc)
b. The kernel source headers needed to be recompiled and sym linked so that vmtools would work (ln -s kernel-source-2.6.8 linux)
c. ASM required an alias as well: (ln -s asm-i386 asm)
2. Once that was fixed, mod_auth_NTLM was able to be compiled from these resources: http://modntlm.jamiekerwick.co.uk/ [ref: http://builder.com.com/5100-6387_14-5032010.html, ref: http://twiki.org/cgi-bin/view/Codev/Tra ... entication]
This is pretty cool; I essentially open a browser and point it at the server and it logs me in. I don't get prompted for credentials if I have already logged into the domain via windows. If I am not on the domain then I get prompted for credentials. I am now using LDAP queries to check group memberships to see who has access.
It sure is nice being able to code in PHP in a linux environment while the rest of the organization can continue to support it via the existing AD structure.
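Added example (not part of the original post, and not the poster's code): one way to do the LDAP group check described above from PHP, taking the username that Apache exposes as $_SERVER['REMOTE_USER'] after mod_ntlm authenticates the request. It needs PHP's ldap extension; the base DN, group DN, bind account and the use of server1 as the LDAP host are assumptions, and the demo at the bottom runs on constructed data without contacting a directory.

```php
<?php
// Added example, not the poster's code. DNs, bind account and LDAP host are assumptions.
const EXPECTED_DOMAIN  = 'MYDOMAIN';   // NTLMDomain from ntlm.conf
const BASE_DN          = 'DC=mydomain,DC=example';                       // hypothetical
const ALLOWED_GROUP_DN = 'CN=WebApp Users,OU=Groups,DC=mydomain,DC=example'; // hypothetical

// Accept "MYDOMAIN\jdoe" or bare "jdoe"; reject other domains and odd characters.
function parse_remote_user(string $remoteUser): ?string {
    $parts  = explode('\\', $remoteUser, 2);
    $user   = array_pop($parts);
    $domain = $parts[0] ?? EXPECTED_DOMAIN;
    if (strcasecmp($domain, EXPECTED_DOMAIN) !== 0) return null;
    // Conservative allowlist (assumption); widen it if your account names need more.
    return preg_match('/^[A-Za-z0-9._-]{1,20}$/', $user) ? $user : null;
}

// ldap_escape() neutralises filter metacharacters such as * ( ) and \.
function build_filter(string $user): string {
    return '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
}

// $entries has the shape ldap_get_entries() returns; anything but one match is denied.
function is_member(array $entries, string $groupDn): bool {
    if (($entries['count'] ?? 0) !== 1) return false;
    $groups = $entries[0]['memberof'] ?? [];
    unset($groups['count']);
    foreach ($groups as $dn) {
        if (strcasecmp($dn, $groupDn) === 0) return true;
    }
    return false;
}

// Live lookup; use ldaps:// or StartTLS so the bind password is not sent in clear.
function lookup(string $user, string $bindDn, string $bindPw): array {
    $ds = ldap_connect('ldaps://server1');   // assumes the NTLMServer host also serves LDAP
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ds, $bindDn, $bindPw)) return ['count' => 0];
    $res = ldap_search($ds, BASE_DN, build_filter($user), ['memberOf']);
    return $res ? ldap_get_entries($ds, $res) : ['count' => 0];
}

// Offline demo: constructed REMOTE_USER values and a constructed directory entry.
$sample = ['count' => 1, 0 => ['memberof' => ['count' => 1, 0 => ALLOWED_GROUP_DN]]];
$user   = parse_remote_user('MYDOMAIN\\jdoe');
var_dump($user, build_filter($user), is_member($sample, ALLOWED_GROUP_DN));
var_dump(parse_remote_user('OTHER\\jdoe'), parse_remote_user('jdoe)(cn=*'));
```

memberOf lists only direct memberships, so users who reach the group through a nested group or as their primary group will not match this check.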