@JosefJezek
Last active July 27, 2021 02:42
How to NTLM with Apache


Author: Josef Jezek

Mod Auth with Winbind

Install on Ubuntu 12.04

sudo apt-get update
sudo apt-get install libapache2-mod-python python-crypto git

git clone https://github.com/Legrandin/PyAuthenNTLM2.git
cd PyAuthenNTLM2
sudo python setup.py install -f

Setup

Apache

<Directory /var/www/wordpress>

   AuthType NTLM
   AuthName WDOMAIN
   require valid-user

   PythonAuthenHandler pyntlm
   PythonOption Domain WDOMAIN
   PythonOption PDC 192.1.2.45
   PythonOption BDC 192.1.2.46

   # Bypass authentication for local clients.
   # Comment these lines if they should authenticate too.
   Order deny,allow
   Deny  from all
   Allow from 127.0.0.1
   Satisfy any

</Directory>

WordPress

DokuWiki

Drupal

Client configuration

Depending on your environment, you may need to configure your client for NTLM authentication to work.

Internet Explorer

  • Open "Tools" -> "Internet Options".
  • On the "Advanced" tab make sure the option "Security -> Enable Integrated Windows Authentication" is checked.
  • Only for an FQDN, e.g. http://intranet.domain.com (http://intranet is OK):
  • On the "Security" tab select "Local Intranet" -> "Sites" -> "Advanced" and add your server URL to the list.

Google Chrome

  • On Windows, Chrome normally uses IE's behaviour; see more information here.

Mozilla Firefox

Issues

Resources

<?php
/*
Plugin Name: NTLM Authentication - IIS or Apache
Plugin URI: https://gist.github.com/josefjezek/5748211
Description: This plugin allows WordPress to use any NTLM authentication method for authentication instead of only the built-in WordPress forms-based authentication method. Ensure Windows Authentication is enabled in IIS.
Version: 1.0
Author: Josef Jezek
Author URI: http://about.me/josefjezek
*/

add_action('init', 'ntlm_auth_auto_login');
add_action('login_form', 'ntlm_auth_wp_login_form');

/**
 * Check if the user is browsing from the internal network
 *
 * @return boolean
 */
function ntlm_auth_is_lan_user() {
    // Is it a user from the internal LAN?
    // Only 192.168.0.0/16 and 10.0.0.0/8 are treated as internal here.
    $remoteAddress = $_SERVER['REMOTE_ADDR'];
    return (substr($remoteAddress, 0, 8) === '192.168.' || substr($remoteAddress, 0, 3) === '10.');
}

/**
 * Check if a request is an xmlrpc call
 *
 * @return boolean
 */
function ntlm_auth_is_xmlrpc() {
    // Is it a request from xmlrpc?
    $uri = $_SERVER['REQUEST_URI'];
    // return (false !== strpos($uri, 'xmlrpc.php'));
    return ($uri == '/xmlrpc.php');
}

/**
 * Auto-login if the user is known
 */
function ntlm_auth_auto_login() {
    if (!is_user_logged_in() && ntlm_auth_is_lan_user() && !ntlm_auth_is_xmlrpc()) {
        ntlm_auth_wp_login_form();
    }
}

/**
 * Add Windows Authentication to wp-login.php
 *
 * @action: login_form
 **/
function ntlm_auth_wp_login_form() {
    // Requires both an NTLM-provided user and a client on the internal LAN;
    // otherwise rejects the request with 401 so that it can be authenticated
    if (empty($_SERVER["REMOTE_USER"]) || !ntlm_auth_is_lan_user()) {
        nocache_headers();
        header("HTTP/1.1 401 Unauthorized");
        ob_clean();
        exit();
    } else {
        if (function_exists('get_user_by')) {
            // For IIS or Apache + module
            //$username = strtolower(substr($_SERVER['REMOTE_USER'], strrpos($_SERVER['REMOTE_USER'], '\\')+1));
            // For Apache + python script
            $username = strtolower(substr($_SERVER['REMOTE_USER'], strrpos($_SERVER['REMOTE_USER'], '\\')));
            $user = get_user_by('login', $username);
            // print_r($username);
            // print_r($user);
            if ($user && $username == $user->user_login) {
                // WordPress core passes the WP_User object as the second argument of wp_login
                do_action('wp_login', $user->user_login, $user);
                wp_set_current_user($user->ID);
                // Remember for 14 days, default is 2 days
                $remember = true;
                wp_set_auth_cookie($user->ID, $remember);
                //$redirect_to = user_admin_url();
                $redirect_to = home_url();
                if (isset($_GET['redirect_to'])) {
                    // wp_safe_redirect() below only follows this to allowed hosts
                    $redirect_to = $_GET['redirect_to'];
                }
                wp_safe_redirect($redirect_to);
                exit();
            }
        }
    }
}
?>
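An added example, not part of the original gist: a CIDR-based variant of the plugin's LAN check that also covers 172.16.0.0/12, and a REMOTE_USER normalizer that works whether or not the value carries a `DOMAIN\` prefix and can pin the expected Windows domain. The `example_*` function names, the allowed-character pattern and the sample values are assumptions made for illustration.

```php
<?php
// Added example; helper names are hypothetical and not part of the plugin.

// True if IPv4 address $ip lies inside $cidr, e.g. '172.16.0.0/12'.
function example_ip_in_cidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // not dotted-quad IPv4 (IPv6 included), or a bad prefix length
    }
    $mask = -1 << (32 - $bits); // network bits set, host bits cleared
    return ($ipLong & $mask) === ($netLong & $mask);
}

// LAN test over all three RFC 1918 ranges (edit the list to match your network).
function example_is_lan_user($remoteAddr) {
    foreach (array('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') as $cidr) {
        if (example_ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Reduce REMOTE_USER to a bare login, or return null if it should not be mapped.
// Handles 'DOMAIN\user' and plain 'user'; $expectedDomain pins the Windows domain.
function example_normalize_remote_user($remoteUser, $expectedDomain = null) {
    $name = trim((string) $remoteUser);
    $pos  = strrpos($name, '\\');
    if ($pos !== false) {
        $domain = substr($name, 0, $pos);
        if ($expectedDomain !== null && strcasecmp($domain, $expectedDomain) !== 0) {
            return null; // authenticated in a domain this site does not map
        }
        $name = substr($name, $pos + 1); // drop 'DOMAIN\' including the backslash
    }
    $name = strtolower($name);
    // Assumption: site logins use only these characters (WordPress caps logins at 60).
    return preg_match('/^[a-z0-9._-]{1,60}\z/', $name) ? $name : null;
}

// Constructed sample values.
var_dump(example_is_lan_user('172.20.1.5'));
var_dump(example_is_lan_user('172.32.0.1'));
var_dump(example_normalize_remote_user('WDOMAIN\\JDoe', 'WDOMAIN'));
var_dump(example_normalize_remote_user('OTHER\\jdoe', 'WDOMAIN'));
```

Both checks depend on the web server enforcing NTLM before PHP runs: with the `Satisfy any` bypass in the Apache block, loopback requests reach the plugin with no REMOTE_USER at all.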