Apache-AuthenNTLM
view release on metacpan or search on metacpan
AuthenNTLM.pm view on Meta::CPAN
The main advantage of the Perl implementation is, that it can be easily extended
to verify the user/password against other sources than a windows domain controller.
The defaultf implementation is to go to the domain controller for the given domain
and verify the user. If you want to verify the user against another source, you
can inherit from Apache::AuthenNTLM and override it's methods.
To support users that aren't using Internet Explorer, Apache::AuthenNTLM can
also perform basic authentication depending on its configuration.
B<IMPORTANT:> NTLM authentification works only when KeepAlive is on. (If you have set ntlmdebug 2, and see that there is no return message (type 3), check your httpd.conf file for "KeepAlive Off". If KeepAlive Off, then change it to KeepAlive On, re...
=head1 CONFIGURATION
=head2 AuthType
Set the type of authentication. Can be either "basic", "ntlm"
or "ntlm,basic" for doing both.
=head2 AuthName
Set the realm for basic authentication
=head2 require valid-user
Necessary to tell Apache to require user authentication at all. Can also
used to allow only some users, e.g.
require user foo bar
Note that Apache::AuthenNTLM does not perform any authorization, if
the require xxx is executed by Apache itself. Alternatively you can
use another (Perl-)module to perform authorization.
=head2 PerlAddVar ntdomain "domain pdc bdc"
This is used to create a mapping between a domain and both a pdc and bdc for
that domain. Domain, pdc and bdc must be separated by a space. You can
specify mappings for more than one domain.
NOTE FOR WINDOWS ACTIVE DIRECTORY USERS: You must specify the DOMAIN for
the pdc and/or bdc. Windows smb servers will not accept ip address in dotted
quad form. For example, the SPEEVES domain pdc has an ip address of 192.168.0.2.
If you enter the ntdomain as:
PerlAddVar ntdomain 192.168.0.2
Then you will never be able be able to authenticate to the remote server correctly,
and you will receive a "Can not get NONCE" error in the error_log. You must
specify it as:
PerlAddVar ntdomain SPEEVES
This means that you will need to resolve the DOMAIN locally on the web server
machine. I put it into the /etc/hosts file.
For the complete run-down on this issue, check out:
http://www.gossamer-threads.com/archive/mod_perl_C1/modperl_F7/%5BFwd:_Re:_Apache::AuthenNTLM-2.04_Problems..%5D_P104237/
=head2 PerlSetVar defaultdomain
Set the default domain. This is used when the client does not provide
any information about the domain.
=head2 PerlSetVar fallbackdomain
fallbackdomain is used in cases where the domain that the user supplied
isn't configured. This is useful in environments where you have a lot of
domains, which trust each other, allowing you to always authenticate against
a single domain, (removing the need to configure all domains available in
your network).
=head2 PerlSetVar ntlmauthoritative
Setting the ntlmauthoritative directive explicitly to 'off' allows authentication
to be passed on to lower level modules if AuthenNTLM cannot authenticate the user
and the NTLM authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the user and,
if it fails, will give an Authorization Required reply.
=head2 PerlSetVar basicauthoritative
Setting the ntlmauthoritative directive explicitly to 'off' allows authentication
to be passed on to lower level modules if AuthenNTLM cannot authenticate the user
and the Basic authentication scheme is used.
If set to 'on', which is the default, AuthenNTLM will try to verify the user and
if it fails will give an Authorization Required reply.
=head2 PerlSetVar ntlmsemkey
There are troubles when two authentication requests take place at the same
time. If the second request starts, before the first request has successfully
verified the user to the smb (windows) server, the smb server will terminate the first
request. To avoid this Apache::AuthenNTLM serializes all requests. It uses a semaphore
for this purpose. The semkey directive set the key which is used (default: 23754).
Set it to zero to turn serialization off.
=head2 PerlSetVar ntlmsemtimeout
This set the timeout value used to wait for the semaphore. The default is two seconds.
It is very small because during the time Apache waits for the semaphore, no other
authentication request can be sent to the windows server. Also Apache::AuthenNTLM
only asks the windows server once per keep-alive connection, this timeout value
should be as small as possible.
=head2 PerlSetVar splitdomainprefix
If set to 1, $self -> map_user ($r) will return "username"
else $self -> map_user ($r) will return "domain\username"
Default is "domain\username"
=head2 PerlSetVar ntlmdebug
Set this to 1 if you want extra debugging information in the error log.
Set it to 2 to also see the binary data of the NTLM headers.
( run in 2.488 seconds using v1.01-cache-2.11-cpan-c966e8aa7e8 )