How to NTLM with Apache
<?php
/*
Plugin Name: NTLM Authentication - IIS or Apache
Plugin URI: https://gist.github.com/josefjezek/5748211
Description: This plugin allows WordPress to use any NTLM authentication method for authentication instead of only the built-in WordPress forms-based authentication method. Ensure Windows Authentication is enabled in IIS.
Version: 1.0
Author: Josef Jezek
Author URI: http://about.me/josefjezek
*/
// Try a transparent NTLM sign-in on every request that reaches WordPress' 'init' hook.
// 10 is WordPress' default hook priority, spelled out here.
add_action('init', 'ntlm_auth_auto_login', 10);
// Run the same sign-in routine when wp-login.php renders its login form.
add_action('login_form', 'ntlm_auth_wp_login_form', 10);
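/**
 * Check if the request's source address looks like an internal LAN address.
 *
 * Only the textual prefixes "192.168." and "10." of REMOTE_ADDR are compared;
 * no other private ranges are recognised.
 *
 * NOTE(review): REMOTE_ADDR is the address of the direct TCP peer. Behind a
 * reverse proxy or load balancer that peer is the proxy, so every visitor may
 * be classified as a LAN user - confirm the deployment before treating this
 * check as an access boundary.
 *
 * @return boolean True when REMOTE_ADDR starts with "192.168." or "10.";
 *                 false otherwise, including when REMOTE_ADDR is not set
 *                 (for example when WordPress runs from the command line).
 */
function ntlm_auth_is_lan_user() {
    // REMOTE_ADDR is absent outside a web request; treat that as "not LAN"
    // instead of reading an undefined index.
    $remoteAddress = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!is_string($remoteAddress)) {
        return false;
    }

    return strncmp($remoteAddress, '192.168.', 8) === 0
        || strncmp($remoteAddress, '10.', 3) === 0;
}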
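/**
 * Check if the current request targets xmlrpc.php.
 *
 * The path component of REQUEST_URI is inspected, so a query string
 * ("/xmlrpc.php?rsd") or a WordPress install in a sub-directory
 * ("/wordpress/xmlrpc.php") is recognised as well. Comparing the raw
 * REQUEST_URI against "/xmlrpc.php" missed both cases, and the automatic
 * login then answered those XML-RPC calls with 401.
 *
 * @return boolean True when the requested script is xmlrpc.php, false
 *                 otherwise (including when REQUEST_URI is not set).
 */
function ntlm_auth_is_xmlrpc() {
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    if (!is_string($uri) || $uri === '') {
        return false;
    }

    // parse_url() drops the query string and returns false/null for a URI
    // it cannot parse, which is treated as "not xmlrpc".
    $path = parse_url($uri, PHP_URL_PATH);

    return is_string($path) && basename($path) === 'xmlrpc.php';
}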
/**
 * Start the NTLM sign-in for anonymous LAN visitors.
 *
 * Nothing happens when a WordPress session already exists, when the client
 * address is not classified as LAN, or when the request is an XML-RPC call.
 * Otherwise control passes to ntlm_auth_wp_login_form(), which may end the
 * request (401 response, or redirect after a successful login).
 */
function ntlm_auth_auto_login() {
    // An existing WordPress session needs no further authentication.
    if (is_user_logged_in()) {
        return;
    }

    // Only clients on the internal network are signed in automatically.
    if (!ntlm_auth_is_lan_user()) {
        return;
    }

    // XML-RPC calls are left alone.
    if (ntlm_auth_is_xmlrpc()) {
        return;
    }

    ntlm_auth_wp_login_form();
}
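/**
 * Add Windows Authentication to wp-login.php
 *
 * Signs the visitor in as the WordPress account whose login equals the
 * lower-cased user name found in REMOTE_USER, then redirects and ends the
 * request. When REMOTE_USER is empty or the client is not classified as a
 * LAN user, the request is answered with 401 and ended instead. When no
 * matching WordPress account exists the function simply returns.
 *
 * REMOTE_USER is trusted as-is: the web server must be the only component
 * able to set it, and it must authenticate every request that reaches this
 * code.
 *
 * @action: login_form
 **/
function ntlm_auth_wp_login_form() {
    // Checks if NTLM provided a user or a user is from the internal LAN, and if not,
    // rejects the request with 401 so that it can be authenticated
    if (empty($_SERVER['REMOTE_USER']) || !ntlm_auth_is_lan_user()) {
        nocache_headers();
        header("HTTP/1.1 401 Unauthorized");
        // ob_clean() raises a notice when no output buffer is active.
        if (ob_get_level() > 0) {
            ob_clean();
        }
        exit();
    }

    if (!function_exists('get_user_by')) {
        return;
    }

    // IIS and some Apache modules report "DOMAIN\user"; other handlers report
    // the bare user name. Handle both explicitly instead of relying on
    // strrpos() returning false and substr() coercing that to offset 0.
    // NOTE(review): the domain part is discarded, so the web server has to
    // accept only the intended domain - confirm for multi-domain setups.
    $remoteUser = (string) $_SERVER['REMOTE_USER'];
    $separator = strrpos($remoteUser, '\\');
    $username = strtolower($separator === false ? $remoteUser : substr($remoteUser, $separator + 1));
    if ($username === '') {
        return;
    }

    $user = get_user_by('login', $username);

    // Strict comparison: the lower-cased name must be exactly the stored login.
    if (!$user || $username !== $user->user_login) {
        return;
    }

    wp_set_current_user($user->ID);

    // Remember for 14 days, default is 2 days
    // NOTE(review): once this cookie exists, ntlm_auth_auto_login() skips the
    // NTLM check until the cookie expires; check that this fits the policy
    // for disabled or removed directory accounts.
    $remember = true;
    wp_set_auth_cookie($user->ID, $remember);

    // The 'wp_login' action carries the login name and the user object;
    // listeners that expect the second argument fail when it is missing.
    do_action('wp_login', $user->user_login, $user);

    $redirect_to = home_url();
    // Accept only a scalar string from the query; wp_safe_redirect() then
    // restricts the target to allowed hosts.
    if (isset($_GET['redirect_to']) && is_string($_GET['redirect_to'])) {
        $redirect_to = $_GET['redirect_to'];
    }

    wp_safe_redirect($redirect_to);
    exit();
}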
?>
Author: Josef Jezek
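# Install mod_python, PyCrypto and git (package names as given in this guide).
sudo apt-get update
sudo apt-get install libapache2-mod-python python-crypto git

# Fetch over HTTPS. The git:// transport is unauthenticated and unencrypted,
# so code that is installed as root below could be altered in transit.
git clone https://github.com/Legrandin/PyAuthenNTLM2.git
cd PyAuthenNTLM2

# Optionally pin the checkout to a commit you have reviewed before installing:
#   git checkout <REVIEWED_COMMIT_SHA>   # placeholder, not a real commit id
sudo python setup.py install -f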
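<Directory /var/www/wordpress>
    # NTLM authentication is delegated to the pyntlm handler (PyAuthenNTLM2),
    # which checks credentials against the domain controllers listed below.
    # Prefer serving this directory over TLS so that the NTLM exchange and the
    # resulting WordPress cookie are not sent in clear text.
    AuthType NTLM
    AuthName WDOMAIN
    require valid-user
    PythonAuthenHandler pyntlm
    PythonOption Domain WDOMAIN
    PythonOption PDC 192.1.2.45
    PythonOption BDC 192.1.2.46

    # Bypass authentication for local clients.
    # Comment these lines if they should authenticate too.
    # With "Satisfy any", requests from 127.0.0.1 are served without
    # authentication. If a reverse proxy on this host forwards traffic to
    # Apache, its requests also arrive from 127.0.0.1 and skip NTLM - remove
    # the bypass in that case.
    # Order/Deny/Allow/Satisfy are Apache 2.2 directives; Apache 2.4 needs
    # mod_access_compat for them.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Satisfy any
</Directory>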
Depending on your environment, you may need to configure your client for NTLM authentication to work.