[opencms-dev] Information : Authentication through NT domain ...

Apostoly Guillaume ApostolyG at mail.europcar.com
Mon Jul 7 10:04:01 CEST 2003


Hi Brendon,

I already achieved that with about the same configuration, but what I would
like to do in fact is this: the user authenticated by Apache is considered as
the opencms user. This means: if the user comes to an access-restricted
resource (for reading) and he was declared in opencms as being able to read
this resource, he passes through transparently. Or: if the user logs in to
Apache and comes to the administration login page, he's automatically
authenticated. Do you think it would be hard to modify in opencms?
What do you think about that, Alexander?
The idea would be this pseudo-algorithm:
if ("apache_user" exists)
	{ consider the corresponding user to be logged in in opencms }
else
	{ consider him to be guest }

Below is a sample code I used to retrieve the login user on the Java side
(found on jguru):
<%@ page import="java.util.Base64" %>
<%@ page import="javax.servlet.http.HttpServletResponse" %>
<%!
  // Read one NTLM string out of the Type 3 message. The Type 2 reply below
  // negotiates Unicode (flag 0x1), so the client sends UTF-16LE. The bounds
  // check keeps a malformed or truncated message from throwing.
  private static String ntlmString(byte[] m, int offset, int length) {
    if (offset < 0 || length < 0 || offset + length > m.length) return "";
    return new String(m, offset, length, java.nio.charset.StandardCharsets.UTF_16LE);
  }
%>
<html>
<head><title>test login</title></head>
<body bgcolor="white">
<%
// No credentials yet: ask the browser to start the NTLM handshake.
String auth = request.getHeader("Authorization");
if (auth == null)
{
  response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  response.setHeader("WWW-Authenticate", "NTLM");
  response.flushBuffer();
  return;
}
if (auth.startsWith("NTLM "))
{
  // java.util.Base64 replaces sun.misc.BASE64Decoder from the original
  // snippet, which no longer exists in current JDKs.
  byte[] msg = Base64.getDecoder().decode(auth.substring(5).trim());
  int off = 0, length, offset;
  // Byte 8 of every NTLMSSP message is its type: 1 = Negotiate, 3 = Authenticate.
  if (msg.length > 8 && msg[8] == 1)
  {
    // Minimal Type 2 (Challenge) reply. Flags 0x00008201 request Unicode
    // strings and NTLM; the 8-byte challenge is a fixed dummy because this
    // sample never verifies the client's response.
    byte z = 0;
    byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S',
(byte)'S', (byte)'P', 
      z,(byte)2, z, z, z, z, z, z, z,(byte)40, z, z, z, 
      (byte)1, (byte)130, z, z,z, (byte)2, (byte)2,
      (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
    response.setHeader("WWW-Authenticate", "NTLM " + 
       Base64.getEncoder().encodeToString(msg1));
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    return;
  }
  else if (msg.length > 52 && msg[8] == 3)
  {
    // The Type 3 message carries security buffers (length, max length,
    // offset) for domain, user and workstation starting at byte 28. The
    // original read the max-length fields (byte 30 onwards); they normally
    // equal the length fields, so the offsets are kept. Each byte is masked
    // with 0xff because Java bytes are signed and any value >= 128 turned
    // the arithmetic negative.
    off = 30;

    length = (msg[off+17] & 0xff)*256 + (msg[off+16] & 0xff);
    offset = (msg[off+19] & 0xff)*256 + (msg[off+18] & 0xff);
    String remoteHost = ntlmString(msg, offset, length);

    length = (msg[off+1] & 0xff)*256 + (msg[off] & 0xff);
    offset = (msg[off+3] & 0xff)*256 + (msg[off+2] & 0xff);
    String domain = ntlmString(msg, offset, length);

    length = (msg[off+9] & 0xff)*256 + (msg[off+8] & 0xff);
    offset = (msg[off+11] & 0xff)*256 + (msg[off+10] & 0xff);
    String username = ntlmString(msg, offset, length);

    // Nothing here checks the NTLM response against a domain controller, so
    // these values are whatever the client claimed; only Apache/mod_ntlm in
    // front of Tomcat actually verifies them.
    out.println("Username:"+username+"<BR>");
    out.println("RemoteHost:"+remoteHost+"<BR>");
    out.println("Domain:"+domain+"<BR>");
  }
}
%>
</body>
</html>

Hope we'll be able to go further.

Regards,

Guillaume.
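As an added example (not Guillaume's code and not part of OpenCms), here is the pseudo-algorithm above written as a servlet Filter. It assumes Tomcat is reached only through Apache over an AJP connector configured with tomcatAuthentication="false", so that request.getRemoteUser() carries the REMOTE_USER that mod_ntlm verified against the domain controller; the CmsLogin interface is a hypothetical stand-in for whatever hook the CMS provides, and the DOMAIN\user form of the name is an assumption about what mod_ntlm reports.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Turns the user Apache already authenticated (REMOTE_USER, passed to Tomcat
 * over AJP with tomcatAuthentication="false") into a CMS login, or falls back
 * to guest. The CMS keeps its own permission model; only the identity comes
 * from Apache. CmsLogin is a hypothetical hook, not OpenCms API.
 */
public class RemoteUserFilter implements Filter {

    public static final String GUEST = "guest";

    /** Hypothetical CMS hook standing in for whatever the CMS provides. */
    public interface CmsLogin {
        boolean userExists(String name);
        void loginAs(HttpServletRequest req, String name);
        void loginAsGuest(HttpServletRequest req);
    }

    private final CmsLogin cms;

    public RemoteUserFilter(CmsLogin cms) {
        this.cms = cms;
    }

    public void init(FilterConfig cfg) throws ServletException {
    }

    public void destroy() {
    }

    /**
     * Decide which CMS identity the request runs under. A name is accepted
     * only if that user already exists in the CMS; anything else, including a
     * missing REMOTE_USER, becomes guest.
     */
    public static String resolveCmsUser(String remoteUser, CmsLogin cms) {
        if (remoteUser == null || remoteUser.trim().length() == 0) {
            return GUEST;
        }
        // Assumption: mod_ntlm may report the name as DOMAIN\user while the
        // CMS account is keyed on the bare user name.
        String name = remoteUser;
        int sep = name.lastIndexOf('\\');
        if (sep >= 0) {
            name = name.substring(sep + 1);
        }
        name = name.trim().toLowerCase();
        return cms.userExists(name) ? name : GUEST;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRemoteUser() is set by the AJP connector from Apache's REMOTE_USER;
        // on a direct (non-Apache) connector it is null, which yields guest.
        String user = resolveCmsUser(http.getRemoteUser(), cms);
        if (GUEST.equals(user)) {
            cms.loginAsGuest(http);
        } else {
            cms.loginAs(http, user);
        }
        chain.doFilter(req, res);
    }

    /** Stand-alone check with a constructed in-memory user list. */
    public static void main(String[] args) {
        final Set<String> known = new HashSet<String>();
        known.add("alice");
        CmsLogin stub = new CmsLogin() {
            public boolean userExists(String name) { return known.contains(name); }
            public void loginAs(HttpServletRequest r, String n) { }
            public void loginAsGuest(HttpServletRequest r) { }
        };
        System.out.println(resolveCmsUser("EUROPCAR\\Alice", stub)); // alice
        System.out.println(resolveCmsUser("EUROPCAR\\mallory", stub)); // guest
        System.out.println(resolveCmsUser(null, stub)); // guest
    }
}
```

The filter is only as trustworthy as the path into Tomcat: the identity must come from the AJP connector fed by Apache, never from a request header a client could set, and Tomcat's own HTTP port (the "standalone" setup mentioned in the first mail) should not stay reachable from users once Apache fronts it.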

> -----Original Message-----
> From: Brendon Price [mailto:Brendon.Price at sytec.co.nz]
> Sent: Thursday 3 July 2003 21:59
> To: 'opencms-dev at opencms.org'
> Cc: Apostoly Guillaume
> Subject: RE: [opencms-dev] Information : Authentication through NT domain
> ...
> 
> 
> Hi Guillaume,
> 
> The following is some detail on how to get NTLM working with Apache 1.3 and
> opencms.
> Not really an OpenCMS issue but it may be of interest to a few people
> attempting this.
> This allows NT Integrated Security to the opencms resources, so users
> accessing the site must belong to a valid NT Domain Group. This would be
> useful for an Intranet for instance.
> 
> Note that this was for Apache 1.3, but there is a mod_ntlm for Apache 2 so
> the process is probably much the same.
> 1. Stop apache
> 2. Download the mod_ntlm source from SourceForge
> (<http://sourceforge.net/projects/modntlm/>)
> 3. Make sure the apache-devel RPM is installed on the server and build
> mod_ntlm:
> Extract the source, change to the directory, and type "make install". This
> uses apxs from apache-devel to build the module and install it (into
> /usr/lib/apache). This also modifies httpd.conf to include the appropriate
> LoadModule and AddModule directives.
> 4. Add the NTLM authentication directives to httpd.conf, e.g.:
> <Location /publicsite>
> AuthType NTLM
> NTLMAuth On
> NTLMAuthoritative On
> NTLMDomain DOMAIN
> NTLMServer PDC_servername
> # NTLMBackup servername
> Require valid-user
> </Location>
> 5. Do some magic stuff to make it all work - this is important!
> Make sure the KeepAlive directive is set to "on" and comment out the
> following MSIE related config, i.e.
> #SetEnvIf User-Agent ".*MSIE.*" \
> # nokeepalive ssl-unclean-shutdown \
> # downgrade-1.0 force-response-1.0
> 6. Make sure the names specified for NTLMServer and NTLMBackup are in the
> local hosts file on the web server.
> 7. Start Apache and test...
> You do not have to register the web server on the domain controller for this
> to work. It also doesn't care what the web server hostname or httpd
> ServerName directive is set to.
> 
> Regards
> Brendon
> 
> -----Original Message-----
> From: Apostoly Guillaume [mailto:ApostolyG at mail.europcar.com]
> Sent: Wednesday, 2 July 2003 4:55 a.m.
> To: opencms-dev at opencms.org
> Subject: [opencms-dev] Information : Authentication through NT domain
> ...
> 
> 
> Hi all,
> 
> My current goal is to allow OpenCMS authentication through NT Server. I've
> got no LDAP server so this could mean using NTLM.
> I'm on a Linux Gentoo with Apache and Tomcat (currently standalone, I've got
> to change that).
> I'm currently trying to use mod_ntlm ( http://modntlm.sourceforge.net/ )
> with Apache. After that, I'll configure Tomcat to work with Apache (with
> mod_xxxxx), and I'll get the Apache logged-in user through
> "request.getRemoteUser()" as described here:
> http://www.jguru.com/faq/view.jsp?EID=1045412
> After that point, I'll need someone that knows well the authentication
> system from opencms to allow this:
> 
> I'd like opencms to rely on the "request.getRemoteUser()" to know who is
> logged in (the username), but to still use its own system for the
> permissions. This means creating the user in the opencms database, allowing
> them to work on projects, etc., but relying on NTLM authentication from
> Apache for the login.
> 
> Has anybody progressed in that direction?
> Am I completely (tick the right answer): - wrong - nuts - dumb?
> 
> Thanks in advance,
> 
> Regards,
> 
> Guillaume.
>  
> _______________________________________
> Guillaume APOSTOLY 
> Business-Analyst EIS-BSD 
> Tél: +33 (0)1.30.44.95.22 
> Fax: +33 (0)1.30.44.98.08 
> ApostolyG at mail.europcar.com <mailto:ApostolyG at mail.europcar.com>  
> _______________________________________ 
