[opencms-dev] Information : Authentication through NT domain ...
Apostoly Guillaume
ApostolyG at mail.europcar.com
Mon Jul 7 10:04:01 CEST 2003
Hi Brendon,
I already achieved that with about the same configuration, but what I would
like to do in fact is this: the user authenticated by Apache is considered as
the OpenCms user. This means: if the user comes to an access-restricted
resource (for reading) and he was declared in OpenCms as being able to read
this resource, he passes through transparently. Or: if the user logs in to
Apache and comes to the administration login page, he's automatically
authenticated. Do you think it would be hard to modify in OpenCms?
What do you think about that, Alexander?
The idea would be this pseudo-algorithm:
if ("apache_user" exists)
    { consider the corresponding user to be logged in to opencms }
else
    { consider him to be guest }
Below is a sample code I used to retrieve the login user on the Java side
(found on jguru) :
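<%!
// Escape client-supplied text before it is written into the page.
static String esc(String s)
{
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
}
%>
<html>
<head><title>test login</title></head>
<body bgcolor="white">
<%
String auth = request.getHeader("Authorization");
if (auth == null)
{
    // No credentials yet: ask the browser to start the NTLM handshake.
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
    response.flushBuffer();
    return;
}
if (auth.startsWith("NTLM "))
{
    byte[] msg = java.util.Base64.getDecoder().decode(auth.substring(5).trim());
    int off = 0, length, offset;
    if (msg.length > 8 && msg[8] == 1)
    {
        // Type 1 (negotiate) received: answer with a Type 2 (challenge).
        // The challenge is a fixed value and the reply to it is never checked.
        byte z = 0;
        byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S',
                       (byte)'S', (byte)'P',
                       z,(byte)2, z, z, z, z, z, z, z,(byte)40, z, z, z,
                       (byte)1, (byte)130, z, z,z, (byte)2, (byte)2,
                       (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
        // encodeToString adds no line break, so the header stays on one line.
        response.setHeader("WWW-Authenticate", "NTLM " +
            java.util.Base64.getEncoder().encodeToString(msg1));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    else if (msg.length >= 52 && msg[8] == 3)
    {
        // Type 3 (authenticate): read the host, domain and user buffers.
        // The LM/NT responses are not validated here, so these values are
        // only what the client claims. "& 0xFF" keeps the signed bytes from
        // turning lengths and offsets negative.
        // The Type 2 message above sets the Unicode flag, so the strings
        // are decoded as UTF-16LE.
        java.nio.charset.Charset cs = java.nio.charset.StandardCharsets.UTF_16LE;
        off = 30;
        length = (msg[off+17] & 0xFF)*256 + (msg[off+16] & 0xFF);
        offset = (msg[off+19] & 0xFF)*256 + (msg[off+18] & 0xFF);
        String remoteHost = new String(msg, offset, length, cs);
        length = (msg[off+1] & 0xFF)*256 + (msg[off] & 0xFF);
        offset = (msg[off+3] & 0xFF)*256 + (msg[off+2] & 0xFF);
        String domain = new String(msg, offset, length, cs);
        length = (msg[off+9] & 0xFF)*256 + (msg[off+8] & 0xFF);
        offset = (msg[off+11] & 0xFF)*256 + (msg[off+10] & 0xFF);
        String username = new String(msg, offset, length, cs);
        out.println("Username:"+esc(username)+"<BR>");
        out.println("RemoteHost:"+esc(remoteHost)+"<BR>");
        out.println("Domain:"+esc(domain)+"<BR>");
    }
}
%>
</body>
</html>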
Hope we'll be able to go further.
Regards,
Guillaume.
> -----Original Message-----
> From: Brendon Price [mailto:Brendon.Price at sytec.co.nz]
> Date: Thursday 3 July 2003 21:59
> To: 'opencms-dev at opencms.org'
> Cc: Apostoly Guillaume
> Subject: RE: [opencms-dev] Information : Authentication through
> NT domain
> ...
>
>
> Hi Guillaume,
>
> The following is some detail on how to get NTLM working with Apache 1.3 and
> opencms.
> Not really an OpenCMS issue but it may be of interest to a few people
> attempting this.
> This allows NT Integrated Security to the opencms resources, so users
> accessing the site must belong to a valid NT Domain Group. This would be
> useful for an Intranet for instance.
>
> Note that this was for Apache 1.3, but there is a mod_ntlm for Apache 2 so
> the process is probably much the same.
> 1. Stop apache
> 2. Download the mod_ntlm source from SourceForge
>    (<http://sourceforge.net/projects/modntlm/>)
> 3. Make sure the apache-devel RPM is installed on the server and build
>    mod_ntlm:
>    Extract the source, change to the directory, and type "make install". This
>    uses apxs from apache-devel to build the module and install it (into
>    /usr/lib/apache). This also modifies httpd.conf to include the appropriate
>    LoadModule and AddModule directives.
> 4. Add the NTLM authentication directives to httpd.conf, eg:
>    <Location /publicsite>
>        AuthType NTLM
>        NTLMAuth On
>        NTLMAuthoritative On
>        NTLMDomain DOMAIN
>        NTLMServer PDC_servername
>        # NTLMBackup servername
>        Require valid-user
>    </Location>
> 5. Do some magic stuff to make it all work - this is important!
>    Make sure the KeepAlive directive is set to "on" and comment out the
>    following MSIE related config, ie
>    #SetEnvIf User-Agent ".*MSIE.*" \
>    #    nokeepalive ssl-unclean-shutdown \
>    #    downgrade-1.0 force-response-1.0
> 6. Make sure the names specified for NTLMServer and NTLMBackup are in the
>    local hosts file on the web server.
> 7. Start Apache and test...
> You do not have to register the web server on the domain controller for this
> to work. It also doesn't care what the web server hostname or httpd
> ServerName directive is set to.
>
> Regards
> Brendon
>
> -----Original Message-----
> From: Apostoly Guillaume [mailto:ApostolyG at mail.europcar.com]
> Sent: Wednesday, 2 July 2003 4:55 a.m.
> To: opencms-dev at opencms.org
> Subject: [opencms-dev] Information : Authentication through NT domain
> ...
>
>
> Hi all,
>
> My current goal is to allow OpenCMS authentication through NT Server. I've
> got no LDAP server so this could mean use NTLM.
> I'm on a linux gentoo with apache and tomcat (currently standalone, I've got
> to change that).
> I'm currently trying to use mod_ntlm ( http://modntlm.sourceforge.net/ )
> with apache. After that, I'll configure Tomcat to work with apache (with
> mod_xxxxx), and I'll get the apache logged in user through
> "request.getRemoteUser()" as described here:
> http://www.jguru.com/faq/view.jsp?EID=1045412 .
> After that point, I'll need someone that knows well the authentication
> system from opencms to allow this:
>
> I'd like opencms to rely on the "request.getRemoteUser()" to know who is
> logged in (the username), but to still use its own system for the
> permissions. This means creating the user in the opencms database, allowing
> them to work on project, etc, but relying on NTLM authentication from apache
> for the login.
>
> Has anybody progressed in that direction?
> Am I completely (tick the right answer): - wrong - nuts - dumb ?
>
> Thanks in advance,
>
> Regards,
>
> Guillaume.
>
> _______________________________________
> Guillaume APOSTOLY
> Business-Analyst EIS-BSD
> Tél: +33 (0)1.30.44.95.22
> Fax: +33 (0)1.30.44.98.08
> ApostolyG at mail.europcar.com
> _______________________________________
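Added example (not part of the original messages, and not OpenCms or jGuru code): a stand-alone Java version of the Type 3 field extraction done in the JSP above, which reads the real length field and rejects messages whose signature, type or buffer offsets are wrong. The class name NtlmType3Fields and the sample values CORP, alice and WS01 are constructed for illustration, and the strings are assumed to be UTF-16LE because the JSP's Type 2 message sets the Unicode flag.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NtlmType3Fields {
    static final byte[] SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    // Little-endian unsigned 16-bit read; & 0xFF undoes Java's signed-byte extension.
    static int u16(byte[] m, int at) {
        return (m[at] & 0xFF) | ((m[at + 1] & 0xFF) << 8);
    }
    // Security buffer = length(2) allocated(2) offset(4); data must follow the 52-byte header.
    static String field(byte[] m, int at) {
        int len = u16(m, at);
        long off = u16(m, at + 4) | ((long) u16(m, at + 6) << 16);
        if (off < 52 || off + len > m.length || (len & 1) != 0)
            throw new IllegalArgumentException("security buffer out of bounds");
        // Assumption: Unicode was negotiated, so the bytes are UTF-16LE.
        return new String(m, (int) off, len, StandardCharsets.UTF_16LE);
    }

    /** Returns {domain, user, workstation} as claimed by the client; throws if malformed. */
    static String[] parse(String header) {
        if (header == null || !header.startsWith("NTLM "))
            throw new IllegalArgumentException("not an NTLM Authorization header");
        byte[] m = Base64.getDecoder().decode(header.substring(5).trim());
        if (m.length < 52) throw new IllegalArgumentException("too short for Type 3");
        for (int i = 0; i < SIG.length; i++)
            if (m[i] != SIG[i]) throw new IllegalArgumentException("bad signature");
        if (u16(m, 8) != 3 || u16(m, 10) != 0) throw new IllegalArgumentException("not Type 3");
        return new String[] {field(m, 28), field(m, 36), field(m, 44)};
    }

    public static void main(String[] args) {
        // Constructed sample: 52-byte header, then UTF-16LE "CORP", "alice", "WS01".
        String[] vals = {"CORP", "alice", "WS01"};
        byte[] m = new byte[52 + 2 * (4 + 5 + 4)];
        System.arraycopy(SIG, 0, m, 0, 8); m[8] = 3; // signature, message type 3
        for (int i = 0, off = 52; i < 3; i++) {
            byte[] b = vals[i].getBytes(StandardCharsets.UTF_16LE);
            m[28 + 8 * i] = m[30 + 8 * i] = (byte) b.length;
            m[32 + 8 * i] = (byte) off;
            System.arraycopy(b, 0, m, off, b.length);
            off += b.length;
        }
        String[] f = parse("NTLM " + Base64.getEncoder().encodeToString(m));
        System.out.println(f[0] + "\\" + f[1] + " on " + f[2] + " (claimed, not verified)");
        m[40] = (byte) 0xF0; // user offset now points past the end of the message
        try { parse("NTLM " + Base64.getEncoder().encodeToString(m)); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The returned names are only what the client claims; they identify a user once the challenge response has been validated, which in the Apache setup quoted above is left to mod_ntlm and the NTLMServer it is pointed at.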