NTLM (mod_ntlm) for Solaris 10

Background

If your Twiki is on an intranet where users are authenticated via Windows domain controllers then NTLM is the obvious choice if you want single-signon, i.e. that users are not prompted for a password when they open TWiki yet TWiki knows who they are. In a nutshell: seamless authentication.

There are many other topics on NTLM on TWiki.org that either focus specifically on NTLM or mentions NTLM. See the references section below. This topic focus solely on how to get it working on Solaris although only some of the points made here are specific to Solaris.

It is the Apache Web Server that authenticates users by way of NTLM, not TWiki itself. This is done by an Apache module (a so called DSO) called mod_ntlm. TWiki simply gets passed the REMOTE_USER variable same as if you where using htpasswd.

If you have build your own Apache Web Server then building the mod_ntlm binary is very simple. If on the other hand your are using the Apache Web Server that comes pre-installed with Solaris or a package from SunFreeware or similar then you can take advantage of the binaries attached below.

There are two mod_ntlm distributions, an original one and an unofficial one based off the original one. Neither of them seem to be maintained. It works, so who cares. The unofficial one has some bugs fixed and is therefore preferred. (Update June 2007: As of April 2007 the official mod_ntlm project seem have come to life again and have started by incorporating all the bug fixes from the unofficial version. This is good news. This means the unofficial version has become redundant. However the binaries you find below are based on a snapshot before this happened and therefore the unofficial version is the one recommended from download from this page.)

Target platform in this article is Solaris 10 (whether SPARC or X86 based) and TWiki 4.x.

How to build your own mod_ntlm binary

(or how the binaries attached to this topic were build)

First requirement is to have an Apache installation with a working apxs. It is tempting simply to use the apxs from the pre-installed Apache, i.e. the one in /usr/apache2. However Sun has build this one by using the Sun Studio C compiler which means that apxs in /usr/apache2/bin will reference all sorts of things that are likely not installed on your system.

So there is no other solution than to download the Apache Web Server source and build a full Apache. It turns out this is very simple as long as you are not requiring any complex things.

GNU C/C++ (gcc) is installed by default on Solaris 10. It lives in /usr/sfw/bin. Make sure this is in your path.

Making a usable Apache installation with a working apxs:

1. Download Apache Web Server source from www.apache.org. Unpack into a temp directory.
2. Go to directory where you unpacked the source.
3. ./configure --prefix=/apps/apache2
4. make
5. make install

Building mod_ntlm binary

(Official mod_ntlm documentation says to run make install && make restart. This will create the mod_ntlm binary, copy it into Apache directory, put load instructions into httpd.conf and restart Apache. We are only interested in building the actual binary so we only run make all.)

1. Download the mod_ntlm distribution and unpack into a temp directory.
2. Go to directory where you unpacked the source.
3. if your are building for Apache 2.2 (as opposed to Apache 1.3 and Apache 2.0) you wil need to change a single line of C code in mod_ntlm.c. This is because the code uses the deprecated APR function apr_pool_sub_make(). This function needs to be replaced by apr_pool_create_ex() function. In line 590 of mod_ntlm.c replace
      apr_pool_sub_make(&sp,p,NULL);
   by
      apr_pool_create_ex(&sp,p,NULL,NULL);.
4. Make sure make can find apxs, i.e. add the Apache bin directory to your path, e.g. add /apps/apache2/bin to your path.
5. make all
6. This will create the mod_ntlm binary, mod_ntlm.so in .libs. Copy it to a location of your choice, .e.g. /usr/apache2/libexec (which is where the packaged modules live). Make sure it is readable by the user running the web server.

Binaries

The only binary you will need is mod_ntlm.so which you find in the packages listed here. Packages include mod_ntlm module for Apache 2.0 and Apache 2.2. Choose the package appropriate for your platform.

• Original mod_ntlm, Solaris 10, SPARC
• Original mod_ntlm, Solaris 10, X86
• Unofficial mod_ntlm, Solaris 10, SPARC
• Unofficial mod_ntlm, Solaris 10, X86

Note that the source distribution on which the binary is based is included in the package as per license rules. The unofficial version is preferred as it has more bugs fixed.

Apache Web Server configuration

Finding the Domain Controller

The prerequisite is to know the host names of your PDC (Primary Domain Controller) and BDC (Backup Domain Controller). Most people know which Windows domain they are logged into but few know which domain controller actually authenticates them as Windows does not easily reveal this information. The best way to get this information is to ask your system administrator, but actually you can find out yourself. The following assumes that your domain is called ACMEDOMAIN.

The easiest is simply to issue the command net time domain:acmedomain from a Windows command line. This will tell you your PDC.

C:\>net time /domain:acmedomain
Current time at \\ACMEDC0001 is 7/23/2006 12:07 AM

The command completed successfully.

Alternatively your can use the NETDOM tool which is part of the Windows Resource Kit (at least it used to be). You can download it from Microsoft or from http://d8ngmjfe56px68eg28.roads-uae.org/download_free_reskit_tools.htm. Used with the "bdc" parameter it will give the following output:

C:\netdom bdc
NetDom 1.8 @1997-98. Written by Christophe Robert - Microsoft.

Searching PDC for domain ACMEDOMAIN ...
Found PDC \\ACMEDC0001
Connecting to \\ACMEDC0001 ...
Listing BDCs of ACMEDOMAIN ...

BDC   1 = \\ACMEDC0002
BDC   2 = \\ACMEDC0003
BDC   3 = \\ACMEDC0004
BDC   4 = \\ACMEDC0005

So now we can say that our PDC is ACMEDC001 and our BDC is ACMEDC0002.

Configuring httpd.conf

In this topic we are using the pre-installed Apache 2, therefore the config file is found in /etc/apache2/httpd.conf.

First make sure the mod_ntlm module is actually loaded by Apache. Find the section with lots of LoadModule directives. In the end of this section add a single line as follows:

LoadModule ntlm_module /apps/mod_ntlm2_unofficial/mod_ntlm.so

assuming that you have mod_ntlm.so in /apps/mod_ntlm2_unofficial. Correct as appropriate.

It is primarily your Twiki bin directory that you would want to use NTLM authentication on. There is no need to add it globally to the web server. Below is an example where NTLM authentication is added to the Twiki bin directory:

<Directory "/apps/twiki/bin">
   ...
   ...
# NTLM settings
         AuthType NTLM
         NTLMAuth on
         NTLMAuthoritative on
         NTLMDomain acmedomain
         NTLMServer acmedc0001
         NTLMBackup acmedc0002
         Require valid-user
   ...
   ...
</Directory>

(see Original mod_ntlm website for documentation on which directives can be used with mod_ntlm and how they work).

Restart your Apache server (svcadm restart apache2). Look out for errors in Apache's error log (/var/apache2/logs/error_log) and in the SMF log related to Apache (/var/svc/log/network-http:apache2.log).

Testing NTLM

If you want to test NTLM authentication on your Apache outside of the Twiki you can do so by creating simple Perl script:

#!/usr/bin/perl -wT
print "<html><head><title>NTLM Perl test</title></head>";
print "<body>";
print "REMOTE_USER : $ENV{REMOTE_USER}<br>";
print "</body></html>";

Make sure the file is executable and can be read by the user running the web server. Put it into your Twiki bin directory. Point your browser to the file and if everything works you should see your own username in the REMOTE_USER variable.

Troubleshooting mod_ntlm

The mod_ntlm module will put extra information into Apache log if you increase the LogLevel in the httpd.conf file. Try increasing to "debug" then restart Apache. See if the messages in the Apache error log gives you more information.

Twiki configuration

Use the configure script to change global preferences in Twiki.

In Security Setup --> Authentication change variable LoginManager to Twiki::Client::ApacheLogin.

In Security Setup --> Passwords change variable PasswordManager to none.

Possible problems

Upper or lower case username. I wonder what will happen if you have configured user "JOHNDOE" as a member of groups in Twiki but it is actually "johndoe" that gets passed to Twiki in the REMOTE_USER variable ? Suppose your IT administrators have been sloppy when they configured users in the Windows domain, i.e. creating some users with lower case names and others with upper case names? If they haven't been consistent it can potentially become messy. Am I seeing ghosts here? Is this a problem?.

Problems not encountered

Here is a list of problems that other users of mod_ntlm have encountered, but not me.

• That REMOTE_USER is "DOMAINNAME\USER" rather than simply "USER". LoginNameAndNtlm in Twiki Support Web. This topic is quite old. A test outside of the TWiki environment reveals that in my case the REMOTE_USER is "USER" so this is not something that has been fixed in TWiki. Maybe because I use the unofficial version of mod_ntlm?, maybe because I use Apache 2.0 and not Apache 1.3 (doubt it), or maybe this is related to something on the Windows side?.

• That mod_ntlm is slow. Works ok for me on fairly old X86-based server running Solaris 10.

• That mod_ntlm directives in Apache configuration file cannot be placed inside <Directory> but only inside <Location>. Maybe because I use Apache 2.0 and not Apache 1.3 ?

References

• Original mod_ntlm
• Unoffical mod_ntlm
• NTLM on Wikipedia
• NTLM on TWiki.org (Google search)

-- Contributors: Lars Bruun-Hansen - 25 Aug 2006

Discussion

Thanks Lars for sharing this with the TWikiCommunity!

-- PeterThoeny - 02 Sep 2006

Previously I was using PAM authentication for our internal twiki site, saw this topic and thought…. “I’m having some of that”. Now I installed the unofficial mod on a Debian Linux system and come across a few problems.

1. I needed to install the dev stuff to get apxs.

apt-get install apache2-dev

maybe apt-get install apache2-utils would of worked but I just walloped the dev stuff on.

2. When I run make I had to point it to the actual apxs location due it being called apxs2

make all APXS=/usr/bin/apxs2

4. to make this stuff work in firefox (the browser of choice) in the url edit box at the top of firefox I put

about:config

In the filter I typed

ntlm

then I was presented with 3 things I could change. In the network.automatic-ntlm-auth.trusted-uris I put

vm-wiki

The wiki server, this I think is what the user would type in to get to the wiki, note this is a comma separated list, so many servers can be specified here. Hopefully this will speed up other’s linux installs of this apache mod

-- GarethSmith - 03 Sep 2006

RE: Domain Controllers On newer versions of NETDOM you'll need to use a line more like netdom QUERY PDC, as netdom bdc is no longer a function

-- DavidWall - 16 Oct 2006