NTLM (mod_ntlm) for Solaris 10

Background

If your TWiki is on an intranet where users are authenticated via Windows domain controllers then NTLM is the obvious choice if you want single-signon, i.e. that users are not prompted for a password when they open TWiki yet TWiki knows who they are.

There are many other topics on NTLM on TWiki.org that either focus specifically on NTLM or mentions NTLM. See the references section below. This topic focus solely on how to get it working on Solaris although only some of the points made here are specific to Solaris.

It is the Apache Web Server that authenticates users by way of NTLM, not TWiki itself. This is done by an Apache module (a so called DSO) called mod_ntlm. TWiki simply gets passed the REMOTE_USER variable same as if you were using htpasswd.

If you have build your own Apache Web Server then building the mod_ntlm binary is very simple. If on the other hand your are using the Apache Web Server that comes pre-installed with Solaris or a package from SunFreeware or similar then you can take advantage of the binaries attached below.

Target platform in this article is Solaris 10 (whether SPARC or X86 based) and TWiki 4.x.

How to build your own mod_ntlm binary

(or how the binaries attached to this topic were build)

Only requirement is to have an Apache installation with a working apxs. Sun has build the Apache that comes with Solaris using the Sun Studio C compiler which - unlike gcc - is not installed by default on a Solaris 10 system. The Sun Studio C compiler is free these days and is really good to have installed in your system in any case. Download it from Sun and install.

Note: The build process below assumes that you have installed the Sun Studio compiler as root, i.e. in its default location: /opt. If you have installed it somewhere else (e.g. /apps/SStudio) you must do the following before building:

LTFLAGS=--tag=CC; export LTFLAGS
CC=/apps/SStudio/SUNWspro/bin/cc; export CC

and edit the Makefile so that the line

APXS=apxs

becomes

APXS=apxs -S CC=/apps/SStudio/SUNWspro/bin/cc

Building mod_ntlm binary

Note 1: Official mod_ntlm documentation says to run make install && make restart. This will create the mod_ntlm binary, copy it into Apache directory, put load instructions into httpd.conf and restart Apache. We are only interested in building the actual binary so we only run make all.

Note 2: For tools that originate from the GNU/Linux world it is generally best practice to use GNU make rather than Sun's equivalent. Solaris 10 has both. Note how we force the make in step 4 to use GNU's version.

1. Download the mod_ntlm distribution and unpack into a temp directory.
2. Go to directory where you unpacked the source.
3. Make sure make can find apxs, i.e. add the Apache bin directory to your path, e.g. add /apps/apache2/bin to your path.
4. /usr/sfw/bin/gmake MAKE=/usr/sfw/bin/gmake all
5. This will create the mod_ntlm binary, mod_ntlm.so in .libs. Copy it to a location of your choice, .e.g. /usr/apache2/libexec (which is where the packaged modules live). Make sure it is readable by the user running the web server.

Binaries

The only binary you will need is mod_ntlm.so which you find in the packages listed here. Packages include mod_ntlm module for Apache 2.0 and Apache 2.2. Choose the package appropriate for your platform.

• mod_ntlm, Solaris 10, SPARC, does not have large file support
• mod_ntlm, Solaris 10, X86, does not have large file support

Note that the source distribution on which the binary is based is included in the package as per license rules.

Update 11 Aug 2007: Since the above was made two things have happened.:

• The official mod_ntlm has again found a maintainer. He has put all bug fixes from the unofficial mod_ntlm into the official release as well as added some other fixes/enhancements. There is therefore no longer any reason to use the unofficial version.
• Sun has updated the Apache2 distribution included with Solaris 10 so that it is now build with large file support. This means that all third party modules (such as mod_ntlm) need to be rebuild. If you try to use the above binaries on a Apache installation build with large file support the mod_ntlm module with have a segmentation fault and not work!

For the above two reasons new binaries are needed:

• Official mod_ntlm v0.3, Solaris 10, X86. Build using Sun Studio compiler against Apache 2.0.58 installation. Has large file support.

Bottom line here is that is is actually pretty difficult to create pre-build binaries for an Apache module. The recommendation is to build your own mod_ntlm against the your target Apache host because by doing so you are sure that all parameters match.

Apache Web Server configuration

Finding the Domain Controller

The prerequisite is to know the host names of your PDC (Primary Domain Controller) and BDC (Backup Domain Controller). Most people know which Windows domain they are logged into but few know which domain controller actually authenticates them as Windows does not easily reveal this information. The best way to get this information is to ask your system administrator, but actually you can find out yourself. The following assumes that your domain is called ACMEDOMAIN.

The easiest is simply to issue the command net time domain:acmedomain from a Windows command line. This will tell you your PDC.

C:\>net time /domain:acmedomain
Current time at \\ACMEDC0001 is 7/23/2006 12:07 AM

The command completed successfully.

Alternatively your can use the NETDOM tool which is part of the Windows Resource Kit (at least it used to be). You can download it from Microsoft or from http://d8ngmjfe56px68eg28.roads-uae.org/download_free_reskit_tools.htm. Used with the "bdc" parameter it will give the following output:

C:\netdom bdc
NetDom 1.8 @1997-98. Written by Christophe Robert - Microsoft.

Searching PDC for domain ACMEDOMAIN ...
Found PDC \\ACMEDC0001
Connecting to \\ACMEDC0001 ...
Listing BDCs of ACMEDOMAIN ...

BDC   1 = \\ACMEDC0002
BDC   2 = \\ACMEDC0003
BDC   3 = \\ACMEDC0004
BDC   4 = \\ACMEDC0005

So now we can say that our PDC is ACMEDC001 and our BDC is ACMEDC0002.

Configuring httpd.conf

In this topic we are using the pre-installed Apache 2, therefore the config file is found in /etc/apache2/httpd.conf.

First make sure the mod_ntlm module is actually loaded by Apache. Find the section with lots of LoadModule directives. In the end of this section add a single line as follows:

LoadModule ntlm_module /apps/twiki-root/apachemodules/mod_ntlm.so

assuming that you have mod_ntlm.so in /apps/twiki-root/apachemodules. Correct as appropriate.

It is primarily your TWiki bin directory that you would want to use NTLM authentication on. There is no need to add it globally to the web server. Below is an example where NTLM authentication is added to the TWiki bin directory:

<Directory "/apps/twiki-root/twiki/bin">
   ...
   ...
# NTLM settings
         AuthType NTLM
         NTLMAuth on
         NTLMAuthoritative on
         NTLMDomain acmedomain
         NTLMServer acmedc0001
         NTLMBackup acmedc0002
         Require valid-user
   ...
   ...
</Directory>

(see Original mod_ntlm website for documentation on which directives can be used with mod_ntlm and how they work).

If you from before have other Auth* settings in your httpd.conf file then these must be deleted before you add the above settings. This is very likely to be the case as most people start out with Apache basic authentication and then at a later time replace with NTLM authentication.

Restart your Apache server (svcadm restart apache2). Look out for errors in Apache's error log (/var/apache2/logs/error_log) and in the SMF log related to Apache (/var/svc/log/network-http:apache2.log).

Testing NTLM

If you want to test NTLM authentication on your Apache outside of the TWiki you can do so by creating simple Perl script:

#!/usr/bin/perl -wT
print "<html><head><title>NTLM Perl test</title></head>";
print "<body>";
print "REMOTE_USER : $ENV{REMOTE_USER}<br>";
print "</body></html>";

Make sure the file is executable and can be read by the user running the web server. Put it into your TWiki bin directory. Point your browser to the file and if everything works you should see your own username in the REMOTE_USER variable.

Troubleshooting mod_ntlm

The mod_ntlm module will put extra information into Apache log if you increase the LogLevel in the httpd.conf file. Try increasing to "debug" then restart Apache. See if the messages in the Apache error log gives you more information.

TWiki configuration

Use the configure script to change global settings in TWiki.

In Security Setup --> Authentication change variable LoginManager to Twiki::Client::ApacheLogin.

In Security Setup --> Register change variable AllowLoginName to be ticked (on).

In Security Setup --> Passwords change variable PasswordManager to none.

Possible problems

Upper or lower case username. I wonder what will happen if you have configured user "JOHNDOE" as a member of groups in TWiki but it is actually "johndoe" that gets passed to TWiki in the REMOTE_USER variable ? Suppose your IT administrators have been sloppy when they configured users in the Windows domain, i.e. creating some users with lower case names and others with upper case names? If they haven't been consistent it can potentially become messy. Am I seeing ghosts here? Is this a problem?.

Problems not encountered

Here is a list of problems that other users of mod_ntlm have encountered, but not me.

• That REMOTE_USER is "DOMAINNAME\USER" rather than simply "USER". LoginNameAndNtlm in TWiki Support Web. This topic is quite old. A test outside of the Twiki environment reveals that in my case the REMOTE_USER is "USER" so this is not something that has been fixed in Twiki. Maybe because I use the unofficial version of mod_ntlm?, maybe because I use Apache 2.0 and not Apache 1.3 (doubt it), or maybe this is related to something on the Windows side?.

• That mod_ntlm is slow. Works ok for me on fairly old Intel based server running Solaris 10. I have however noticed a noticable speed difference between mod_ntlm compiled using GNU C/C++ versus compiled using Sun Studio v12 compiler: The resulting binary when compiled using Sun Studio just seems to be quite a lot faster than if compiled using GNU C/C++. Have no explanation why. The difference is really noticable.

• That mod_ntlm directives in Apache configuration file cannot be placed inside <Directory> but only inside <Location>. Maybe because I use Apache 2.0 and not Apache 1.3 ?

References

• mod_ntlm on SourceForge
• NTLM on Wikipedia
• NTLM on Twiki.org (Google search)
• SolarisInstallCookbook. General cookbook on how to install TWiki on Solaris 10.

-- Contributors: Lars Haarber - 25 Aug 2006

Discussion

Thanks Lars for sharing this with the TWikiCommunity!

-- PeterThoeny - 02 Sep 2006

Previously I was using PAM authentication for our internal twiki site, saw this topic and thought…. “I’m having some of that”. Now I installed the unofficial mod on a Debian Linux system and come across a few problems.

1. I needed to install the dev stuff to get apxs.

apt-get install apache2-dev

maybe apt-get install apache2-utils would of worked but I just walloped the dev stuff on.

2. When I run make I had to point it to the actual apxs location due it being called apxs2

make all APXS=/usr/bin/apxs2

4. to make this stuff work in firefox (the browser of choice) in the url edit box at the top of firefox I put

about:config

In the filter I typed

ntlm

then I was presented with 3 things I could change. In the network.automatic-ntlm-auth.trusted-uris I put

vm-wiki

The wiki server, this I think is what the user would type in to get to the wiki, note this is a comma separated list, so many servers can be specified here. Hopefully this will speed up other’s linux installs of this apache mod

-- GarethSmith - 03 Sep 2006