NTLM is a proprietary (and not very good) protocol for deploying Single Sign On in predominantly Windows-oriented networks (ours included). The NTLM exchange is carried over HTTP, so users who are logged on to the Windows Active Directory network can transparently log on to web services with their Windows credentials (and thereby get Single Sign On). Getting IIS servers working with NTLM is easy (as it should be), but traditionally Apache servers have had problems doing this.
This document explains how to get NTLM authentication working for Drupal on Linux + Apache boxes.
There are various methods for getting NTLM authentication working in Apache.
- mod_ntlm - an Apache module which adds NTLM support to Apache. However, it is not very actively maintained, and getting it compiled and running on various Apache versions (and various distributions) is a herculean task. To top it off, the compilation throws out a lot of warnings, and one tends to feel uncomfortable running it.
- mod_ntlm_winbind - for boxes that have Winbind (1, 2) configured, this module can be configured to provide NTLM authentication for Apache. However, it is still under development and is not well tested.
However, for the help of people working in such unfriendly conditions, there is an excellent Perl module, Apache::AuthenNTLM, that provides good support for NTLM authentication under mod_perl.
Follow the steps given below for getting NTLM authentication working.
- Install/configure mod_perl under Apache (and get it working, of course).
- Download the following files for doing NTLM authentication (the following files worked for us):
- For Fedora Core systems (mod_perl 2), download the Apache2::AuthenNTLM module from http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm
- For Debian Linux systems (mod_perl 1), download the Apache::AuthenNTLM module from http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10
- Install the module (the usual CPAN build steps follow the unpack):
tar xvfz Apache*AuthenNTLM*.tgz
cd Apache*AuthenNTLM* && perl Makefile.PL && make && make install
- Edit the Apache configuration and enable KeepAlive (KeepAlive On). NTLM authenticates the TCP connection rather than each request, so the multi-step handshake only completes if the connection stays open; a proxy or load balancer in front of Apache that does not preserve the client connection will break it.
- Restart your Apache server.
- Configure Apache to do the authentication. For example, in .htaccess add:
# Enable the authentication module
# (use PerlAuthenHandler Apache2::AuthenNTLM with mod_perl 2 / the Fedora package)
PerlAuthenHandler Apache::AuthenNTLM
# Do NTLM and basic authentication
AuthType ntlm,basic
# The name that should be displayed in the Auth box, if NTLM fails
AuthName "Your Realm Name"
# Ask for a valid user.
require valid-user
# domain pdc bdc
# Domain : Your windows domain
# pdc : Primary Domain Controller (host name)
# bdc : Backup Domain Controller (host name)
# Note : Multiple domains can be specified, one PerlAddVar line each.
PerlAddVar ntdomain "OURDOMAIN domainpdc domainsdc"
# What should be the default domain
PerlSetVar defaultdomain OURDOMAIN
# The user names are in the form "OURDOMAIN\user_name". Let us split it.
PerlSetVar splitdomainprefix 1
# Debug output off (raise the level while troubleshooting)
PerlSetVar ntlmdebug 0
# With authoritative off, a failed NTLM/basic check is passed on to any
# later authentication handler instead of being rejected outright.
PerlSetVar ntlmauthoritative off
More documentation is available in the README file accompanying the tarball, or at the following link
Once this is done, the authenticated domain user is populated as REMOTE_USER in the web server's environment, where any application can pick it up for authentication.
- Now we need Drupal to pick up this user id and automatically create a user. Once NTLM authentication is working, the user id is available as REMOTE_USER, and the Webserver Auth module can use this variable to log the user in automatically.
Download, install, enable and configure the Webserver auth module, and you should have a Drupal setup that integrates seamlessly into Windows AD based networks.
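The last two steps rely on the application trusting REMOTE_USER. As an added example (not part of the original page, and not the Webserver Auth module's own code), here is plain PHP showing how an application should consume that variable: it reads only the server-set REMOTE_USER (never a client-supplied header, which Apache exposes as HTTP_REMOTE_USER), honours the splitdomainprefix / defaultdomain conventions from the .htaccess above, accepts only the domains configured in ntdomain, and whitelists the account-name characters before the value is used as a local user name. The function name, the domain list and the sample requests are constructed for the example.

```php
<?php
// Added example: consuming the REMOTE_USER set by Apache::AuthenNTLM in an
// application. Not code from the page or the Webserver Auth module; the
// allowed-domain list mirrors the ntdomain/defaultdomain settings above.

/**
 * Derive the account to log in from the web server environment.
 * Returns ['domain' => ..., 'user' => ...] or null when nothing trustworthy
 * is present. $server is normally $_SERVER; it is a parameter so the logic
 * can be exercised with constructed input.
 */
function ntlm_account(array $server, array $allowedDomains, string $defaultDomain): ?array
{
    // REMOTE_USER is set by Apache itself once the PerlAuthenHandler has
    // succeeded. A client may send a "Remote-User:" request header, but that
    // surfaces as HTTP_REMOTE_USER, which is deliberately never consulted.
    $raw = $server['REMOTE_USER'] ?? '';
    if ($raw === '') {
        return null;
    }

    // The module delivers "DOMAIN\user" (splitdomainprefix 0) or a bare
    // "user" (splitdomainprefix 1); a bare name belongs to defaultdomain.
    $parts = explode('\\', $raw, 2);
    if (count($parts) === 2) {
        [$domain, $user] = $parts;
    } else {
        $domain = $defaultDomain;
        $user = $raw;
    }
    $domain = strtoupper($domain);

    // Refuse domains the server was not configured to authenticate against.
    $allowed = array_map('strtoupper', $allowedDomains);
    if (!in_array($domain, $allowed, true)) {
        return null;
    }

    // Constrain the account name to a conservative character set before it
    // becomes a Drupal user name or part of a query.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }

    // Windows account names are case-insensitive; normalise so the same
    // person always maps to one local account.
    return ['domain' => $domain, 'user' => strtolower($user)];
}

// Constructed sample requests, as the values would appear in $_SERVER.
$allowedDomains = ['OURDOMAIN'];
$defaultDomain  = 'OURDOMAIN';
$samples = [
    'authenticated, prefix kept'    => ['REMOTE_USER' => 'OURDOMAIN\\JSmith'],
    'authenticated, prefix split'   => ['REMOTE_USER' => 'jsmith'],
    'foreign domain'                => ['REMOTE_USER' => 'OTHERDOM\\jsmith'],
    'forged header, no server auth' => ['HTTP_REMOTE_USER' => 'admin'],
    'malformed account name'        => ['REMOTE_USER' => "OURDOMAIN\\j'; DROP TABLE users;--"],
];
foreach ($samples as $label => $server) {
    $acct = ntlm_account($server, $allowedDomains, $defaultDomain);
    printf("%-32s => %s\n", $label,
        $acct === null ? 'rejected' : $acct['domain'] . '\\' . $acct['user']);
}
```

Run it with `php ntlm_account.php`: the first two samples resolve to `OURDOMAIN\jsmith`, the other three are rejected. The same checks belong wherever Drupal (or any other application) turns REMOTE_USER into a local account, and the location serving that code must be the one where Apache enforces `require valid-user`, otherwise REMOTE_USER is simply absent.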