I am installing Drupal on Apache 1.3.* under Windows 2000 for our intranet. I have a module installed to give me NTLM authentication to authenticate accesses to the site when they connect with Internet Explorer.

I would also like users to be automagically logged in using their NT domain credentials (domain\user). Is there a way to do this currently?

Thanks,
Mike

Comments

Kjartan wrote:

If you are able to find some example code for PHP on how to accomplish this I'm sure someone could make a quick module for it.

--
Kjartan

Anonymous wrote:

I have used the following code to authenticate against an Exchange server.
I'm sure AD can't be much different.

<?php
// Bind DN and password of the account being authenticated.
$dn = "cn=TestUser,cn=Recipients,ou=xxxx,o=xxx";
$password = "654321";

// Connect to the LDAP service on the Exchange server (port 389).
if (!($ldap = ldap_connect("mail.xxx.xxx.xxx", 389))) {
  die("Could not connect to LDAP server");
}

// A successful bind means the DN/password pair was accepted by the server.
if (!($res = @ldap_bind($ldap, $dn, $password))) {
  die("Could not bind to $dn");
}
?>

Sadly I do not have the skills to code a module.
I wish there was a small working LDAP authentication module; I don't much care for the directory searching and whatnot, I just want people to be able to use their usual login IDs and passwords.

moshe weitzman wrote:

if you look in the Contrib repository, under /modules/authentication/LDAP, you will find a generic LDAP authentication module. this module enables authentication against an external LDAP server, and has been tested against the Windows Active Directory (AD supports LDAP nicely). The module doesn't do NTLM; users must type in their username/password on the drupal login page (or box) and they will be authenticated by Active Directory. This shouldn't be too big a hassle, since passwords may be remembered via cookie.

The module also lets you search the LDAP Directory via a Search block, it displays and allows editing of LDAP data on the user profile pages, and generally kicks ass. Thanks to Pixelworks for donating the source for that module.

The module requires a few changes to the user module. See the README file.

FYI, Drupal runs perfectly under IIS if you prefer that to Windows Apache.

Anonymous wrote:

Hi,

I've just tried out installing the ldap.module together with the updated user.module (89KB); this does not work, since the Drupal-powered website no longer shows a log-in screen.

Could you please supply me with the correct information on this? I'm not familiar with the way a CVS is supposed to be operated, so I'm kind of lost for the good code. Though I believe I've downloaded the correct files already anyhow.

mailto:joris.lambrecht@transoceanlogistics.com

moshe weitzman wrote:

I will be releasing a user.module and an ldap_integration.module which are compatible with the 4.2 release.

Anonymous wrote:

You need testers?

Anonymous wrote:

Well, I will then. The oddest thing I've seen so far is that the original user.module lets the Drupal scripts run fine, while the newer user.module (89kb) shows blank pages, with no error output found.

Anonymous wrote:

Can't get it to work.
I'm authenticating on AD.
This is the LDAP Bind DN:
cn=ldapuser,cn=users,dc=net,dc=minkema,dc=nl

ldapuser is authenticated correctly. But it is the only user I get authenticated. This is the user who has authority to query.
But where do I put its password?

Every other user gets the next message:
warning: LDAP: Unable to bind to server: Invalid credentials in /drupal/html/modules/ldap_integration.module on line 459.
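Added example, not code from any poster in this thread, showing the two-step pattern that the Exchange bind snippet above and the "where do I put its password" question are circling: the ldapuser bind DN and its password belong to a service account that is used only to look up the DN of the person logging in, and the person's own password is then checked with a second, separate bind. The URI, base DN, service-account DN and attribute names are placeholders (assumptions), and `ldap_ad_authenticate` is a hypothetical helper, not part of ldap_integration.module.

```php
<?php
// Added example, not from the thread: two-step LDAP authentication against
// Active Directory. Service-account (search) bind first, then a bind as the
// user whose password is being checked.
//
// All host names, DNs and credentials below are placeholders (assumptions).

function ldap_ad_authenticate($config, $username, $password) {
  // Reject empty input up front: an LDAP simple bind with a DN and an empty
  // password is an *anonymous* bind, which succeeds on most servers and
  // would look like a valid login for any username.
  if ($username === '' || $password === '') {
    return FALSE;
  }
  // Restrict the login name to characters valid in a sAMAccountName so the
  // value cannot carry LDAP filter metacharacters ( ) * \ into the search.
  if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
    return FALSE;
  }

  $ldap = ldap_connect($config['uri']);
  if (!$ldap) {
    return FALSE;
  }
  ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise stall searches

  // Step 1: bind as the service account that is allowed to search the tree.
  // Its password lives in server-side configuration, never in the login form.
  if (!@ldap_bind($ldap, $config['bind_dn'], $config['bind_pw'])) {
    ldap_close($ldap);
    return FALSE;
  }

  // Step 2: locate the user's DN. Exactly one match is required.
  $filter = '(&(objectClass=user)(sAMAccountName=' . $username . '))';
  $sr = @ldap_search($ldap, $config['base_dn'], $filter, array('mail', 'displayname'));
  $entries = $sr ? ldap_get_entries($ldap, $sr) : FALSE;
  if (!$entries || $entries['count'] != 1) {
    ldap_close($ldap);
    return FALSE;
  }
  $user_dn = $entries[0]['dn'];

  // Step 3: bind again, this time as the user with the supplied password.
  // "Invalid credentials" here means the password is wrong; the service
  // account's credentials are never used to vouch for the user.
  $result = FALSE;
  if (@ldap_bind($ldap, $user_dn, $password)) {
    $result = array(
      'dn'   => $user_dn,
      'mail' => isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : '',
      'name' => isset($entries[0]['displayname'][0]) ? $entries[0]['displayname'][0] : $username,
    );
  }
  ldap_close($ldap);
  return $result;
}

// Constructed placeholder configuration; replace with real values.
$config = array(
  'uri'     => 'ldap://dc.example.internal:389',
  'base_dn' => 'dc=example,dc=internal',
  'bind_dn' => 'cn=ldapuser,cn=users,dc=example,dc=internal',
  'bind_pw' => 'service-account-password',
);

$who = ldap_ad_authenticate($config, 'jdoe', 'the-users-own-password');
echo $who ? "login ok for {$who['dn']}\n" : "login failed\n";
?>
```

Two notes on the design: Active Directory also accepts a bind as `DOMAIN\user` or `user@domain.tld`, which lets you skip the search step, but the per-login bind as the user is still what proves the password; and if you need to allow characters outside the pattern above, escape the name with `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` (PHP 5.6 and later) before building the filter.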

Anonymous wrote:

Does anyone have any clue on this? I'm expecting (by guess) the RCs to be over within 3 months or so; will we have to wait that long for the ldap-module to be released? It would be a great extra to this release, I figure by now ...

Regards,

Joris

(the anonymous poster)

moshe weitzman wrote:

Please send me feedback on today's commit of a new user.module and ldap_integration.module, which work on Drupal 4.2.

bsimser wrote:

I'm just looking at using Drupal on IIS for a departmental intranet. However, with all the userid/passwords that people have I would like to let them into the site automatically as IIS knows who they are (from their domain\user). Will one of the ldap modules listed do this automatically? I don't want to have the user even see a login screen or have to type a userid/password (even if it is their NT one). Thanks.

moshe weitzman wrote:

The current ldap_integration module does not speak NTLM. It will probably take a corporate sponsor to pay for this enhancement, as it is non-trivial. I have not yet looked at this closely though. PHP examples of grabbing username/password from IIS would be very helpful.

- moshe

moshe weitzman wrote:

I just found this page, which shows that the username is easily obtained from the $_SERVER array. I tested, and it is indeed true. It should be straightforward to get Drupal to load the proper user account based on this variable.

The plan is ...

Create a new ntlm.module with this code:


<?php
/**
** module is untested
**
** you must turn on 'windows integrated authentication' for the drupal directory in IIS
** or use Apache ntlm module (really untested)
**
** you will want to disable the registration and login blocks in Drupal
**
** TODO:
** - strip domain name before saving the user
** - confirm that we can trust the $AUTH_USER element
** - optionally grab elements from Active Directory using LDAP during user login. this will auto populate
**   fields like phone number, birthday, etc.
*/

function ntlm_init() {
  global $user;

  // $user is always an object in Drupal; only a non-zero uid means logged in
  if ($user->uid) {
    // do nothing because user is already logged in
  }
  else {
    if ($auser = $_SERVER["AUTH_USER"]) {
      // user is logged into NT. try to log into Drupal. if unsuccessful, reg the user
      $user = user_load(array("name" => $auser));
      if (!$user) {
        if (variable_get("user_register", 1) == 1) {
          $user = user_save("", array("name" => $auser, "pass" => user_password(), "init" => $auser, "status" => 1, "rid" => _user_authenticated_id()));
          watchdog("user", "new user: $auser (NTLM)", l(t("edit user"), "admin/user/edit/$user->uid"));
        }
      }
    }
    else {
      // do nothing. user isn't logged into NT or web server has NTLM disabled
    }
  }
}
?>

jsloan wrote:

I used a similar approach to the example you give (your example is better, so I am going to use it), but I need to take it a step further... I want to be able to log in as a different user. So I need to prompt for login & password, authenticate against the ADS/LDAP, maintain my new session, and then log in as the local authenticated user when I log out!

Question - does the CVS ldap_integration.module work with the 4.3.0RC? I had trouble with it and wanted to make sure it is supposed to work before digging in.

Also, here is the code I use to strip the domain name from the NT user string - I hope it helps:

<?php
// Drop everything up to and including the last backslash: "DOMAIN\user" -> "user".
$NTLMuser = preg_replace("/^.+\\\\/", "", $_SERVER["AUTH_USER"]);
?>

degerrit wrote:

I've adapted the above script to work on Apache 1.3 with mod_ntlm. It seems to work, but I haven't tested it intensively.

Mozilla may need some tweaking to work: http://plone.org/documentation/how-to/singlesignonwindowsdomains. The note regarding network.automatic-ntlm-auth.trusted-uris is important.

<?php
/**
** module is slightly tested on Apache 1.3 with unofficial mod_ntlm (http://modntlm.jamiekerwick.co.uk/)
**
** you must turn on 'windows integrated authentication' for the drupal directory in IIS
** or use Apache ntlm module (really untested)
**
** you will want to disable the registration and login blocks in Drupal
**
** TODO:
** - strip domain name before saving the user
** - confirm that we can trust the $AUTH_USER element
** - optionally grab elements from Active Directory using LDAP during user login. this will auto populate
**   fields like phone number, birthday, etc.
*/

function ntlm_init() {
  global $user;

  if ($user->name) {
    // do nothing because user is already logged in
  }
  else {
    // mod_ntlm (like any Apache auth module) publishes the identity as REMOTE_USER
    if ($auser = $_SERVER["REMOTE_USER"]) {
      // user is logged into NT. try to log into Drupal. if unsuccessful, reg the user
      $user = user_load(array("name" => $auser));
      if (!$user->name) {
        if (variable_get("user_register", 1) == 1) {
          $user = user_save("", array("name" => $auser, "pass" => user_password(), "init" => $auser, "status" => 1, "rid" => _user_authenticated_id()));
          watchdog("user", "new user: $auser (NTLM)", l(t("edit user"), "admin/user/edit/$user->uid"));
        }
      }
    }
    else {
      // do nothing. user isn't logged into NT or web server has NTLM disabled
    }
  }
}
?>
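Added example, not code from any poster in this thread, that works through two of the TODO items left open in the ntlm.module drafts above ("strip domain name before saving the user" and "confirm that we can trust the $AUTH_USER element") and folds in the domain-stripping one-liner from the jsloan post. It assumes, as the drafts do, that IIS integrated authentication or Apache mod_ntlm is in front of PHP and that the server then reports the method it used in AUTH_TYPE; the helper name `ntlm_trusted_user`, the allowed-domain list and the sample environments are all constructed for the example. The Drupal user_load()/user_save() calls from the drafts would sit where the demo below prints its verdict.

```php
<?php
// Added example, not from the thread. Decide whether a web-server supplied
// identity may be used for automatic login, and reduce DOMAIN\user (or
// user@domain) to a plain account name. Helper name and domain list are
// assumptions made for this example.

// Return the bare, lower-cased account name if the web server itself
// authenticated this request with NTLM/Negotiate; otherwise return NULL.
function ntlm_trusted_user($server, $allowed_domains) {
  // 1. AUTH_TYPE is set by the web server (IIS or mod_ntlm), not by the
  //    browser: anything a client sends as a header arrives as an HTTP_*
  //    variable instead. If the server did not authenticate, believe no
  //    user name at all. Basic auth also fills REMOTE_USER, but that is a
  //    different trust decision, so it is deliberately not accepted here.
  $auth_type = isset($server['AUTH_TYPE']) ? strtoupper($server['AUTH_TYPE']) : '';
  if ($auth_type !== 'NTLM' && $auth_type !== 'NEGOTIATE') {
    return NULL;
  }

  // 2. IIS exposes AUTH_USER (and LOGON_USER); Apache mod_ntlm uses
  //    REMOTE_USER. Take the first one that is set.
  $raw = '';
  foreach (array('REMOTE_USER', 'AUTH_USER', 'LOGON_USER') as $key) {
    if (!empty($server[$key])) {
      $raw = $server[$key];
      break;
    }
  }
  if ($raw === '') {
    return NULL;
  }

  // 3. Split DOMAIN\user (the form the drafts strip with preg_replace) and
  //    also user@domain, the UPN form some Negotiate setups return.
  if (preg_match('/^([^\\\\]+)\\\\([^\\\\]+)$/', $raw, $m)) {
    $domain = $m[1];
    $name   = $m[2];
  }
  elseif (preg_match('/^([^@]+)@([^@]+)$/', $raw, $m)) {
    $name   = $m[1];
    $domain = $m[2];
  }
  else {
    return NULL; // bare name: no domain to check, so refuse
  }

  // 4. Only accounts from the domains this site is meant to trust may be
  //    logged in automatically; a name from any other realm is rejected
  //    rather than silently getting a fresh Drupal account.
  $allowed = array_map('strtolower', $allowed_domains);
  if (!in_array(strtolower($domain), $allowed, TRUE)) {
    return NULL;
  }

  // 5. Constrain the account name to sAMAccountName characters so that what
  //    ends up in the Drupal users table is a plain identifier.
  if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $name)) {
    return NULL;
  }
  // Lower-case so CORP\JDoe and CORP\jdoe map to the same Drupal account.
  return strtolower($name);
}

// Constructed sample server environments (stand-ins for $_SERVER).
$samples = array(
  'iis'       => array('AUTH_TYPE' => 'NTLM',      'AUTH_USER'   => 'CORP\\jdoe'),
  'mod_ntlm'  => array('AUTH_TYPE' => 'NTLM',      'REMOTE_USER' => 'CORP\\JDoe'),
  'negotiate' => array('AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'jdoe@corp.example'),
  'no_auth'   => array(                            'REMOTE_USER' => 'CORP\\jdoe'),
  'foreign'   => array('AUTH_TYPE' => 'NTLM',      'REMOTE_USER' => 'OTHER\\jdoe'),
  'odd_chars' => array('AUTH_TYPE' => 'NTLM',      'REMOTE_USER' => 'CORP\\j doe;'),
);
foreach ($samples as $label => $server) {
  $name = ntlm_trusted_user($server, array('CORP', 'corp.example'));
  printf("%-10s => %s\n", $label, $name === NULL ? 'reject' : "log in as '$name'");
}
?>
```

The `no_auth` case is the one that matters operationally: if integrated authentication is switched off for the directory (or a proxy in front of the site forwards a user name as a plain header), the drafts above would still treat whatever they find as a logged-in user, whereas this helper refuses because the server reported no authentication method.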

degerrit wrote:

In case anyone is interested - there seems to be a module which uses Samba's winbind rather than implementing NTLM auth itself:

http://cvs.samba.org/cgi-bin/cvsweb/mod_ntlm_winbind/

I haven't gotten it working yet, but I assume this is the way to go (based on Samba being tried-and-tested...). Last update is Aug 2004, though.