Apache authentication: NTLM Single Signon: Difference between revisions

Latest revision as of 16:46, 14 May 2023

This material is proposed for merging ...

It should be merged with Apache. Everything in one place seems logical (Discuss)

NTLM single sign on under Apache

Note: This guide assumes you have Samba configured and connected to a Windows domain

Installation and Configuration

Install needed packages:

# apk add apache2 apache-mod-auth-ntlm-winbind

Add apache user to winbind group:

# addgroup <user> winbind

add to httpd.conf (virtual host):

Contents of /etc/apache2/httpd.conf

# /etc/apache2/httpd.conf

AuthType NTLM
NTLMauth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
Require user <users>

Ensure that all users requiring authentication are added to the last line.

Alternatively, allow all valid users who are members of the winbind domain with the following:

Contents of /etc/apache2/httpd.conf

# /etc/apache2/httpd.conf

AuthType NTLM
NTLMauth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -require-membership-of="WORKGROUP\Domain Users""
Require valid user

Restart Apache and test:

# rc-service apache2 restart

@@ Line 1: / Line 1: @@
-NTLM single sign on under Apache<br />
+{{Merge|Apache|Everything in one place seems logical}}
-Install needed packages (you will need both the main and testing repositories from edge):<br />
- apache2<br />
+NTLM single sign on under [[Apache]]
- apache-mod-auth-ntlm-winbind<br />
- samba (joined to a Windows Domain) with winbind running<br />
+{{Note|This guide assumes you have Samba configured and connected to a Windows domain}}
-<br />
-add apache user to winbind group<br />
+== Installation and Configuration ==
-Note: This howto does not show how to join Samba to a Windows domain, only how to setup the Apache authentication helper that uses the NTLM protocol while authenticating to such a domain.
-add to httpd.conf (virtual host):<br />
+Install needed packages:
- AuthType NTLM<br />
- NTLMauth on<br />
+{{cmd|# apk add apache2 apache-mod-auth-ntlm-winbind}}
- NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"<br />
- Require user jbilyk<br />
+Add apache user to winbind group:
-Don't forget to customize the final line with the username(s) that you wish to limit usage to.  Alternatively, make the final line "Require valid user" and change the helper line to inlude something like "-require-membership-of="WORKGROUP\Domain Users"".<br />
-Restart apache and test<br />
+{{cmd|# addgroup <user> winbind}}
+add to httpd.conf (virtual host):
+{{cat|/etc/apache2/httpd.conf|<nowiki># /etc/apache2/httpd.conf
+AuthType NTLM
+NTLMauth on
+NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
+Require user <users>
+</nowiki>
+}}
+Ensure that all users requiring authentication are added to the last line.
+Alternatively, allow all valid users who are members of the winbind domain with the following:
+{{cat|/etc/apache2/httpd.conf|<nowiki># /etc/apache2/httpd.conf
+AuthType NTLM
+NTLMauth on
+NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -require-membership-of="WORKGROUP\Domain Users""
+Require valid user
+</nowiki>
+}}
+Restart Apache and test:
+{{cmd|# rc-service apache2 restart}}
 [[Category:Authentication]]
 [[Category:Web Server]]