Summary: Use Windows-Logon for Authentication on pmwiki
Version: 1
Prerequisites: apache, mod_ntlm, samba/winbind
Status: Stable
Maintainer: Falk Hamann
Questions answered by this recipe
Note: For other single sign-on issues for sharing database logins you may want to see AuthUserDbase.
- How can the Windows logon be used for authentication on pmwiki?
- How can Single Sign-On be realized?
- Why do DOMAIN users have to authenticate a second time on pmwiki?
- Would authentication against the Primary Domain Controller be possible?
Description
This Cookbook recipe describes a solution to realize Single Sign-On for Windows clients against a Primary Domain Controller (Samba).
A long, but good, description of NTLM can be found here.
What's needed?
</grreplace>
<gr_replace lines="19" cat="clarify" orig="- Webserver which">
- Web server which understands NTLM and validates the hashes via the PDC
- Server
- Webserver which understands NTLM and validate hashes via PDC
- Windows, IIS or apache2+mod_auth_sspi
- *nix, apache+mod_ntlm and samba/winbindd
- some small adjustments on pmwiki
- Client
- OS which authenticates users against the Primary Domain Controller
- Browser which sends NTLM (I prefer Firefox.)
Server - Windows
- IIS should play with NTLM out of the box (but is NOT free)!?
- apache(v2.2.3)+mod-auth-sspi
Server - *nix
- download, configure, compile apache+mod_ntlm
- prepare winbindd for apache+mod_ntlm
- install, configure samba
- let the server join the domain
- grant apache access to /var/run/samba/winbindd_privileged
  - groupadd winbindd
  - chgrp winbindd /var/run/samba/winbindd_privileged
  - /etc/rc.d/apache restart
pmwiki-config
- local/farmconfig.php or local/config.php:

    include_once("$FarmD/scripts/httpauth.php");  # NTLM-Auth, Basic-Auth fallback
    include_once("$FarmD/scripts/authuser.php");
    if (@$_SERVER['REMOTE_USER']) {
        # remove the domain name: "DOMAIN\user" -> "user"
        # (the pattern is /^[^\\]+\\/ once PHP has unescaped the string)
        $temp = preg_replace("/^[^\\\]+\\\/", "", @$_SERVER['REMOTE_USER']);
        $_SERVER['REMOTE_USER'] = $temp;
        $Author = $temp;  # set Author to REMOTE_USER
        AuthUserId($pagename, stripmagic(@$_SERVER['REMOTE_USER']));  # log in to authuser
        # fix the author field of the edit form so it shows the logged-in user
        SDVA($InputTags['e_author'], array(
            ':html' => "$Author<input type='hidden' \$InputFormArgs />",
            'name' => 'author', 'value' => $Author));
    }
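A stricter variant of the domain-stripping step above, as an added example and not code from the recipe: it accepts only users that mod_ntlm/mod_auth_sspi authenticated against an expected domain, and only names made of characters that are safe to use as $Author and as an AuthUser id. The function name, the domain list EXAMPLE and the sample values are assumptions for illustration.

```php
<?php
// Added example (not part of the original recipe).
// Turns the REMOTE_USER value delivered by mod_ntlm / mod_auth_sspi into a
// PmWiki author name, or returns null when the value should not be trusted.
function ntlmUserToAuthor($remoteUser, array $allowedDomains) {
    // Expected form is DOMAIN\user, the same form the Basic-Auth fallback asks for.
    // Regex after PHP unescaping: /^([^\\]+)\\([^\\]+)$/  (exactly one backslash)
    if (!preg_match('/^([^\\\\]+)\\\\([^\\\\]+)$/', $remoteUser, $m)) {
        return null;  // no domain prefix, or more than one backslash
    }
    list(, $domain, $user) = $m;

    // Domain names are case-insensitive; only accept domains we expect.
    $allowed = array_map('strtoupper', $allowedDomains);
    if (!in_array(strtoupper($domain), $allowed, true)) {
        return null;  // authenticated, but by a domain this wiki does not trust
    }

    // Keep only characters that cannot break page names or AuthUser lookups.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    return $user;
}

// Constructed sample values, as a web server might place them in REMOTE_USER
// (assumed domain name EXAMPLE).
$samples = array('EXAMPLE\\alice', 'example\\Bob.Smith', 'OTHER\\carol', 'alice', 'EXAMPLE\\a b/c');
foreach ($samples as $s) {
    $author = ntlmUserToAuthor($s, array('EXAMPLE'));
    echo $s, ' => ', ($author === null ? 'rejected' : $author), "\n";
}
```

In config.php the result replaces the recipe's `$temp`: a null return means the request should be treated as not logged in rather than handed to AuthUserId.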
Client Preferences
- Firefox Preferences
- about:config
- network.automatic-ntlm-auth.trusted-uris=yourserver.domain
- Opera Preferences
- opera:config
- Network->Enable NTLM
- IE Preferences
- not used, unknown
Notes
What happens if the browser does not support NTLM?
The fallback authentication method is "Basic-Auth", which pops up the ugly browser window asking for login and password.
username: DOMAIN\user
Which browsers/platforms support NTLM?
- WinXP/Firefox >1.0: works
- WinXP/Opera 9.02: only Basic-Auth (see forum)
- WinXP/IE 6: should work (not tested)
- linux/Firefox 2.0: only Basic-Auth
- linux/Firefox 2.0+NTLM-Proxy: should work (not tested)
- linux/Opera 9.02: FAILED!! (the NTLM feature of Opera seems to be Windows-only)
Can groups defined in AuthUser be used?
- Yes! Nothing has to be changed. You can also define global passwords in config.php. See PasswordsAdmin and Passwords.
Release Notes
Version 1 (20061130)
See Also
Contributors
Comments