gmazzo / pyauthenntlm2

This project forked from legrandin/pyauthenntlm2

PyAuthenNTLM2 is a pure Python module that enables Apache to carry out authentication via NTLM and an external Domain Controller.

PyAuthenNTLM2 is a module that enables Apache to carry out authentication by
means of the NTLM protocol and a separate Domain Controller.

Introduction
============

The specific use case of PyAuthenNTLM2 is the following:

 * Users have valid accounts in an existing Windows domain, and you want such
   credentials to be used for HTTP authentication.
 * Apache runs on a server that is not part of the Windows domain.
 * Some of the users cannot use Kerberos. For instance, they connect via a proxy
   or they use machines that are not part of the domain.

Although Kerberos (including its Microsoft variant "Integrated Windows
Authentication") is the best option in terms of security for HTTP
authentication, the venerable NTLM protocol is still a reasonable compromise:
much better than the widespread Basic scheme and marginally better than Digest.
With Basic, anybody on the network path can pick up your password from the
messages sent to the server (unless you use TLS), whereas with Digest the web
server needs local access to the password, or to a hash that is equivalent to
it. With NTLM, the web server can relay every authorization request to the
Domain Controller: it never has to see or store the real passwords.

Note that NTLM protects the password, not the HTTP session: anybody who can
intercept the traffic can still relay the NTLM exchange to another service or
hijack the authenticated connection, so NTLM should be deployed over TLS like
any other HTTP authentication scheme.

Note that NTLMv1 is based on cryptography that is very weak by today's
standards. Ensure that your clients always use NTLMv2 (on Windows this is the
"LAN Manager authentication level" policy, LmCompatibilityLevel). PyAuthenNTLM2
handles all the NTLM variants (NTLMv1, NTLMv2 Session, and NTLMv2) equally
well, so it will not by itself refuse a weak response.
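As an added example (not PyAuthenNTLM2's own code), the following Python 3 snippet decodes the final NTLM message a browser sends (Type 3, AUTHENTICATE_MESSAGE, laid out as in MS-NLMP [1]) and refuses anything that is not an NTLMv2 response, so the server can enforce the policy above instead of trusting that every client is configured correctly. The field layout follows the specification; the function names, the sample responses and the account WDOMAIN\jbrown are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# Positions of the (Len, MaxLen, BufferOffset) descriptors in a Type 3 header
# (MS-NLMP 2.2.1.3). BufferOffset counts from the start of the message, so the
# parser need not know whether the optional Version and MIC fields are present.
FIELDS = {
    "lm_response": 12,
    "nt_response": 20,
    "domain": 28,
    "user": 36,
    "workstation": 44,
}


def _buffer(blob, at):
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, at)
    if offset + length > len(blob):
        raise ValueError("security buffer points outside the message")
    return blob[offset:offset + length]


def parse_type3(blob):
    """Decode an NTLM AUTHENTICATE_MESSAGE (Type 3) into a dict of its fields."""
    if len(blob) < 64 or blob[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype, = struct.unpack_from("<I", blob, 8)
    if mtype != AUTHENTICATE_MESSAGE:
        raise ValueError("expected Type 3, got Type %d" % mtype)
    flags, = struct.unpack_from("<I", blob, 60)
    # Strings are UTF-16LE when the UNICODE flag is set; otherwise they are in
    # the client's OEM code page, assumed ASCII-compatible here.
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    msg = {"flags": flags}
    for name, at in FIELDS.items():
        value = _buffer(blob, at)
        msg[name] = value.decode(encoding) if name in ("domain", "user", "workstation") else value
    return msg


def is_ntlmv2(nt_response):
    """NTLMv1 and the NTLM2 Session Response both produce a 24-byte
    NtChallengeResponse; NTLMv2 sends a 16-byte NTProofStr followed by the
    NTLMv2_CLIENT_CHALLENGE blob, so it is always longer than 24 bytes."""
    return len(nt_response) > 24


def enforce_ntlmv2(authorization):
    """Return (domain, user) from a Type 3 Authorization header value, or None
    when the client answered with anything other than an NTLMv2 response."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = parse_type3(base64.b64decode(encoded))
    if not is_ntlmv2(msg["nt_response"]):
        return None
    return msg["domain"], msg["user"]


def build_type3(domain, user, workstation, lm_response, nt_response,
                flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Serialise a Type 3 message with no Version/MIC fields (64-byte header).
    Used here only to construct test input; a real client computes the responses."""
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    parts = [lm_response, nt_response, domain.encode(encoding),
             user.encode(encoding), workstation.encode(encoding)]
    header = SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    offset, payload = 64, b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
        payload += part
    header += struct.pack("<HHI", 0, 0, offset)  # EncryptedRandomSessionKey: none
    header += struct.pack("<I", flags)
    return header + payload


# Constructed sample responses (filler bytes, not real credentials).
SAMPLE_LM = bytes(24)
SAMPLE_NTLMV1 = bytes(range(24))                       # NTLMv1 / NTLM2 session: 24 bytes
SAMPLE_NTLMV2 = (b"\xaa" * 16                          # NTProofStr
                 + b"\x01\x01" + bytes(2) + bytes(4)   # RespType, HiRespType, reserved
                 + bytes(8) + bytes(8) + bytes(4)      # timestamp, client nonce, reserved
                 + bytes(4))                           # empty AV_PAIR list (MsvAvEOL)


def sample_authorization(nt_response):
    """Authorization header as a browser would send it for WDOMAIN\\jbrown."""
    blob = build_type3("WDOMAIN", "jbrown", "PC1", SAMPLE_LM, nt_response)
    return "NTLM " + base64.b64encode(blob).decode("ascii")
```

The distinguishing rule is the length of NtChallengeResponse: the NTLM2 Session Response (a mixed-mode scheme that some clients fall back to) is also exactly 24 bytes and is rejected together with plain NTLMv1, which is what "always use NTLMv2" requires. The server still forwards the response to the Domain Controller for the actual verification; this check only decides whether it is worth relaying at all.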

Requirements
============

* Mod-python [4]
* Python 2.x
* Apache 2.x

Testing was carried out with:
 - a server with mod-python 3.3.1, Apache 2.2, and Python 2.6.
 - clients with Internet Explorer 7/8, Firefox 7.0, and Chrome.

Installation
============

python setup.py install

Usage
=====
Usage is best shown by an example of Apache configuration:

<Directory /var/lib/some_directory>

    AuthType NTLM
    AuthName WDOMAIN
    require valid-user
    PythonAuthenHandler /usr/local/lib/python2.6/dist-packages/pyntlm.py
    PythonOption Domain WDOMAIN
    PythonOption PDC 192.1.2.45
    PythonOption BDC 192.1.2.46

    # Bypass authentication for local clients.
    # Comment these lines if they should authenticate too.
    Order deny,allow
    Deny  from all
    Allow from 127.0.0.1
    Satisfy any

</Directory>

All non-local clients trying to access a URI mapped under the directory
/var/lib/some_directory will be asked for credentials valid in the Windows
domain WDOMAIN. The user name must be entered in the format domain\user (for
instance WDOMAIN\jbrown).

Local clients (that is, those connecting from 127.0.0.1) will not be presented
with any request for authentication.

The following options exist:

* AuthType NTLM                     Always specify it like this.
* require valid-user                Always specify it like this.
* AuthName [domain]                 Replace [domain] with the domain name to
                                    present to users in the pop-up dialog.
* PythonAuthenHandler [pyntlm.py]   Replace [pyntlm.py] with the complete,
                                    absolute path to the pyntlm.py script.
* PythonOption Domain [domain]      Replace [domain] with the Windows domain
                                    name (uppercase).
* PythonOption PDC [pdc]            Replace [pdc] with the address of the
                                    Primary Domain Controller (either IP or DNS
                                    name).
* PythonOption BDC [bdc]            Replace [bdc] with the address of the Backup
                                    Domain Controller (either IP or DNS name).
                                    This entry is optional.

Apache needs to be configured to send keep-alives (directive 'KeepAlive On').
NTLM authenticates a TCP connection rather than a single request: the server's
challenge (Type 2 message) and the client's response (Type 3 message) travel in
consecutive requests on the same connection, and if Apache closes the
connection in between, the handshake has to start over.
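To make the keep-alive requirement concrete, here is an added example (not PyAuthenNTLM2's code) of the server side of the three-message NTLM exchange in Python 3, holding the outstanding challenge per connection. The message layouts follow MS-NLMP [1]; the class and function names, the constructed Type 1 and Type 3 messages, and the domain WDOMAIN are assumptions for illustration. A real handler would pass the challenge and the Type 3 to the Domain Controller for verification, which this example only signals with a RELAY result.

```python
import base64
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000


def decode_authorization(value):
    """'NTLM <base64>' header value -> raw NTLMSSP message bytes."""
    return base64.b64decode(value[5:])


def message_type(blob):
    if len(blob) < 12 or blob[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", blob, 8)[0]


def build_type2(server_challenge, domain):
    """CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) without the optional Version field:
    48-byte header, then TargetName and a TargetInfo AV_PAIR list. TargetInfo
    is what an NTLMv2 client folds into its response, so it must be present."""
    assert len(server_challenge) == 8
    target = domain.encode("utf-16-le")
    target_info = struct.pack("<HH", 2, len(target)) + target   # MsvAvNbDomainName
    target_info += struct.pack("<HH", 0, 0)                      # MsvAvEOL
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_DOMAIN
             | NTLMSSP_NEGOTIATE_TARGET_INFO)
    header = SIGNATURE + struct.pack("<I", CHALLENGE)
    header += struct.pack("<HHI", len(target), len(target), 48)
    header += struct.pack("<I", flags)
    header += server_challenge
    header += bytes(8)                                           # Reserved
    header += struct.pack("<HHI", len(target_info), len(target_info), 48 + len(target))
    return header + target + target_info


def build_type1(flags=NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM):
    """Minimal NEGOTIATE_MESSAGE a client sends first: empty domain/workstation buffers."""
    return SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + struct.pack("<HHI", 0, 0, 32) * 2


# Constructed stand-in for a client's Type 3; only its header matters to the state machine.
SAMPLE_TYPE3 = SIGNATURE + struct.pack("<I", AUTHENTICATE) + bytes(52)


class NtlmConnection:
    """Handshake state for ONE TCP connection. The Type 3 reply is only meaningful
    against the challenge issued earlier on the same connection, which is why
    Apache must keep the connection open between the 401 carrying the Type 2
    and the request carrying the Type 3."""

    def __init__(self, domain, rng=os.urandom):
        self.domain = domain
        self._rng = rng                 # injectable so the exchange is reproducible
        self.pending_challenge = None

    def handle(self, authorization):
        """Drive one request on this connection. Returns one of:
        ("RESTART", "NTLM")                      -> 401, client must start with Type 1
        ("CHALLENGE", www_authenticate_value)    -> 401 carrying our Type 2
        ("RELAY", server_challenge, type3_blob)  -> hand both to the DC for verification
        """
        if not authorization or not authorization.startswith("NTLM "):
            self.pending_challenge = None
            return ("RESTART", "NTLM")
        blob = decode_authorization(authorization)
        mtype = message_type(blob)
        if mtype == NEGOTIATE:
            self.pending_challenge = self._rng(8)
            type2 = build_type2(self.pending_challenge, self.domain)
            return ("CHALLENGE", "NTLM " + base64.b64encode(type2).decode("ascii"))
        if mtype == AUTHENTICATE:
            if self.pending_challenge is None:
                # Type 3 with no outstanding challenge: the client came back on a
                # new connection (keep-alive off, or a proxy reconnected) or is
                # replaying an old response. Nothing to verify it against.
                return ("RESTART", "NTLM")
            challenge, self.pending_challenge = self.pending_challenge, None  # single use
            return ("RELAY", challenge, blob)
        raise ValueError("unexpected NTLM message type %d" % mtype)


def walk_through():
    """Happy path on one keep-alive connection, then a Type 3 arriving on a fresh one."""
    conn = NtlmConnection("WDOMAIN", rng=lambda n: b"\x11" * n)
    type1 = "NTLM " + base64.b64encode(build_type1()).decode("ascii")
    type3 = "NTLM " + base64.b64encode(SAMPLE_TYPE3).decode("ascii")
    steps = [conn.handle(None), conn.handle(type1), conn.handle(type3)]
    steps.append(NtlmConnection("WDOMAIN").handle(type3))
    return steps
```

The challenge is consumed when the Type 3 arrives, so a second Type 3 on the same connection, or one on a connection that never saw a Type 1, is sent back to the start of the handshake rather than forwarded to the Domain Controller; that is the behaviour a client observes as a repeated credentials prompt when KeepAlive is off.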

Logging
=======

All logs will show up in the Apache log file.

Thanks
======

Microsoft for the large amount of technical specifications about NTLM and SMB
it disclosed [1].
Eric Glass for his long article about NTLM [2]. In several ways, it is more
complete and precise than [1].
Gerald Richter and Shannon Eric Peevey for AuthenNTLM [3], which inspired this
module.

Contacts
========

Send an email to Legrandin <[email protected]> or drop a
message at https://github.com/Legrandin/PyAuthenNTLM2.

References
==========

[1] http://msdn.microsoft.com/en-us/library/gg258393%28v=PROT.13%29.aspx
[2] http://davenport.sourceforge.net/ntlm.html
[3] http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm
[4] http://www.modpython.org

TODO
====
Add sample NTLM client, so that you can test without a browser.
Right now, PyAuthenNTLM2 is authoritative. It can be improved to work alongside other schemes, like Basic.
Since mod-python is not that active anymore, port it to modwsgi.
Extend it so that it can be used also for group authorization, where groups are defined in AD.
Add support for lighttpd.
