NTLM

From Request Tracker Wiki

The following document describes how to set up authentication against a Windows domain using mod_perl and Apache::AuthenNTLM.

Follow the steps given below for getting NTLM authentication working.

1. Install/configure mod_perl under Apache (and get it working, of course).
2. Download the following files for doing NTLM authentication (these worked for us):
       * For Fedora Core systems download the module from
       http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm
       * For Debian Linux systems, download the module from
       http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10

3. Install the module

    tar xvfz Apache*AuthenNTLM*.tgz
    cd Apache*AuthenNTLM*
    perl Makefile.PL
    make
    make test
    make install

4. Edit the Apache configuration and enable KeepAlive

    KeepAlive On

   Restart your Apache server.

5. Configure Apache to do the authentication. For example, in .htaccess add:

   # Enable the Authentication module
   PerlAuthenHandler Apache2::AuthenNTLM

   #                    domain      pdc         bdc
   # Domain : Your Windows domain
   # pdc : Primary Domain Controller
   # bdc : Backup Domain controller.
   #
   # Note : Multiple domains can be specified.

   PerlAddVar ntdomain  "OURDOMAIN  domainpdc domainsdc"

   # What should be the default domain
   PerlSetVar defaultdomain OURDOMAIN

   # The user names are in the form "OURDOMAIN\user_name". Let us split it.
   PerlSetVar splitdomainprefix 1

   # Set the debug variables
   PerlSetVar ntlmdebug 0
   PerlSetVar ntlmauthoritative off


   More documentation is available in the README file that accompanies the tarball, or at the following link

   Once this is done, the domain user is populated as REMOTE_USER in the HTTP server variables,
   where any application can pick it up for authentication.


 6. Configure RT for external web authentication. In RT_SiteConfig.pm:

    Set($WebExternalAuth , '1');
    Set($WebFallbackToInternalAuth , '1');
    Set($WebExternalGecos , undef);
    Set($WebExternalAuto , '1');

 7. Configure the Apache virtual host to use mod_ntlm for authentication:

 <VirtualHost *>
    ServerName rt.example.com
    DocumentRoot /opt/rt3
    AddHandler fastcgi-script fcgi
    Alias /NoAuth/Images/ /opt/rt3/share/html/NoAuth/images/
    ScriptAlias / /opt/rt3/bin/mason_handler.fcgi/
    <Directory "/opt/rt3">
         AddDefaultCharset UTF-8
         SetHandler fastcgi-script
         AuthName "Request Tracker"
         AuthType ntlm,basic
         require valid-user
    </Directory>

    <Location /REST/1.0/NoAuth>
         satisfy any
         allow from all
    </Location>
    <Location /NoAuth>
         satisfy any
         allow from all
    </Location>
    <Location /NoAuth/images>
         SetHandler default-handler
    </Location>

 </VirtualHost>

 8. Restart Apache

 9. Add the URL of your RT apache vhost to either the "trusted sites" or "intranet sites" zone of Internet Explorer.


You can do this on a site-wide basis via the Group Policy Object for your domain controller:

 1. Run "MMC" from Start->Run
 2. From the "Console" menu, select "Add/Remove Snap-in"
 3. From the "Add/Remove Snap-in" dialog, hit the "Add" button.
 4. Select "Group Policy" and hit "Add". This will bring up the "Select Group Policy" wizard.
 5. Hit the "Browse..." button, then select the Default Domain Policy for your domain and hit OK.
 6. Hit the "Finish" button in the Select Group Policy wizard, then the "Close" button on the "Add
    Standalone Snap-in" dialog, then the "OK" button of the "Add/Remove Snap-in" dialog.
 7. From the Default Domain Policy root, browse down to: User Configuration -> Windows Settings ->
    Internet Explorer Maintenance -> Security, and double-click on the "Security Zones and Content
    Ratings" object.
 8. From the "Security Zones and Content Settings" tab, select the "Import the current security
    zones and privacy settings" radio button and click the "Modify Settings" button.
 9. This will bring up the GPO version of the "Internet Properties" control panel. Select either
    the "Local Intranet" or "Trusted Sites" zone as appropriate for your organization and hit the
    "Sites" button in order to add your RT vhost to that zone. If your RT vhost is not SSL-secured,
    you will need to un-check the "Require server verification" checkbox before adding the site.
10. Hit "OK" to close the "Internet Properties" panel, and then "OK" to close the "Security Zones and
    Content Ratings" panel. You can then close the entire MMC console.
11. Your end-users may need to reboot for the Group Policy to be applied to them.

If you also enable AutoCreateFromExternalUserInfo, users authenticated this way will be able to create, modify and view tickets from the website.
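As an added illustration (not code from this wiki page or from Apache::AuthenNTLM itself), the following Python models how the ntdomain, defaultdomain and splitdomainprefix directives from step 5 shape the REMOTE_USER value that RT then trusts through WebExternalAuth. The second domain OTHERDOM and the user names are constructed, and the handling of unknown domains and of name case is an assumption about the module's behaviour, not something the page states. It also makes visible why, with several domains and splitdomainprefix 1, accounts from different domains with the same user name collapse into one RT identity once AutoCreateFromExternalUserInfo is on.

```python
import re

# Constructed sample: the .htaccess directives from step 5, plus a second
# domain (OTHERDOM, a made-up name) to show the multi-domain case.
SAMPLE_HTACCESS = """
PerlAddVar ntdomain  "OURDOMAIN  domainpdc domainsdc"
PerlAddVar ntdomain  "OTHERDOM   otherpdc"
PerlSetVar defaultdomain OURDOMAIN
PerlSetVar splitdomainprefix 1
"""

def parse_ntlm_config(text):
    """Return (domains, defaultdomain, splitdomainprefix); domains maps DOMAIN -> [pdc, bdc, ...]."""
    # Domain names are upper-cased: assumption that NTLM domain names are case-insensitive.
    domains, default, split = {}, None, False
    for line in text.splitlines():
        m = re.match(r'\s*PerlAddVar\s+ntdomain\s+"([^"]+)"', line)
        if m:
            domain, *dcs = m.group(1).split()
            domains[domain.upper()] = dcs
            continue
        m = re.match(r'\s*PerlSetVar\s+(\w+)\s+(\S+)', line)
        if m and m.group(1) == 'defaultdomain':
            default = m.group(2).upper()
        elif m and m.group(1) == 'splitdomainprefix':
            split = m.group(2) == '1'
    return domains, default, split

def resolve_remote_user(name, domains, default, split):
    """Model the REMOTE_USER value produced for a client-supplied DOMAIN\\user name."""
    # Under this model a domain missing from ntdomain has no DC to verify against -> None.
    domain, user = name.split('\\', 1) if '\\' in name else (default, name)
    domain = (domain or '').upper()
    if domain not in domains:
        return None
    return user if split else f"{domain}\\{user}"

def find_collisions(names, domains, default, split):
    """Return the REMOTE_USER values that more than one client identity maps onto."""
    # With splitdomainprefix 1 and several domains, OURDOMAIN\jdoe and OTHERDOM\jdoe
    # both become "jdoe": one RT account for two different directory principals.
    seen = {}
    for n in names:
        r = resolve_remote_user(n, domains, default, split)
        if r is not None:
            seen.setdefault(r, []).append(n)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

If find_collisions reports anything for your real domain list, keep splitdomainprefix at 0 so RT user names stay domain-qualified, or restrict ntdomain to a single domain.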

Special thanks to http://blank.org/memory/output/rt-ad-sso.html and drupal.org/node/44718

Sites from which I pieced together the information to get this document