Automatyczna autoryzacja do serwisu WWW (apache) na podstawie konta w Active directory

Link do modułu:

http://sourceforge.net/project/showfiles.php?group_id=4906&package_id=75281

Musimy zmienic pare plików: session.inc.c, smblib.inc.c, smbencrypt.inc.c, rfcnb-util.inc.c, smblib-util.inc.c.

#cd smbval

zmieniamy: session.inc.c, smblib.inc.c, rfcnb-util.inc.c, oraz smblib-util.inc.c.

#include <malloc.h>

na:

#include <stdlib.h>

w pliku: smbencrypt.inc.c

#include <sys/vfs.h>

na:

#include <sys/param.h>
#include <sys/mount.h>

w pliku: mod_ntlm.c:

apr_pool_sub_make(&sp,p,NULL);

na:

apr_pool_create_ex(&sp,p,NULL,NULL);

w pliku: smblib.inc.c

static int SMBlib_errno;
static int SMBlib_SMB_Error;

na:

int SMBlib_errno;
int SMBlib_SMB_Error;

oraz:

static SMB_State_Types SMBlib_State;

na:

SMB_State_Types SMBlib_State;

w Makefile (dla apache2 i debiana)

install: all
       $(APXS) -i -a -n 'ntlm' mod_ntlm.so

na:

install: all
       $(APXS) -i -a -n 'ntlm' .libs/mod_ntlm.so

oraz

APACHECTL=/etc/rc.d/apache

To:

APACHECTL=/usr/sbin/apache2ctl

oraz:

APXS=apxs

na:

APXS=apxs2

kompilujemy

make install

i dodajemy wpisy dla moduły:

echo "LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so" > /etc/apache2/mods-available/ntlm.load

a2enmod ntlm

konfigurujemy apache2. dla katalogu lub lokacji, czyli Directory lub Location dorzucamy:

AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain TWOJA.DOMENA
NTLMServer podstawowy.kontroler.domeny
NTLMBackup zapasowy.kontroler.domeny
Require valid-user

W systemie vista oraz Windows 7 w rejestrze musimy dorzucic wpis DWORD

LmCompatibilityLevel na 1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Aby logowanie było mozłiwe automatycznie dla komputerów w ActiveDirectory bez podawania loginu i hasla musimy w przegladarce ustawic:

firefox -> w pasku adresu wpisujemy about:config wpisujemy w wyszukiwarke opcji : network.auto

i w opcji

network.automatic-ntlm-auth-trusted-uris

dodajemy nasz sajt http://nasza.www

ie -> narzedzia -> internetowe opcje -> zabezpieczenia

wybieramy lokalny intranet klikamy w guzik witryny a potem zaawansowane i podajemy adres naszego sajtu http://nasza.www i akceptujemy potem klikamy poziom niestandardowy i zmieniamy: różne -> dostep do zrodla danych poprzez domeny: włącz

znalazlem skrypt w sieci w php do sprawdzenia tego. skrypt zostal troszke zmodyfikowany gdyz tez poprawnie nie dzialal w oryginale:

<?php

/***********************************************************************
*    PHP NTLM GET LOGIN
*    Version 0.2
* ====================================================
*
* Copyright (c) 2004 Nicolas GOLLET (Nicolas.gollet@secusquad.com)
* Copyright (c) 2004 Flextronics Saint-Etienne
*
* This program is free software. You can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License.
*
***********************************************************************/

/*
L'identification par NTLM se fait en 6 etape :

etape: | type:      | Info echange
-------|----------------|--------------------------------------------------
    1   | C --> S       | GET ...                               legende : C = Client
-------|----------------|--------------------------------------------------                     S = Serveur
    2   | C <-- S   | 401 Unauthorized
         |              | WWW-Authenticate: NTLM
-------|----------------|--------------------------------------------------
    3   | C --> S       | GET ...
         |              | Authorization: NTLM <base64-encoded type-1-message>
-------|----------------|--------------------------------------------------
    4   | C <-- S   | 401 Unauthorized
         |              | WWW-Authenticate: NTLM <base64-encoded type-2-message>
-------|----------------|--------------------------------------------------
    5   | C --> S       | GET ...
         |              | Authorization: NTLM <base64-encoded type-3-message>
-------|----------------|--------------------------------------------------
    6   | C <-- S        | 200 Ok
-------|----------------|--------------------------------------------------

*/

$headers = apache_request_headers();    // Recuperation des l'entetes client

if($headers['Authorization'] == NULL){              //si l'entete autorisation est inexistante
    header( "HTTP/1.0 401 Unauthorized" );          //envoi au client le mode d'identification
    header( "WWW-Authenticate: NTLM" );         //dans notre cas le NTLM
    exit;                           //on quitte

};

if(isset($headers['Authorization']))                //dans le cas d'une authorisation (identification)
{
    if(substr($headers['Authorization'],0,5) == 'NTLM '){   // on verifit que le client soit en NTLM

        $chaine=$headers['Authorization'];

        $chaine=substr($chaine, 5);             // recuperation du base64-encoded type1 message
        $chained64=base64_decode($chaine);      // decodage base64 dans $chained64

        if(ord($chained64{8}) == 1){
        //          |_ byte signifiant l'etape du processus d'identification (etape 3)

        // verification du drapeau NTLM "0xb2" a l'offset 13 dans le message type-1-message :
        if (ord($chained64[13]) != 130){
        echo "Votre navigateur Internet n'est pas compatible avec le NTLM, utiliser IE...Merci";
        exit;
        }
            $retAuth = "NTLMSSP";
            $retAuth .= chr(0);
            $retAuth .= chr(2);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(40);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(1);
            $retAuth .= chr(130);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(2);
            $retAuth .= chr(2);
            $retAuth .= chr(2);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);
            $retAuth .= chr(0);

            $retAuth64 =base64_encode($retAuth);        // encode en base64
            $retAuth64 = trim($retAuth64);          // enleve les espaces de debut et de fin
            header( "HTTP/1.0 401 Unauthorized" );      // envoi le nouveau header
            header( "WWW-Authenticate: NTLM $retAuth64" );  // avec l'identification supplementaire
            exit;

        }

        else if(ord($chained64{8}) == 3){
        //               |_ byte signifiant l'etape du processus d'identification (etape 5)

        // on recupere le domaine

        $lenght_domain = (ord($chained64[31])*256 + ord($chained64[30])); // longueur du domain
        $offset_domain = (ord($chained64[33])*256 + ord($chained64[32])); // position du domain.
        $domain = substr($chained64, $offset_domain, $lenght_domain); // decoupage du du domain

        //le login
        $lenght_login = (ord($chained64[39])*256 + ord($chained64[38])); // longueur du login.
        $offset_login = (ord($chained64[41])*256 + ord($chained64[40])); // position du login.
        $login = substr($chained64, $offset_login, $lenght_login); // decoupage du login

        // l'host
        $lenght_host = (ord($chained64[47])*256 + ord($chained64[46])); // longueur de l'host.
        $offset_host = (ord($chained64[49])*256 + ord($chained64[48])); // position de l'host.
        $host = substr($chained64, $offset_host, $lenght_host); // decoupage du l'host

        echo "Domain is  : $domain";
        echo "
Login is : $login";
        echo "
pass is : $password";
        echo "
host is  : $host";

        }

    }

}

?>