User Authentication On Cygwin, using Apache
Basic Authentication (.htaccess)
Basic Authentication is a built-in feature of Apache. It should be possible to get it to work using the generic TWikiInstallationGuide instructions (also see TWikiUserAuthentication).
However I (matt) have been unable to get this option to work. I would appreciate hearing if anybody is using .htaccess authentication successfully (actually the same goes for all of the options).
Also see AuthenticationProblem
SSL: Secure Sockets Layer
Follow the instructions for setting up SSL and Apache available with your distribution (i.e., it has nothing to do with TWiki). If Apache is SSL-enabled, it should "just work" with TWiki. You may need client-side certificates installed for each user, so that the certificate authenticates the user (rather than a password).
Note that SSL works in conjunction with other authentication methods; it is not in and of itself an authenticator. See AuthenticateWithSSL
mod_auth_ntsec
http://www.cygwin.com/cygwin-ug-net/ntsec.html - The design goal of the ntsec patch was to get a more UNIX-like permission structure based upon the security features of Windows NT. E.g., the users have already logged in to an NT intranet, so let's just ask their machine for their name quietly; there is no need for another user-password challenge.
See also IntranetDoubleAuthentication
How do I get Apache to utilize ntsec?
There is an Apache module for it (source code attached).
If your Apache distribution doesn't come with ntsec,
you'll have to compile it (source code is attached).
Move mod_auth_ntsec.dll to the .../apache/libexec directory,
and add the line
LoadModule ntsec_auth_module libexec/mod_auth_ntsec.dll
at the appropriate place in httpd.conf.
Joachim, does this mean you have actually compiled and installed it? Or is what you typed above just the standard procedure for Apache uncompiled modules? - mw
It's the standard procedure - I haven't installed it.
I have taken a look at the source code though. - jd
(Module order is probably important
but I don't have a clue which order is the right one.)
Background information:
Apache tries various authentication modules in order
until one of the modules recognizes the user.
I don't know whether that authentication order
is load order or something else. - jd
No extra configuration for TWiki should be necessary,
cgis generally rely on the http server
to find out who's at the other end of the line.
Does this mean the REMOTEUSER variable should be automatically populated by mod_auth_ntsec simply by loading the module? - mw
That's my current understanding of the issues. - jd
CAMP is available at
http://apache.dev.wapme.net/packages/
Note that CAMP is overkill
unless you plan to install software
that needs MySQL or PHP
(TWiki uses neither).
-- MattWilkie - 02 Nov 2001
-- JoachimDurchholz - 16 Nov 2001
-- MattWilkie - 16 Nov 2001
-- JoachimDurchholz - 17 Nov 2001
Is ntsec stable for use?
Have been in further correspondence with the author. It seems there is something not right with mod_auth_ntsec and even if I knew what I was doing, it wouldn't work. He's working on it now.
-- MattWilkie - 09 Nov 2001
Stipe has updated mod_auth_ntsec:
> I got a chance this weekend to work on the module and uploaded the current version to http://apache.dev.wapme.net/modules
> Please have a try and comment on it.
And has even found the time for a little bit of documentation (thanks Stipe!):
Usage:
Include this module if you want to check userid and password
credentials against your local NT accounts.
Install:
To compile the module using the apxs tool please use the following
command within your shell
$ /usr/local/apache/bin/apxs -DCYGWIN_W32API \
-c mod_auth_ntsec.c -o mod_auth_ntsec.dll
Defining CYGWIN_W32API is needed due to the fact that we need to exclude
W32API declarations in os/cygwin/os.h if we use them inside this module.
Configuration Directives:
Auth_ntsec [On|Off] - enable or disable ntsec based authentication
Auth_ntsec_Authoratative [On|Off]- allow access control to be passed to lower authentication modules
Supported require arguments:
require user ...
require valid-user
require file-owner
I'm supposed to be on a 6 month leave of absence right now, so I don't know how much time I'll have to test this new version.
-- MattWilkie - 03 Dec 2001
I have been unable to get ntsec to work, most likely because the user accounts are on a domain server while the webserver is a mere member server, and thus does not have any local user accounts. It would be interesting to see if ntsec does work on a webserver which is also Primary or Backup Domain Controller.
In any case, for those who might have a system configuration with local user accounts, try this type of httpd.conf entry:
<Location /private>
Auth_ntsec On
Auth_ntsec_Authoritative On
AuthType Basic
AuthName "a realm (the domain?)"
Order Deny,allow
deny from all
Require valid-user
</Location>
Good luck!
-- MattWilkie - 04 Dec 2001
whups!
:red face: My ignorance is showing. If it wasn't clear before I'm dazed and confused, there should be no doubt now. : )
Stipe was overheard attempting to educate matt:
>> Let me know if the "AuthType Basic" issue would solve your problem.
>
> Nope. :shrug:. I've gone about as far as I can go at this time I
> think. This is my last week in the office until spring, maybe by
> then it will work. : )
>
> take care and thank you for your efforts, -matt
how about restricting a <Directory> or using a .htaccess file, which
works at least for me with local NT accounts.
I haven't tried any <Location> restriction yet.
UUUPPPsss, I got something: You wrote:
>* created a <Location> block in httpd.conf:
> <Location /private>
> Auth_ntsec On
> Auth_ntsec_Authoritative On
> SetHandler cgi-script
> Order Deny,Allow
> Deny from all
> Require valid-user
> </Location>
Even if adding "AuthType Basic", this block means (because of
mod_access) that access ordering is denying and then allowing. You
specified "deny from all", which means every IP client is denied, and
you didn't specify "allow from {xy}", which means you will always
be denied here.
Are you messing mod_access and mod_auth directives?
The directives "order, deny from, allow from" are IP based
restrictions to URIs. If you want a combination from IP based
restrictions and user authentication in the form of:
- check if the client is from a known IP, then give access
- if not, then ask for user credentials and then give access
you will have to use
...
Order deny,allow
Deny from all
Allow from localhost
AuthType basic
Auth_ntsec on
Satisfy any
...
the "satisfy any" block will be used to "construct" the if statement
between 1. and 2.
This should work Matt! -- drop me a note.
Stipe
-- MattWilkie - 05 Dec 2001
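The interaction Stipe describes between the mod_access directives (Order/Deny/Allow) and the user check (Require, Satisfy) can be modelled in a few lines. This is an added example, not part of the original discussion and not code from mod_auth_ntsec; the dictionary layout, the function names and the mapping of "localhost" to 127.0.0.1/32 are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

def host_ok(cfg, client):
    """mod_access style host check for one client IP address."""
    ip = ip_address(client)
    hit = lambda rules: any(r == "all" or ip in ip_network(r) for r in rules)
    denied, allowed = hit(cfg.get("deny", [])), hit(cfg.get("allow", []))
    if cfg["order"] == "deny,allow":
        return allowed or not denied   # default is allow; Allow overrides Deny
    return allowed and not denied      # allow,deny: default is deny; Deny wins

def status(cfg, client, valid_user):
    """HTTP status for a request to the protected location.

    valid_user is True when the auth module accepted the credentials,
    which is what "Require valid-user" asks for.
    """
    h = host_ok(cfg, client)
    if cfg.get("satisfy", "all") == "any":
        # Either the host check or the user check is enough.
        if h or valid_user:
            return 200
        return 401                     # challenge for credentials
    # Satisfy all (the default): the host check must pass first.
    if not h:
        return 403
    return 200 if valid_user else 401

# Matt's <Location /private> block with "AuthType Basic" added:
# Order Deny,Allow / Deny from all / Require valid-user, no Allow line.
ORIGINAL = {"order": "deny,allow", "deny": ["all"], "allow": []}

# Stipe's suggestion: same ordering plus "Allow from localhost" and
# "Satisfy any". localhost is modelled as 127.0.0.1/32 (assumption).
SUGGESTED = {"order": "deny,allow", "deny": ["all"],
             "allow": ["127.0.0.1/32"], "satisfy": "any"}

if __name__ == "__main__":
    # Constructed sample requests: (client IP, credentials accepted?)
    for ip, ok in [("127.0.0.1", False), ("192.0.2.10", False), ("192.0.2.10", True)]:
        print(ip, ok, status(ORIGINAL, ip, ok), status(SUGGESTED, ip, ok))
```

With "Satisfy any", a request from an allowed host is served without any credential check, so no authenticated user name is available to the CGI for those requests.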