TWiki on Ubuntu with Windows Authentication
The idea here is to avoid users having to log in again to the TWiki site - since most users are on Windows client PCs, you can simply have Apache authenticate them based on their Windows login (using protocols called NTLM, related to file sharing / SMB, and LDAP, related to Active Directory).
It is based on a posting by HieuLeTrung to GettingWindowsLoginPassedToTwiki - I haven't tested it myself yet, and this area is generally not well understood or easy to set up. I have updated the details from that posting to add some sudo commands and to move the Apache restart to the end.
To confirm: which version of Ubuntu this covers - posted 16 Mar 2008 so I would hope it's a recent one such as Gutsy 7.10.
Part 1 - mod_authnz_ldap with Ubuntu 7.10 and Apache2.2
I'm using Ubuntu 7.10 and the Apache2 module, mod_authnz_ldap - here is the config:
- Enable the mod_authnz_ldap module
$ sudo a2enmod authnz_ldap
$ sudo /etc/init.d/apache2 restart
- Add the authentication into twiki_httpd.conf - customise this to fit your LDAP / Active Directory setup:
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.cybersoft.vn:389/OU=GCS Staff,DC=cybersoft,DC=vn?sAMAccountName?sub?(objectClass=user)" NONE
AuthLDAPBindDN "myusername@CYBERSOFT.VN"
AuthLDAPBindPassword mypassword
- With the above config, all you need to do is replace ldap://ldap.cybersoft.vn:389/OU=GCS Staff,DC=cybersoft,DC=vn with your correct LDAP root, and update AuthLDAPBindDN and AuthLDAPBindPassword with a correct binding username/password (if any)
- If your domain controller doesn't require a username/password for binding, you can remove those options.
--
HieuLeTrung - 16 Mar 2008
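An added example, not part of the original posting or of TWiki: a small Python check that parses an Apache auth fragment such as the Part 1 config and flags where a password would cross the network, or sit on disk, in cleartext. The function names and finding codes are this example's own, and it assumes the fragment it is given is the whole relevant scope (an SSLRequireSSL set in an enclosing block is not visible to it).

```python
import shlex

# Constructed sample: the Part 1 directives exactly as posted on this page.
PAGE_CONFIG = r'''
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.cybersoft.vn:389/OU=GCS Staff,DC=cybersoft,DC=vn?sAMAccountName?sub?(objectClass=user)" NONE
AuthLDAPBindDN "myusername@CYBERSOFT.VN"
AuthLDAPBindPassword mypassword
'''

def parse(conf):
    """Map each directive name (lower-cased) to its argument list; last one wins."""
    directives = {}
    # Join backslash-continued lines before splitting, as Apache does.
    for line in conf.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line[0] in "#<":   # skip comments and <Section> tags
            continue
        name, *args = shlex.split(line)
        directives[name.lower()] = args
    return directives

def audit(conf):
    """Return sorted finding codes (the codes are this example's own, hypothetical)."""
    d = parse(conf)
    findings = []
    # Basic auth sends the Windows password base64-encoded on every request,
    # so the location must be reachable over HTTPS only.
    basic = (d.get("authtype") or [""])[0].lower() == "basic"
    if basic and "sslrequiressl" not in d:
        findings.append("BASIC_WITHOUT_SSL")
    url = d.get("authldapurl")
    if url:
        scheme = url[0].split(":", 1)[0].lower()
        mode = url[1].upper() if len(url) > 1 else "NONE"  # Apache default
        # ldap:// with NONE means the bind and the user's password reach the
        # domain controller unencrypted.
        if scheme != "ldaps" and mode not in ("SSL", "TLS", "STARTTLS"):
            findings.append("LDAP_CLEARTEXT")
    # A literal bind password needs the config file readable by root only;
    # the exec: form exists from Apache 2.4.5, not in the 2.2 used here.
    pw = d.get("authldapbindpassword")
    if pw and not pw[0].startswith("exec:"):
        findings.append("BIND_PASSWORD_IN_FILE")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(PAGE_CONFIG))
```

Run against the config as posted, it reports all three findings; switching the URL to ldaps:// (or the STARTTLS mode) and adding SSLRequireSSL clears the two transport findings.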
Part 2 - mod_ntlm with Ubuntu 7.10 and Apache2.2
This part makes Apache authenticate a Windows user for TWiki access, using the NTLM protocol. See NtlmForSolaris10 for some detail on the compile and install step; this should also apply to Ubuntu, particularly the comment near the end about use on Debian, as this is close to Ubuntu.
- Compile and install the Apache2 module, mod_ntlm
- Download mod_ntlm from http://modntlm.sourceforge.net/
- Extract and run the make install command
- You might need to fix the mod_ntlm to be compiled with Apache 2.2
// apr_pool_sub_make(&sp,p,NULL);
// Replace the apr_pool_sub_make with apr_pool_create_ex
apr_pool_create_ex(&sp, p, NULL, NULL);
# install the shared object file into Apache
install: all
	$(APXS) -i -a -n 'ntlm' mod_ntlm.la
- Enable mod_ntlm in Apache2 by putting the following into httpd.conf
LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so
- Add the authentication into twiki_httpd.conf
AuthType NTLM
NTLMAuth on
NTLMAuthoritative off
NTLMDomain cybersoft.vn
NTLMServer hue.cybersoft.vn
- Replace cybersoft.vn with your correct domain
- Replace hue.cybersoft.vn with your domain controller server
- Restart Apache2 for the changes to take effect
$ sudo /etc/init.d/apache2 restart
NOTE:
- You need to set KeepAlive to On in order to make mod_ntlm work
- If you are using SSL, you also need to remove the following lines in the ssl.conf file
# SetEnvIf User-Agent ".*MSIE.*" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
--
HieuLeTrung - 16 Mar 2008
Other resources:
This page relates to TWikiOnUbuntu but may apply to other TWikiOnLinux platforms, particularly TWikiOnDebian.
--
Contributors: RichardDonkin - 24 Mar 2008
Discussion
@Main.HieuLeTrung: Thanks for the updates - sounds like it is working OK. Any comments on whether the NTLM or LDAP method works best?
--
RichardDonkin - 29 Jun 2008