Great. Thanks for these. I'd like to see it included in the next TC release.

2008/11/14 Christophe Dupriez:
> Hi again Tomcat Developers!
>
> (Message re-re-re-sent because the attached files did not go through the mailing list management program and then Outlook resent an old version of my message): SORRY!
>
> The patch file is accessible at:
> http://www.destin.be/tomcat/NtlmAuthentication.patch
>
> The new authenticator class is accessible at:
> http://www.destin.be/tomcat/NtlmAuthenticator.java
>
> I wanted to:
> * centralize the parameterization of user authentication at the container level;
> * have a simple NTLM authentication for intranet users;
> * be able to run Tomcat in a Microsoft Active Directory network where the server is secured (absolutely no login allowed to regular users).
>
> There is a Microsoft "specification" (bug?) by which all LDAP binds are evaluated on the Domain Server (as if the user were attempting to log in on the Domain Server).
> It would be better to have binds evaluated as if they were originating from the LDAP client machine (the Tomcat server).
>
> To circumvent this, I have been obliged to remove the binding (the password checking) but to ensure that it is NTLM (and nothing else) which provides the username.
> The users are therefore automatically logged in with the username used to log on to their PC.
>
> The attached patch is for the current Apache Tomcat sources (6.0.18).
>
> It adds:
>
> An NTLM Authenticator: nothing to configure except in the web.xml of each application:
>
>   <login-config>
>     <auth-method>NTLM</auth-method>
>     <realm-name>ThisIsApassword</realm-name>
>   </login-config>
>
> The realm-name is the "password" which ensures that authentication is done by NTLM and no other method.
> A very long password is strongly recommended.
>
> A modified JNDI Realm with new parameters:
>
> preAuthenticatedPassword="ThisIsApassword"
> This suppresses password checking if preAuthenticatedPassword is provided.
>
> userIdentification="userPrincipalName"
> This provides a standardized username, whatever the retrieved user name (case of complex userSearch patterns).
>
> userNamePrefix and userNameSuffix
> These suppress a prefix and/or a suffix from the username before returning it to the application: good for suppressing domain identification, etc.
> When you use a complex userSearch pattern, this can be very useful. Example:
>
> userSearch="(|(sAMAccountName={0})(userPrincipalName={0}@domain.com)(userPrincipalName={0}))"
> userIdentification="userPrincipalName" userNamePrefix="domain\" userNameSuffix="@domain.com"
>
> Hope this can be useful to the community!
>
> Please do not hesitate to ask me what I should do to make this contribution perennial.
>
> Wishing you a very nice weekend,
>
> Christophe Dupriez
> Centre Antipoisons - Antigifcentrum
> C/o Hôpital Central de la Base Reine Astrid
> Rue Bruyn - 1120 Bruxelles - Belgique
> tel 32-(0)2.264.96.36 fax 32-(0)2.264.96.46
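The realm behaviour described in the quoted message (a userSearch pattern with {0}, userIdentification="userPrincipalName", userNamePrefix/userNameSuffix stripping, and skipping the LDAP bind when the application's realm-name matches preAuthenticatedPassword), modelled in Python as an added illustration. This is not the patch's code and not Tomcat's JNDIRealm: the directory entries and the bind callback are constructed, the case-insensitive prefix/suffix comparison is an assumption, and the RFC 4515 escaping of the value substituted for {0} is an added safeguard that the message does not mention.

```python
import hmac
import re

# Constructed sample directory (not from the message). Each dict stands for one
# Active Directory user entry with the two attributes the example userSearch uses.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=domain,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain.com"},
    {"dn": "CN=Svc Backup,OU=Service,DC=domain,DC=com",
     "sAMAccountName": "svc-backup", "userPrincipalName": "backup@domain.com"},
]

# Realm parameters as given in the message; the secret value is the message's own example.
REALM = {
    "userSearch": "(|(sAMAccountName={0})(userPrincipalName={0}@domain.com)(userPrincipalName={0}))",
    "userIdentification": "userPrincipalName",
    "userNamePrefix": "domain\\",
    "userNameSuffix": "@domain.com",
    "preAuthenticatedPassword": "ThisIsApassword",
}


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515).
    Without this, a name such as 'j*' would become a wildcard instead of a literal
    when substituted for {0} in userSearch."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    # Reverse RFC 4515 escaping so filter terms compare against raw attribute values.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(realm, username):
    """Substitute the escaped username for every {0} in the userSearch pattern."""
    return realm["userSearch"].replace("{0}", escape_filter_value(username))


def search_user(directory, ldap_filter):
    """Evaluate a filter of the shape (|(attr=value)...) against the sample entries.
    Only OR-ed equality matches are supported, which is all the example filter uses."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    for entry in directory:
        if any(entry.get(attr) == _unescape(val) for attr, val in terms):
            return entry
    return None


def normalize_username(realm, identified_name):
    """Strip userNamePrefix and userNameSuffix before the name reaches the application
    (assumed case-insensitive, which matches how Windows treats domain names)."""
    name = identified_name
    prefix, suffix = realm["userNamePrefix"], realm["userNameSuffix"]
    if prefix and name.lower().startswith(prefix.lower()):
        name = name[len(prefix):]
    if suffix and name.lower().endswith(suffix.lower()):
        name = name[: -len(suffix)]
    return name


def authenticate(realm, directory, username, credentials, realm_name, bind):
    """Return the application-facing username, or None when authentication fails.

    When the application's <realm-name> equals preAuthenticatedPassword, the NTLM
    authenticator is taken to have already established identity and no LDAP bind
    is attempted; otherwise the supplied credentials are checked by binding as the
    entry found by userSearch. The secret comparison is constant-time."""
    entry = search_user(directory, build_filter(realm, username))
    if entry is None:
        return None
    secret = realm["preAuthenticatedPassword"]
    pre_authenticated = bool(secret) and hmac.compare_digest(secret, realm_name or "")
    if not pre_authenticated and not bind(entry["dn"], credentials):
        return None
    # userIdentification selects which attribute becomes the standardized username.
    return normalize_username(realm, entry[realm["userIdentification"]])


def constructed_bind(dn, password):
    """Stand-in for the LDAP bind: accepts one constructed password for any DN."""
    return password == "correct-password"


if __name__ == "__main__":
    # NTLM-provided identity, realm-name matches the secret: no bind, name normalized.
    print(authenticate(REALM, DIRECTORY, "jdoe", None, "ThisIsApassword", constructed_bind))
    # Ordinary application: the bind decides.
    print(authenticate(REALM, DIRECTORY, "backup", "correct-password", "Other", constructed_bind))
    # Metacharacters in the login name are matched literally, not as filter syntax.
    print(build_filter(REALM, "j*"))
```

The model keeps the message's semantics: the realm-name acts as a shared secret between the NTLM authenticator and the realm, so a long, application-specific value is what prevents any other authenticator from obtaining a password-less login through the same realm. The {0} escaping is the one addition a reviewer would want in any realm that interpolates a user-controlled name into a search filter.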