Subject: NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a Microsoft domain) (NtlmAuthenticator.java included)
Date: Fri, 14 Nov 2008 13:55:17 +0100
From: "Christophe Dupriez"
To: "dev@tomcat.apache.org"
Reply-To: christophe.dupriez@poisoncentre.be
Cc: "louis.van.cauwelaert@poisoncentre.be"

Hi Tomcat Developers!

(Message resent with missing NtlmAuthenticator.java)

I wanted to:

* centralize the parameterization of user authentication at the container level;
* have a simple NTLM authentication for intranet users;
* be able to run Tomcat in a Microsoft Active Directory network where the server is secured (absolutely no login allowed to regular users)

There is a Microsoft “specification” (bug?) by which all LDAP binds are evaluated on the Domain Server (as if the user were attempting to log in on the Domain Server).

It would be better to have binds evaluated as if they were originating from the LDAP client machine (the Tomcat Server).

To circumvent this, I have been obliged to remove the binding (the password checking) but to ensure that it is NTLM (and nothing else) which provides the username.

The users are therefore automatically logged in with the username used to log on to their PC.

The attached patch is for current Apache Tomcat sources (6.0.18).

It adds:

  • An NTLM Authenticator: nothing to configure except in the web.xml of each application:
       <login-config>
           <auth-method>NTLM</auth-method>
           <realm-name>ThisIsApassword</realm-name>
       </login-config>

The realm-name is the “password” which ensures that authentication is done by NTLM and no other method.

A very long password is strongly recommended.

  • A modified JNDI Realm with new parameters:
    • preAuthenticatedPassword="ThisIsApassword"
      This is to suppress password checking if preAuthenticatedPassword is provided.
    • userIdentification="userPrincipalName" provides a standardized username, whatever the retrieved user name (case of complex userSearch patterns)
    • userNamePrefix and userNameSuffix
      This is to suppress a prefix and/or a suffix from the username before returning it to the application: good to suppress domain identification, etc.
      When you use complex userSearch patterns, this can be very useful. Example:
      userSearch="(|(sAMAccountName={0})(userPrincipalName={0}@domain.com)(userPrincipalName={0}))"
      userIdentification="userPrincipalName" userNamePrefix="domain\" userNameSuffix="@domain.com"

Hope this can be useful to the community!

Please do not hesitate to ask me what I should do to make this contribution perennial.

Wishing you a very nice weekend,

Christophe Dupriez

Centre Antipoisons - Antigifcentrum

C/o Hôpital Central de la Base Reine Astrid

   Rue Bruyn - 1120 Bruxelles - Belgique

tel 32-(0)2.264.96.36 fax 32-(0)2.264.96.46
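As an added illustration (not the attached patch or Tomcat's own code; class and method names and the sample values are assumptions), a Java model of the realm behaviour described in the message: the bind bypass gated on the shared realm-name secret, the {0} substitution into userSearch, and the prefix/suffix stripping. It goes one step beyond the message by escaping the NTLM-supplied name per RFC 4515 before substituting it into the filter.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Model of the modified JNDI Realm described in the message; attribute values are constructed samples. */
public class PreAuthRealmModel {
    static final String PRE_AUTHENTICATED_PASSWORD = "ThisIsApassword";
    static final String USER_NAME_PREFIX = "domain\\";
    static final String USER_NAME_SUFFIX = "@domain.com";
    static final String USER_SEARCH =
        "(|(sAMAccountName={0})(userPrincipalName={0}@domain.com)(userPrincipalName={0}))";
    // The NTLM authenticator hands the realm the web.xml realm-name as the credential. The LDAP
    // bind is skipped only when it equals preAuthenticatedPassword; any other login still binds.
    static boolean skipBind(String credential) {
        if (credential == null) return false;
        // Constant-time comparison so response timing does not leak the shared secret.
        return MessageDigest.isEqual(credential.getBytes(StandardCharsets.UTF_8),
                PRE_AUTHENTICATED_PASSWORD.getBytes(StandardCharsets.UTF_8));
    }

    // Escape an assertion value per RFC 4515 before substituting it into userSearch.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // The filter the realm issues for the NTLM-supplied name: {0} is replaced in all three clauses.
    static String buildUserSearch(String ntlmUserName) {
        return USER_SEARCH.replace("{0}", escapeFilterValue(ntlmUserName));
    }

    // Strip the configured prefix and suffix (assumed case-insensitive): "DOMAIN\jdoe@domain.com" -> "jdoe".
    static String normalizeUserName(String name) {
        String n = name;
        int p = USER_NAME_PREFIX.length(), s = USER_NAME_SUFFIX.length();
        if (n.regionMatches(true, 0, USER_NAME_PREFIX, 0, p)) n = n.substring(p);
        int tail = n.length() - s;
        if (tail >= 0 && n.regionMatches(true, tail, USER_NAME_SUFFIX, 0, s)) n = n.substring(0, tail);
        return n;
    }
}
```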
