tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46323] New: NTLM Authentication for Microsoft Active Directory controlled Intranet
Date Tue, 02 Dec 2008 17:13:50 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46323

           Summary: NTLM Authentication for Microsoft Active Directory
                    controlled Intranet
           Product: Tomcat 6
           Version: 6.0.18
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: NeedsReleaseNote, PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: christophe.dupriez@poisoncentre.be


Created an attachment (id=22978)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22978)
JNDI Realm additions. NtlmAuthenticator class will be added separately

Goals:
* centralize the parameterization of user authentication at the container
level;
* have a simple NTLM authentication for intranet users;
* be able to run Tomcat in a Microsoft Active Directory network where the
server is secured (absolutely no login allowed to regular users)

There is a Microsoft “specification” (bug?) by which all LDAP binds are
evaluated on the Domain Server (like if the user was attempting to login on the
Domain Server).

It would be better to have binds evaluated as if they were originating from the
LDAP client machine (the Tomcat Server).

To circumvent this, I have been obliged to remove the binding (the password
checking) but to ensure that it is NTLM (and nothing else) which provides the
username.

The users are therefore automatically logged with the username used to log on
their PC.

The attached patch is for current Apache Tomcat sources (6.0.18).

It adds:

1) An NTLM Authenticator: nothing to configure except in the web.xml of each
application:
   <login-config>
       <auth-method>NTLM</auth-method>
       <realm-name>ThisIsApassword</realm-name>
   </login-config> 
The realm-name is the “password” which ensures that authentication is done
by NTLM and no other method.

A very long password is strongly recommended.

2) A modified JNDI Realm with new parameters: 
* preAuthenticatedPassword=”ThisIsApassword”
This to suppress password checking if preAuthenticatedPassword is provided. 
* userIdentification=”userPrincipalName” provides a standardized username,
whatever the retrieved user name (case of complex userSearch patterns) 
* userNamePrefix and userNameSuffix
This to suppress a prefix and/or a suffix from username before returning it to
the application: good to suppress domain identification, etc.
When you user complex userSearch pattern, this can be very useful.

Example:
userSearch="(|(sAMAccountName={0})(userPrincipalName={0}@domain.com)(userPrincipalName={0}))"
userIdentification="userPrincipalName" userNamePrefix=”domain\”
userNameSuffix=”@domain.com” 

Hopes this can be useful to the community!


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message