DokuWiki

It's better when it's simple

User Tools

Site Tools


Sidebar

Translations of this page?:

Learn about DokuWiki

Advanced Use

Corporate Use

Our Community


Follow us on Facebook, Twitter and other social networks.

auth:ntlm

NTLM Authentication Backend

This page describes how to set up NTLM (i.e. Windows NT-based) authentication for DokuWiki running on Apache. As an added bonus, the second half of this page describes what you need to do to enable Firefox to “see” this configuration.

Note: For obvious reasons, this document assumes a DokuWiki install on Windows (perhaps using EasyPHP , XAMPP or Bitnami DokuWiki Stack)

Setup NTLM authentication for Apache

  • First, get the Apache NTLM module from this location. After you've downloaded it, unzip it, and extract the mod_ntlm.so shared object from the /Release folder. Copy this into the /modules directory in your Apache installation.
  • The file my_cfg.txt that is packaged with the NTLM module has instructions for configuring Apache. Copy the following section from my_cfg.txt into your httpd.conf file:
# Add to your httpd.conf
 
LoadModule ntlm_module modules/mod_ntlm.so
 
#
# Configuration for mod_ntlm
<IfModule mod_ntlm.c>
    <Location /protected/>
        AuthName "A Protected Place"
        AuthType NTLM
        NTLMAuth On
        NTLMAuthoritative On
        NTLMOfferBasic On
        NTLMBasicPreferred
        require valid-user
    </Location>
</IfModule>
# End of mod_ntlm.
  • While you're at it, you might also want to make sure that your site is accessible from other machines on the intranet. Make sure that Apache is listening on an IP address other than 127.0.0.1. You should at least have the IP address of the machine on which Apache is running. Also, you should make sure that the host name is something other than localhost

Configure DokuWiki to use NTLM authentication

  • Modify the .htaccess file in the DokuWiki root as follows (you can place this at the top of the file):
## Enable this to restrict editing to logged in users only 
AuthType NTLM 
NTLMAuth On 
NTLMAuthoritative on 
 
require valid-user
  • Make a copy of the acl.auth.php.dist file in the /conf directory, and rename it to acl.auth.php.
  • Edit the conf/dokuwiki.php file (or local.php if you use one) and set the authentication options as follows:
$conf['useacl']      = 1;               //Set this to 1 to enable ACLs
$conf['authtype']    = 'ntlm';          //Change this to 'ntlm'
$conf['passcrypt']   = 'md5';           //Change this to md5. It's smd5 by default
  • Modify the inc/auth.php file as follows (you're adding a check for NTLM authentication)
// do the login either by cookie or provided credentials
if($conf['useacl']){
	if($auth){
		if (!isset($_REQUEST['u'])) $_REQUEST['u'] = '';
		if (!isset($_REQUEST['p'])) $_REQUEST['p'] = '';
		if (!isset($_REQUEST['r'])) $_REQUEST['r'] = '';
    // add this snippet
		if ($conf['authtype'] == 'ntlm')
		{
			$_REQUEST['u'] = getRemoteUserNice();
			$_REQUEST['p'] = "";
			$_REQUEST['r'] = "";
		}
    // end of snippet
 
		// if no credentials were given try to use HTTP auth (for SSO)
		if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])){
			$_REQUEST['u'] = $_SERVER['PHP_AUTH_USER'];
			$_REQUEST['p'] = $_SERVER['PHP_AUTH_PW'];
		}
  }
}
  • Add the following code to your inc/common.php file, at the end of the file:
// this is a hack for ntlm_module (http://www.gknw.net/development/apache/apache-1.3/win32/modules/)
// for some reason it only sets env variable REMOTE_USER but not // $_SERVER['REMOTE_USER'] 
 
function getRemoteUser() {
  if ($_SERVER['REMOTE_USER'])
    return $_SERVER['REMOTE_USER'];
  return getenv('REMOTE_USER');
}
 
function niceNtlmUserName($userName)
{
  return preg_replace("/^.+\\\\/", "", $userName);
}
 
// NTLM user name is in the form "domain\\user", this
// function converts it to just "user"
function getRemoteUserNice()
{
    return  niceNtlmUserName(getRemoteUser());
}
 
//Setup VIM: ex: et ts=2 enc=utf-8 :
  • In the inc/auth folder, create a new file called ntlm.class.php. Copy the following code into it and save it.
<?php
/**
 * NTLM authentication backend
 *
 * To use it:
 * - install ntlm module (e.g. mod_ntlm-1.3.zip from
 *   http://www.gknw.net/development/apache/apache-1.3/win32/modules/
 * - add the following to the .htaccess of your dokuwiki directory:
AuthType NTLMNTLMAuth on
NTLMAuthoritative on
require valid-user
 *   this will only allowed logged in and authenticated users to
 *   access pages and puts the login of the user in $REMOTE_USER env
 *   variable. This code relies on that
 * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
 */
class auth_ntlm extends auth_basic {
 
	function auth_ntlm() {
 
// we only accept page ids for auth_plain
if(isset($_REQUEST['u']))
  $_REQUEST['u'] = cleanID($_REQUEST['u']);
}
/**
 * Check user+password [required auth function]
 *
 * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
 * @return  bool
 */
function checkPass($user,$pass) {
 
  if (!getenv('REMOTE_USER'))
    return false;
  return true;
}
 
/**
 * Return user info [required auth function]
 *
 * Returns info about the given user needs to contain
 * at least these fields:
 *
 * name string  full name of the user
 * mail string  email addres of the user
 * grps array   list of groups the user is in
 *
 * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
 */
function getUserData($user) {
  global $conf;
  $userInfo['name'] = niceNtlmUserName($user);
  $userInfo['mail'] = $userInfo['name'].'@solvay.com';
  $userInfo['grps'] = array($conf['defaultgroup']);
  return $userInfo;
}
 
/**
 * Create a new User [required auth function]
 *
 * Returns false if the user already exists, null when an error
 * occured and the cleartext password of the new user if
 * everything went well.
 *
 * The new user HAS TO be added to the default group by this
 * function!
 *
 * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
 */
function createUser($user,$pass,$name,$mail){
  return false;
}
}
//Setup VIM: ex: et ts=2 enc=utf-8 :
?>

To access your site using Firefox:

See the link in the references section below

If all goes well, after you have configured Apache, DokuWiki and Firefox, open up your DokuWiki home page in Firefox, and it should detect your Windows credentials and log you in automatically. You should see your NT ID at the bottom of the screen, where it says, “Logged in as…”.

References

Additions

Using NTLM based auth and as user store the users.auth.php, you need to add the following code from plain.class.php:

    /**
     * Return user info
     *
     * Returns info about the given user needs to contain
     * at least these fields:
     *
     * name string  full name of the user
     * mail string  email addres of the user
     * grps array   list of groups the user is in
     *
     * @author  Andreas Gohr <andi@splitbrain.org>
     */
    function getUserData($user){
 
      if($this->users === null) $this->_loadUserData();
      return isset($this->users[$user]) ? $this->users[$user] : false;
    }
 
 
    function _loadUserData(){
      global $config_cascade;
 
      $this->users = array();
 
      if(!@file_exists($config_cascade['plainauth.users']['default'])) return;
 
      $lines = file($config_cascade['plainauth.users']['default']);
      foreach($lines as $line){
        $line = preg_replace('/#.*$/','',$line); //ignore comments
        $line = trim($line);
        if(empty($line)) continue;
 
        $row    = explode(":",$line,5);
        $groups = array_values(array_filter(explode(",",$row[4])));
 
        $this->users[$row[0]]['pass'] = $row[1];
        $this->users[$row[0]]['name'] = urldecode($row[2]);
        $this->users[$row[0]]['mail'] = $row[3];
        $this->users[$row[0]]['grps'] = $groups;
      }
    }

and comment the function getUserData from original ntlm.class.php

//function getUserData($user) {
//  global $conf;
//  $userInfo['name'] = niceNtlmUserName($user);
//  $userInfo['mail'] = $userInfo['name'].'@solvay.com';
//  $userInfo['grps'] = array($conf['defaultgroup']);
//  return $userInfo;
//}
auth/ntlm.txt · Last modified: 2016-01-20 08:31 by 77.40.51.212