This week I was working with a client that had a pretty common requirement found in intranets: seamless login for users authenticated in the domain. This is possible to achieve as long as the server is able to connect to the domain controller and recognize the credentials used on the machine. I was able to achieve NTLM integration using the available Perl module; however, it does not support NTLM2, which is used since Windows Vista. Therefore I ended up using a Python module.
Here is the method used to achieve it:
Requirements
- Apache (version used 2.2)
- Python
- Mod Python (http://archive.apache.org/dist/httpd/modpython/mod_python-3.3.1.tgz)
- Python Apache Authentication Module (https://github.com/Legrandin/PyAuthenNTLM2)
- Drupal LDAP Module (http://drupal.org/project/ldap) (version used 7.x-1.x)
Install
First installed apxs
yum install httpd-devel
Installed python-devel
yum install python-devel
Downloaded and configured mod_python (http://archive.apache.org/dist/httpd/modpython/mod_python-3.3.1.tgz)
./configure --with-apxs=/usr/bin/apxs
make
make install
Edit /etc/httpd/conf/httpd.conf
LoadModule python_module modules/mod_python.so
Downloaded and installed PythonNTLM Authenticate module.
python setup.py install -f
Appended to /etc/httpd/conf/httpd.conf
<Directory "/user/login/sso">
    AuthType NTLM
    AuthName WDOMAIN
    require valid-user
    PythonAuthenHandler pyntlm
    PythonOption Domain group.net
    PythonOption PDC group.net
    PythonOption BDC group.net
    # Bypass authentication for local clients.
    # Comment these lines if they should authenticate too.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Satisfy any
</Directory>
At this point, if you point your browser to http://yoursitename.com/user/login/sso, it should either prompt you for a username and password or recognize you as authenticated in the domain.
A good way to verify that everything is working is to access a page with phpinfo() output and check that the variable $_SERVER['REMOTE_USER'] is set.
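To check which NTLM variant a browser actually sends to /user/login/sso, the Authorization header of the last handshake request can be decoded. The Python sketch below is an added example, not code from the original post or from PyAuthenNTLM2; the function names, the user jdoe and the sample message are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001              # strings are UTF-16LE
FLAG_EXTENDED_SESSION = 0x00080000     # "NTLM2 session security" negotiated
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}   # where NegotiateFlags sits per message type

def _field(msg, pos):
    """Return the payload of the security buffer (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Decode the value of an Authorization / WWW-Authenticate NTLM header."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(blob.strip(), validate=True)
    mtype = struct.unpack_from("<I", msg, 8)[0] if len(msg) >= 12 else 0
    if not msg.startswith(SIGNATURE) or mtype not in FLAGS_OFFSET:
        raise ValueError("not an NTLMSSP message")
    if len(msg) < FLAGS_OFFSET[mtype] + 4:
        raise ValueError("truncated NTLM message")
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET[mtype])[0]
    info = {"type": mtype, "extended_session": bool(flags & FLAG_EXTENDED_SESSION)}
    if mtype == 3:
        # Assumption: non-Unicode (OEM) strings are decoded as latin-1 here.
        enc = "utf-16-le" if flags & FLAG_UNICODE else "latin-1"
        nt_response = _field(msg, 20)
        info["domain"] = _field(msg, 28).decode(enc)
        info["user"] = _field(msg, 36).decode(enc)
        # NTLMv1 and NTLM2-session NT responses are 24 bytes; NTLMv2 is longer.
        legacy = "NTLM2 session" if info["extended_session"] else "NTLMv1"
        info["response"] = "NTLMv2" if len(nt_response) > 24 else legacy
    return info

def sample_type3(domain="WDOMAIN", user="jdoe", nt_len=24, flags=0x00088201):
    """Constructed type 3 message (zero-filled responses), for demonstration only."""
    parts = [b"\x00" * 24, b"\x00" * nt_len, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b""]  # LM, NT, domain, user, host, key
    header, payload, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload, offset = payload + part, offset + len(part)
    return "NTLM " + base64.b64encode(header + struct.pack("<I", flags) + payload).decode()
```

Pass it the header value copied from the browser's network inspector; the user and domain it reports should match what ends up in REMOTE_USER.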
After achieving server NTLM authentication, the only remaining bit is done directly by the LDAP module, which contains a submodule (LDAP SSO) that handles the authentication in Drupal.