mod_ntlm2 on Apache 2.2.x
Development of the NTLM plugin for Apache has pretty much stalled since 2004 (NTLM is Microsoft's proprietary protocol for connecting with Active Directory and allowing Single Sign On through IIS and Internet Explorer). A few minor updates have been made by Michael Chai, and although they seem to work fine with Apache 2.0.x (I haven't tested them, though), the same cannot be said of Apache 2.2.x.
It took me a while to make it compile, and I had to fix some problems in the code so that it works with Apache 2.2 (namely, replacing some deprecated apr_pool_sub_make() calls with apr_pool_create_ex()).
So, if you need to install mod_ntlm2 on Apache 2.2, here's the detailed guide.
First, start by downloading my patched version of the latest mod_ntlm2. I will not continue updating it, so if a major update shows up this package might be outdated. For the time being it should work fine (mod_ntlm shows no signs of resurrection whatsoever).
The following may vary depending on your Linux distribution. apache2-prefork-dev and gcc-3.4 are the tools required for compiling the module. On Debian/Ubuntu you can install them with:
$ apt-get update
$ apt-get -y install apache2-prefork-dev gcc-3.4
Now, let's temporarily change the default compiler to gcc 3.4:
$ ln -fs /usr/bin/gcc-3.4 /usr/bin/gcc
Now you should be able to compile the module with:
$ apxs2 -i -a -c mod_ntlm.c
Finally, run the following commands. The LoadModule line is written through "sudo tee" because with "sudo echo ... > file" the redirection is performed by your own unprivileged shell, not by root:
$ sudo make clean
$ echo "LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so" | sudo tee /etc/apache2/mods-available/ntlm.load
$ sudo a2enmod ntlm
$ sudo mv /etc/apache2/httpd.conf /etc/apache2/httpd.conf.old
$ sudo touch /etc/apache2/httpd.conf
$ sudo /etc/init.d/apache2 force-reload
$ sudo ln -fs /usr/bin/gcc-4.0 /usr/bin/gcc
It should be working now!




Thanks for your modified script. You saved my day. :)
Thanks, good work.
Wow, this is great! Thanks for the comprehensive instructions.
Great, worked on the first try.
Important note: to make this module work on Apache 2.2 on CentOS 5.1 we had to change the default option of “KeepAlive Off” to “KeepAlive On” in httpd.conf; without it the authentication won’t work, for no apparent reason (and with no entry in the error_log). On Ubuntu it is turned On by default.
Great work, it’s the only module for Linux+Apache 2.2 that we could successfully implement.
This is great work! thanks!
I am having some trouble getting it to work with IE7. The browser seems to try twice (I saw this using Wireshark), then it prompts for the username and password.
It goes through fine after I enter them.
On Firefox, it works correctly without prompting me for a password.
There is something amiss, as IE7/Firefox have no trouble talking to the SharePoint server.
Any thoughts?
Thanks!
Thanks, this worked great. I had one problem though. When I used this authentication, it was not putting the user info in the header. I used this for SSO on Plone. I resolved the problem and it works great.
What I did was edit “mod_ntlm.c”. Every instance in the file that had “r->proxyreq”, I replaced with “r->proxyreq && 0”.
If this is OK with you, can you modify your code one more time so others can use it?
Installed the module and it works great. I noticed on the logs that there are 2 401 401 for every request. We set the keepalive on but are a bit concerned about the traffic. Any thoughts as to why this is happening?
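Added example (not part of the original post, its comments, or mod_ntlm2): NTLM over HTTP authenticates a connection in three messages, so a successful request is normally preceded by two 401 responses, and the type 3 message has to arrive on the same connection that received the challenge, which is where keep-alive comes in. The Python below decodes the message type from each header of a constructed exchange and flags a type 3 sent on a connection that never saw a challenge; `check_handshake`, `make_token`, the connection ids and the tokens (signature and type field only) are assumptions made for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this 8-byte signature


def ntlm_type(header_value):
    """Message type (1=negotiate, 2=challenge, 3=authenticate) carried in an
    Authorization / WWW-Authenticate value; None for a bare "NTLM" offer."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header: %r" % header_value)
    if not token.strip():
        return None
    raw = base64.b64decode(token.strip(), validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32
    if msg_type not in (1, 2, 3):
        raise ValueError("unknown NTLM message type %d" % msg_type)
    return msg_type


def check_handshake(exchange):
    """exchange: (conn_id, request Authorization, status, response
    WWW-Authenticate) tuples in wire order. Returns (authenticated, problem)."""
    challenged = set()  # connections on which the server sent a type 2
    for conn, req_auth, status, resp_auth in exchange:
        req_type = ntlm_type(req_auth) if req_auth else None
        if req_type == 3:
            if conn not in challenged:
                return False, "type 3 on connection %d, which never saw a challenge" % conn
            ok = status != 401
            return ok, None if ok else "credentials rejected"
        if resp_auth and ntlm_type(resp_auth) == 2:
            challenged.add(conn)
    return False, "handshake incomplete"


def make_token(msg_type):
    # Constructed token: signature and type field only, no real NTLM payload.
    return "NTLM " + base64.b64encode(SIGNATURE + struct.pack("<I", msg_type)).decode()


# Constructed exchanges; connection ids are illustrative.
KEEPALIVE_ON = [(1, None, 401, "NTLM"),
                (1, make_token(1), 401, make_token(2)),
                (1, make_token(3), 200, None)]
# Server closes after each response, so the type 3 lands on a new connection.
KEEPALIVE_OFF = [(1, None, 401, "NTLM"),
                 (2, make_token(1), 401, make_token(2)),
                 (3, make_token(3), 401, "NTLM")]
```

With the persistent connection the status sequence is 401, 401, 200 and the handshake completes; with one connection per request the final message cannot be matched to its challenge.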