NTLM auth module for Apache/Unix

NTLM is an authentication protocol used by Microsoft Internet Informations Server(tm) and Microsoft Internet Explorer(tm). While it is not really secure, it offers background authentication (the workstation logon credentials of users are passed through to the web server). This feature is widely used in intranets based on these Microsoft products.

This module is implementing NTLM authentication for Apache on Unix platforms. It is available free of charges under the BSD License.

Download

The source code of mod_ntlm is available for download through the Sourceforge project page.

Install

You have to be root to compile and install mod_ntlm.c successfully. You need a ready-to-run apache distribution installed. Go to the source distribution directory of mod_ntlm and enter:

make install && make restart

The Makefile is using apxs to compile and install mod_ntlm. Certain versions of apxs are known to fail unter certain versions of SuSE Linux.
It works fine for me with SuSE Linux 6.3 and Solaris 2.6, no other platforms have been tested yet.

Directives in http.conf

This directives can be placed into a virtual directory to configure mod_ntlm:

NTLMAuth on/off	enable/disable NTLM authentication
NTLMAuthoritative on/off	allow users who couldn't be authenticated to be handled by other authentication modules
NTLMDomain domain_name	Domain users should be authenticated against
NTLMServer server_name or ip_addr	Primary SMB server to authenticate users (Windows NT or Samba)
NTLMBackup server_name or ip_addr	Backup SMB server to authenticate users if primary is down
Require valid-user	Every user that is accepted by the SMB server can access this resource
Require user user_name	Only this specific user(s) are allowed. Specify one or multiple users separated by spaces

Example configuration for httpd.conf:

     AuthType NTLM
     NTLMAuth on
     NTLMAuthoritative on
     NTLMDomain UWSPDOM
     NTLMServer dc1
     NTLMBackup dc2
     Require user agal

Comments, Limitations

Basic authentication against SMB server is not supported. There are enough modules that do this and you need https to make it safe.
Internet Explorer 3.0 (broken keepalive) is not supported, it's about time to get a new browsers. Those users should have taken their computers away for using year old software.
You can produce a problem by pressing reload fast and often. The connection is forced into reset each time, and sometimes Internet Explorer is sending a msg3 to an apache process that didn't send the msg1 yet. I'm not sure weather this is an apache or Linux or IE problem. It could be resolved by caching credentials, which is unsafe and involves neat things like file locking and mmap().

Bugs, missing features

not enough tested
association of per-connection based information to r-connection is wrong this way, but not better supported in Apache 1.3.9. Let's look at 2.0, maybe there is a per-connection config?
autoconf has to be done
test on more platforms
figure out how to fetch user groups from the DC (well, wait untill SAMBA_TNG is able to do that and then borrow the code)

Feedback

Any kind of feedback is appreciated. I'm interessted in bug reports but also success stories.