Enabling NTLM authentication under RHEL/Apache
Background
If you need your CGI scripts to know the remote (web client) user who is running IE under Windows, NTLM is a convenient protocol to use. The user will not need to enter any credentials; the browser authenticates with the existing Windows logon. The CGI script reads the authenticated username from the REMOTE_USER environment variable.
Note that NTLMv1 is vulnerable to cracking. It was replaced with NTLMv2 in the Vista timeframe.
While there are many apparent alternatives for enabling this on RHEL/Apache servers, only one (at the time of this writing) cleanly supports NTLMv2: a Python module called PyAuthenNTLM2.
Install
Note that this procedure was done on a RHEL6/httpd (Apache) box.
Become root
yum install httpd-devel
yum install python-devel
yum install python-crypto
wget http://archive.apache.org/dist/httpd/modpython/mod_python-3.3.1.tgz
tar zxf mod_python-3.3.1.tgz
cd mod_python-3.3.1
vi src/connobject.c
and change the sentinel check
b == APR_BRIGADE_SENTINEL(b)
to
b == APR_BRIGADE_SENTINEL(bb)
(mod_python 3.3.1 does not build against the RHEL6 APR headers without this one-character fix)
./configure --with-apxs=/usr/sbin/apxs
make
make install
cd ..
wget https://github.com/Legrandin/PyAuthenNTLM2/archive/master.zip
unzip master
cd PyAuthenNTLM2-master
python setup.py install
cd /etc/httpd/conf.d/
cat >ntlm2.conf
<Location />
AuthType NTLM
AuthName TWTELECOM
require valid-user
PythonAuthenHandler pyntlm
PythonOption Domain TWTELECOM
PythonOption PDC srvdendc5
PythonOption BDC srvdendc1
</Location>
^D
(AuthName can be any string. PDC and BDC are the domain controllers the module will authenticate against; pick ones close to the server.)
cd ../conf
vi httpd.conf
Change
KeepAlive Off
To
KeepAlive On
At the end of the LoadModule section, insert
LoadModule python_module modules/mod_python.so
apachectl configtest
(fix any errors and retry before continuing)
/etc/init.d/httpd restart
(apachectl graceful doesn't quite do the job for whatever reason)
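The Install steps above, collected into idempotent shell functions (an added example; this is not code from the original page or from the PyAuthenNTLM2 project). Each function takes the file it edits as an argument, so the edits can be rehearsed on copies before touching /etc/httpd, and each returns non-zero if the expected result is not present afterwards. The function names and the placeholder domain/DC values are assumptions; GNU sed and awk as shipped on RHEL6 are assumed.

```shell
#!/bin/sh
# Added example: the page's Install edits as re-runnable functions.
# Assumed helper names; nothing here is part of mod_python or PyAuthenNTLM2.
set -eu

# "vi src/connobject.c": fix the sentinel check in mod_python 3.3.1.
# Rewrites only the exact buggy expression; succeeds only if the fixed form is present.
patch_connobject() {
    f=$1
    if grep -q 'b == APR_BRIGADE_SENTINEL(b)' "$f"; then
        sed 's/b == APR_BRIGADE_SENTINEL(b)/b == APR_BRIGADE_SENTINEL(bb)/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    fi
    grep -q 'b == APR_BRIGADE_SENTINEL(bb)' "$f"
}

# "cat >ntlm2.conf": write the conf.d fragment from arguments rather than by hand.
# AuthName is reused as the realm shown by the browser; Domain/PDC/BDC are site values.
write_ntlm_conf() {
    out=$1; domain=$2; pdc=$3; bdc=$4
    cat > "$out" <<EOF
<Location />
AuthType NTLM
AuthName $domain
require valid-user
PythonAuthenHandler pyntlm
PythonOption Domain $domain
PythonOption PDC $pdc
PythonOption BDC $bdc
</Location>
EOF
}

# "KeepAlive Off" -> "KeepAlive On": NTLM authenticates the TCP connection, not the
# request, so the handshake breaks if Apache closes the connection between messages.
enable_keepalive() {
    f=$1
    sed 's/^KeepAlive[[:space:]]\{1,\}Off[[:space:]]*$/KeepAlive On/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    grep -q '^KeepAlive On$' "$f"
}

# "LoadModule python_module ...": insert once, after the last existing LoadModule line.
add_python_module() {
    f=$1
    line='LoadModule python_module modules/mod_python.so'
    if ! grep -qF "$line" "$f"; then
        awk -v l="$line" '
            /^LoadModule / { last = NR }
            { buf[NR] = $0 }
            END { for (i = 1; i <= NR; i++) { print buf[i]; if (i == last) print l } }
        ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    grep -qF "$line" "$f"
}

# Usage against the real tree (as root), after the packages from the page are installed:
#   patch_connobject mod_python-3.3.1/src/connobject.c
#   write_ntlm_conf /etc/httpd/conf.d/ntlm2.conf TWTELECOM srvdendc5 srvdendc1
#   enable_keepalive /etc/httpd/conf/httpd.conf
#   add_python_module /etc/httpd/conf/httpd.conf
#   apachectl configtest && /etc/init.d/httpd restart
```

Running the four functions a second time is harmless: the sentinel patch and the LoadModule insert are skipped when already applied, and the KeepAlive substitution matches nothing once the line reads On. The final grep in each function is the check that matters when the script is run unattended: under set -e, a missing result aborts before apachectl is ever reached.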
Test
cd /var/www/cgi-bin/
cat >whoami.cgi
#!/bin/sh
# Pass the username as a printf argument, not as part of the format string,
# so a '%' or backslash in REMOTE_USER cannot alter the output.
printf "Content-type: text/html\n\n%s\n" "$REMOTE_USER"
^D
chmod 755 whoami.cgi
On your Windows PC, using IE, open the URL http://yourserver/cgi-bin/whoami.cgi
Verify that your Windows username is displayed.
If it isn't, follow the steps in:
https://github.com/Legrandin/PyAuthenNTLM2#troubleshooting
Important: You must completely exit IE and bring it back up with each test