
LDAP Integration Wiki

Configuration

ntlm binding

Installation

The easiest way to add NTLM support to your Apache 2 server is to install the libapache2-authenntlm-perl package (mod_perl plus the Apache2::AuthenNTLM module). Afterwards all you have to do is configure your site like this:

  <Directory /var/www/>
        Allow from all
        Options Indexes FollowSymLinks MultiViews
        PerlAuthenHandler Apache2::AuthenNTLM
        # NTLM is offered first; "basic" is the fallback for clients that do not speak NTLM.
        # Basic sends the domain password base64-encoded, so serve this site over HTTPS.
        AuthType ntlm,basic
        AuthName Basic
        require valid-user
        # Domain name followed by the domain controllers to contact, in order
        PerlAddVar ntdomain "domain.lan first_domain_controller second_domain_controller"
        PerlSetVar defaultdomain domain.lan
        # Strip the "DOMAIN\" prefix so REMOTE_USER holds only the account name
        PerlSetVar splitdomainprefix 1
  </Directory>

That's it! Try the following to be sure it works:

Create a test.php file in your document root with the following content:

  <?php
    // REMOTE_USER is filled in by the Apache authentication handler.
    // PHP_AUTH_USER is only populated when the browser used the Basic
    // fallback, so it normally stays empty after an NTLM handshake.
    $user     = isset($_SERVER['REMOTE_USER'])   ? $_SERVER['REMOTE_USER']   : '';
    $authUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    echo 'User:"', htmlspecialchars($user), '"<br />';
    echo 'Authenticated user:"', htmlspecialchars($authUser), '"';
  ?>

If the output is something like 'User:"Abcd..."' you're done! If "User" is empty, check your configuration; if "Authenticated user" is filled in, the browser fell back to Basic authentication instead of NTLM.

The complete documentation of Apache2::AuthenNTLM (CPAN distribution Apache-AuthenNTLM) is here: http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10/AuthenNTLM.pm

Known issues:
Firefox does not send NTLM credentials automatically to sites it does not trust, so without further configuration you will be asked for your password when working with FF. To enable it, go to about:config, search for network.automatic-ntlm-auth.trusted-uris and enter the URI of your site; after that NTLM works with Firefox as well.

In Internet Explorer 8 you have a similar issue; there you have to change some registry settings. For further information check out this page: http://ppalakollu.blogspot.com/2009/04/ie-8-ntlm-authentication-on-windows.html (Thanks to Alex for these two hints).

If you want to activate NTLM authentication with Internet Explorer 9 you may try http://technet.microsoft.com/en-us/library/dd566199%28WS.10%29.aspx

Performance improvement

With Apache2::AuthenNTLM as configured above, the domain controller gets an authentication request for each page you visit, sometimes even for each file the browser downloads (images, stylesheets, scripts). This load slows down the domain controller and in consequence slows down the intranet website.

It would be far better to authenticate only once per session and stay logged in afterwards, but how?

First, copy the index.php in your TYPO3 root folder and name the copy e.g. "login.php". At the bottom of the file add this code snippet (note that header() only works if nothing has been output yet; if PHP reports "headers already sent", enable output buffering or move the snippet before the content is echoed):

$location = '/';

// REDIRECT_URL is the path the visitor asked for before mod_rewrite sent
// the request to login.php. Accept it only if it is a site-local path:
// "//host/..." or "/\host/..." would be a protocol-relative URL and turn
// this into an open redirect.
if (!empty($_SERVER['REDIRECT_URL'])
    && $_SERVER['REDIRECT_URL'][0] === '/'
    && !preg_match('#^/[/\\\\]#', $_SERVER['REDIRECT_URL'])) {
    $location = $_SERVER['REDIRECT_URL'];
}

header('Location: ' . $location);
exit; // nothing may be sent after the redirect header

Now move your authentication configuration from sites-available to the .htaccess file in your TYPO3 root and wrap it in this FilesMatch condition at the beginning, so that only login.php triggers the NTLM handshake (the Perl auth directives and the rewrite rules below are only honoured in .htaccess if AllowOverride permits AuthConfig and FileInfo):

<FilesMatch "^login\.php$">
        # Apache 2.2 syntax; on Apache 2.4 use "Require all granted" instead
        Order allow,deny
        allow from all

        #PerlAuthenHandler Apache2::AuthCookieNTLM
        PerlAuthenHandler Apache2::AuthenNTLM
        AuthType ntlm,basic
        AuthName Basic
        require valid-user

        PerlAddVar ntdomain "domain.lan first_domain_controller second_domain_controller"
        # Logs the NTLM handshake to the Apache error log; set to 0 once it works
        PerlSetVar ntlmdebug 1

        PerlSetVar defaultdomain domain.lan
        PerlSetVar splitdomainprefix 1
</FilesMatch>

Now, to send visitors to this page automatically, add these lines somewhere in your .htaccess file:

RewriteEngine On
# No frontend session cookie yet: the visitor has not been through login.php
RewriteCond %{HTTP_COOKIE} !fe_typo_user [NC]
# Leave the TYPO3 backend alone
RewriteCond %{REQUEST_URI} !/typo3/
# Never rewrite login.php onto itself
RewriteCond %{REQUEST_URI} !/login\.php$
RewriteRule .* login.php [L]

Notice that mod_rewrite must be enabled for this to work.

Explanation:
The rewrite rule sends the user automatically to login.php whenever no frontend session cookie (fe_typo_user) is set.

As login.php is loaded, the FilesMatch condition makes Apache run the NTLM handshake against the domain controller and passes the resulting REMOTE_USER to login.php.

In login.php all the usual TYPO3 processing is done (so the frontend login based on REMOTE_USER happens as well) and then the user is redirected to the page originally requested. From then on the session cookie is present, the rewrite rule no longer fires and the domain controller is not asked again for that session.

Note that the cookie only decides whether a visitor is sent through login.php; a visitor who sets a fe_typo_user cookie by hand merely skips the redirect and browses anonymously, because TYPO3 still derives the login from its own session data, not from the cookie's presence.
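The redirect target that login.php takes from REDIRECT_URL deserves more than a one-line check, because a redirect built from request data is the classic open-redirect and header-injection spot. The following is an added example, not code from this page, from TYPO3 or from Apache2::AuthenNTLM: a helper that only accepts site-local paths, run over a few constructed inputs. The function name safeLocalRedirectTarget and the sample values are assumptions made for the example; it goes beyond the snippet above by also rejecting backslash variants, control characters and backend paths.

```php
<?php
/**
 * Return $candidate if it is a safe, site-local redirect target, otherwise
 * $fallback. Added example, not TYPO3 or Apache2::AuthenNTLM code.
 *
 * Rejected: empty values, anything not starting with "/", protocol-relative
 * URLs ("//host/"), backslash variants ("/\host/", which browsers treat like
 * "//host/"), control characters (header injection), and anything under the
 * TYPO3 backend (/typo3/), which this login scheme does not cover.
 */
function safeLocalRedirectTarget($candidate, $fallback = '/')
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Must be an absolute path on this host, e.g. "/intranet/news.html".
    if ($candidate[0] !== '/') {
        return $fallback;
    }
    // "//evil.example" and "/\evil.example" are network-path references and
    // would send the browser to another host (open redirect).
    if (strlen($candidate) > 1 && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $fallback;
    }
    // Control characters must never reach header(); fail closed instead of
    // relying on PHP's own refusal to emit them.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Stay away from the backend, which the rewrite rule excludes anyway.
    if (preg_match('#(^|/)typo3/#', $candidate)) {
        return $fallback;
    }
    // Keep only path and query; anything with a scheme or host is rejected.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    $path = $parts['path'];
    return isset($parts['query']) ? $path . '?' . $parts['query'] : $path;
}

// Constructed sample values (not captured traffic) and the expected outcome.
$samples = array(
    '/intranet/news.html?id=12' => '/intranet/news.html?id=12',
    '/'                         => '/',
    ''                          => '/',   // nothing to go back to
    'http://evil.example/'      => '/',   // absolute URL
    '//evil.example/phish'      => '/',   // protocol-relative URL
    '/\\evil.example/phish'     => '/',   // backslash variant
    "/ok\r\nSet-Cookie: x=1"    => '/',   // header injection attempt
    '/typo3/index.php'          => '/',   // backend is out of scope
);

foreach ($samples as $input => $expected) {
    $got = safeLocalRedirectTarget($input);
    printf("%-34s -> %-28s %s\n", var_export($input, true), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

In login.php this would replace the hand-written check: `$location = safeLocalRedirectTarget(isset($_SERVER['REDIRECT_URL']) ? $_SERVER['REDIRECT_URL'] : '');`. Apache puts the original query string into REDIRECT_QUERY_STRING rather than REDIRECT_URL, so append it yourself if the originally requested page needs its parameters back.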