Basic authentication does not work

Legrandin / PyAuthenNTLM2

PyAuthenNTLM2 is an authentication module for Apache. It validates a user by means of the NTLM protocol and a separate Domain Controller (or Active Directory server).

Other

57 stars 42 forks source link

Basic authentication does not work #11

Open Legrandin opened 11 years ago

Legrandin commented 11 years ago

The 401 response never contains Basic as authentication mechanism, even when you have PyCrypto installed. This is due to the fact that "python setup.py install" does not copy ntlm_client.py over to the relevant directory.

See here for details and a fix:

https://github.com/Legrandin/PyAuthenNTLM2/commit/60896f0fb135d91944cdfd3e40f2b4d5ba691a83

esterniclos commented 10 years ago

I've tried last release, but I can't make basic auth to work. It always sends user to DC.

What happens when domain controller is down? No authentication is possible at all?

netsick commented 10 years ago

basic works for me but you have to install https://www.dlitz.net/software/pycrypto/

esterniclos commented 10 years ago

I've already installed pycripto...

root@apacheserver:~/# pip install pycrypto Requirement already satisfied (use --upgrade to upgrade): pycrypto in /usr/lib/python2.7/dist- packages Cleaning up...

I'm afraid it has to be another thing.

    \<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
    Options FollowSymLinks
   DirectoryIndex index.php index.html
    AllowOverride All
    Order Allow,Deny
    Allow From All

    AuthName "My security domain"
    AuthType ntlm
    AuthType basic
    require valid-user
    AuthUserFile /etc/nagios3/htpasswd.users

    #NTLM:
    # ConfiguraciÃ³n de autenticaciÃ³n ntlm:                                                                              
     PythonAuthenHandler pyntlm
     # pdc : Primary Domain Controller
     PythonOption PDC 10.57.224.143
     # bdc : Backup Domain controller.
     PythonOption BDC 10.57.224.141

netsick commented 10 years ago

All I have is below and both ntlm/basic works.. I don't think you can use "AuthType basic" and point to a htpasswd file as pyntlm is handling auth via Active Directory.

AuthType NTLM AuthName MYDOMAIN require valid-user

PythonAuthenHandler pyntlm PythonOption Domain MYDOMAIN PythonOption PDC 192.168.60.3 PythonOption BDC 192.168.60.4

esterniclos commented 10 years ago

Let me ask you a question:

What happens to your virtual serveris DC's have failed?

I need to access my nagios through local users (htpasswd) if there are no DC's available.

I've got to access my nagios, as well, from clients that are not windows in domain.

Does this solution really work basic & ntlm auth for a virtual server at the same time?

netsick commented 10 years ago

If your DC's fail then yes, you will not be able to authenticate but at least in my network it is unlikely both DC's would fail. It hasn't occured yet and quite frankly you'll have bigger problems than not being able to access Nagios.

According to "The specific use case of PyAuthenNTLM2" clients don't have to be in a windows domain but their username/password do have to exist on the DC.

Perhaps someone could code up a way to use a .htpasswd file as a last resort when DC's are down.

esterniclos commented 10 years ago

Thank you for your time, I needed someone to confirm that this plugin couldn't work at the same time with htpasswd.

Lucky you that can rely on no network uncontrolled changes that can Isolate your webservers from DC's! :)

Great product, nevertheless!!