Legrandin / PyAuthenNTLM2

PyAuthenNTLM2 is an authentication module for Apache. It validates a user by means of the NTLM protocol and a separate Domain Controller (or Active Directory server).

PyAuthenNTLM2 auth skipped when PHP-FPM processing is enabled for PHP #27

Open akovacs123 opened 8 years ago

akovacs123 commented 8 years ago

Hi All,

I do not know if this is a bug or simply an Apache configuration issue. I use the latest PyAuthenNTLM2 and Apache 2.4.10 (Debian Jessie stock).

Here is my problem:

  1. PyAuthenNTLM2 works nicely when I add it to my virtual host config. I get [REMOTE_USER] in my PHP scripts.
  2. When I request to pass PHP processing to FPM, [REMOTE_USER] disappears from the server variables.

My first idea is that the HTTP Authentication header is not passed to fcgi. But using the following rewrite rule does not help:

```apache
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
```

It provides an empty HTTP_AUTHORIZATION field. According to the Apache debug logs, Python processing is skipped:

```
[Wed Jun 22 09:56:53.261502 2016] [authz_core:debug] [pid 16270] mod_authz_core.c(835): [client 192.168.23.35:64541] AH01628: authorization result: granted (no directives)
[Wed Jun 22 09:56:53.261570 2016] [proxy_fcgi:debug] [pid 16270] mod_proxy_fcgi.c(77): [client 192.168.23.35:64541] AH01060: set r->filename to proxy:fcgi://127.0.0.1:9000/var/www/ntlm/index.sso.php
[Wed Jun 22 09:56:53.261607 2016] [proxy:debug] [pid 16270] mod_proxy.c(1155): [client 192.168.23.35:64541] AH01143: Running scheme fcgi handler (attempt 0)
[Wed Jun 22 09:56:53.261651 2016] [proxy_fcgi:debug] [pid 16270] mod_proxy_fcgi.c(786): [client 192.168.23.35:64541] AH01076: url: fcgi://127.0.0.1:9000/var/www/ntlm/index.sso.php proxyname: (null) proxyport: 0
```

My Apache virtual host config is:

```apache
<VirtualHost *:80>
    ServerName myserver.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/ntlm/

    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/ntlm/$1

    <Directory /var/www/ntlm>

        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Satisfy any

        AuthType NTLM
        AuthName "NTLM Authentication"
        require valid-user
        PythonOption Require valid-user

        AddHandler mod_python .py
        PythonHandler mod_python.publisher

        PythonAuthenHandler pyntlm
        PythonOption Domain MYDOMAIN
        PythonOption PDC mypdc
        PythonOption BDC mybdc
        PythonDebug On

    </Directory>

    LogLevel debug

    ErrorLog ${APACHE_LOG_DIR}/ntlm-error.log
    CustomLog ${APACHE_LOG_DIR}/ntlm-access.log combined

</VirtualHost>
```

Any help is appreciated. Thank you very much.

stroobl commented 7 years ago

We have a similar issue on Debian Jessie. This might help: http://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers Still testing some config options. (The Apache version in Jessie is too low to use CGIPassAuth on)
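
In the debug log quoted in the issue, AH01628 reports "granted (no directives)" immediately before mod_proxy_fcgi rewrites the request to the FPM backend, meaning no `Require` directive was evaluated for that request. The following is an added example, not part of the thread or of PyAuthenNTLM2: a log check that flags such requests. The function name and the second request in the sample log are constructed for illustration, and it assumes `LogLevel debug` output in the format shown above.

```python
import re

# Constructed sample: the first two lines are modeled on the log quoted in the
# issue; the last two are a constructed request where Require was evaluated.
SAMPLE_LOG = """\
[Wed Jun 22 09:56:53.261502 2016] [authz_core:debug] [pid 16270] mod_authz_core.c(835): [client 192.168.23.35:64541] AH01628: authorization result: granted (no directives)
[Wed Jun 22 09:56:53.261570 2016] [proxy_fcgi:debug] [pid 16270] mod_proxy_fcgi.c(77): [client 192.168.23.35:64541] AH01060: set r->filename to proxy:fcgi://127.0.0.1:9000/var/www/ntlm/index.sso.php
[Wed Jun 22 09:57:10.000100 2016] [authz_core:debug] [pid 16271] mod_authz_core.c(802): [client 192.168.23.36:50000] AH01626: authorization result of Require valid-user : granted
[Wed Jun 22 09:57:10.000200 2016] [proxy_fcgi:debug] [pid 16271] mod_proxy_fcgi.c(77): [client 192.168.23.36:50000] AH01060: set r->filename to proxy:fcgi://127.0.0.1:9000/var/www/ntlm/other.php
"""

LINE = re.compile(
    r"\[pid (?P<pid>\d+)\].*?\[client (?P<client>[^\]]+)\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)"
)
TARGET = re.compile(r"set r->filename to (proxy:fcgi://\S+)")


def unauthenticated_fcgi_handoffs(log_text):
    """Return (client, backend_url) for every request handed to the FastCGI
    backend right after mod_authz_core reported that no directives applied."""
    no_directives = {}  # (pid, client) -> True if last authz result had no directives
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["pid"], m["client"])
        if m["code"] == "AH01628":
            # Authorization passed only because nothing was configured to check.
            no_directives[key] = "(no directives)" in m["msg"]
        elif m["code"] == "AH01626":
            # A Require directive was actually evaluated for this request.
            no_directives[key] = False
        elif m["code"] == "AH01060":
            t = TARGET.search(m["msg"])
            # Consume the state so it is not reused for the next request.
            if t and no_directives.pop(key, False):
                findings.append((m["client"], t.group(1)))
    return findings


if __name__ == "__main__":
    for client, url in unauthenticated_fcgi_handoffs(SAMPLE_LOG):
        print(f"no auth directives applied: {client} -> {url}")
```

Correlation is by pid and client address only, so on a threaded MPM with interleaved requests the result should be treated as a lead to confirm against the configuration.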