Great. Thanks for these.
I'd like to see it included in the next TC release.

2008/11/14 Christophe Dupriez <[EMAIL PROTECTED]>:
> Hi again Tomcat Developers!
>
> (Message re-re-re-sent because attached files did not go through the
> MailList management program and then Outlook resent an old version of my
> message): SORRY!
>
> The patch file is accessible:
> http://www.destin.be/tomcat/NtlmAuthentication.patch
>
> The new authenticator class is accessible:
> http://www.destin.be/tomcat/NtlmAuthenticator.java
>
> I wanted to:
> * centralize the parameterization of user authentication at the container
>   level;
> * have a simple NTLM authentication for intranet users;
> * be able to run Tomcat in a Microsoft Active Directory network where the
>   server is secured (absolutely no login allowed to regular users)
>
> There is a Microsoft "specification" (bug?) by which all LDAP binds are
> evaluated on the Domain Server (as if the user was attempting to log in on
> the Domain Server).
> It would be better to have binds evaluated as if they were originating from
> the LDAP client machine (the Tomcat Server).
>
> To circumvent this, I have been obliged to remove the binding (the password
> checking) but to ensure that it is NTLM (and nothing else) which provides the
> username.
> The users are therefore automatically logged in with the username used to log
> on their PC.
>
> The attached patch is for current Apache Tomcat sources (6.0.18).
>
> It adds:
>
> An NTLM Authenticator: nothing to configure except in the web.xml of each
> application:
>
>   <login-config>
>     <auth-method>NTLM</auth-method>
>     <realm-name>ThisIsApassword</realm-name>
>   </login-config>
>
> The realm-name is the "password" which ensures that authentication is done by
> NTLM and no other method.
> A very long password is strongly recommended.
>
> A modified JNDI Realm with new parameters:
>
> preAuthenticatedPassword="ThisIsApassword"
> This is to suppress password checking if preAuthenticatedPassword is provided.
>
> userIdentification="userPrincipalName" provides a standardized username,
> whatever the retrieved user name (case of complex userSearch patterns).
>
> userNamePrefix and userNameSuffix
> This is to suppress a prefix and/or a suffix from the username before returning
> it to the application: good to suppress domain identification, etc.
> When you use complex userSearch patterns, this can be very useful. Example:
>
> userSearch="(|(sAMAccountName={0})([EMAIL PROTECTED])(userPrincipalName={0}))"
> userIdentification="userPrincipalName" userNamePrefix="domain\"
> userNameSuffix="@domain.com"
>
> Hope this can be useful to the community!
>
> Please do not hesitate to ask me what I should do to make this contribution
> perennial.
>
> Wishing you a very nice weekend,
>
> Christophe Dupriez
> Centre Antipoisons - Antigifcentrum
> C/o Hôpital Central de la Base Reine Astrid
> Rue Bruyn - 1120 Bruxelles - Belgique
> tel 32-(0)2.264.96.36 fax 32-(0)2.264.96.46
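The realm-side decision the quoted patch describes, written out as an added Java illustration (not the patch's or Tomcat's own code): the realm skips the LDAP bind only when the credential handed over by the authenticator equals the configured preAuthenticatedPassword, and then strips userNamePrefix/userNameSuffix from the directory-supplied name. The class and method names are assumptions, as is the constructed sample user name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Illustrative realm-side logic; class and method names are assumptions, not Tomcat's. */
public final class PreAuthenticatedRealmCheck {
    private final String preAuthenticatedPassword; // shared secret, same value as <realm-name>
    private final String userNamePrefix;           // e.g. "domain\\"
    private final String userNameSuffix;           // e.g. "@domain.com"

    public PreAuthenticatedRealmCheck(String secret, String prefix, String suffix) {
        this.preAuthenticatedPassword = secret;
        this.userNamePrefix = prefix;
        this.userNameSuffix = suffix;
    }

    /** True only when a secret is configured AND the credential equals it; an unset or empty
     *  secret never disables the bind, and the byte comparison is constant-time for equal lengths. */
    public boolean isPreAuthenticated(String credentials) {
        if (preAuthenticatedPassword == null || preAuthenticatedPassword.isEmpty() || credentials == null) {
            return false;
        }
        return MessageDigest.isEqual(
                preAuthenticatedPassword.getBytes(StandardCharsets.UTF_8),
                credentials.getBytes(StandardCharsets.UTF_8));
    }

    /** Remove the configured prefix and suffix from the name the directory returned. */
    public String normalize(String directoryUserName) {
        String name = directoryUserName;
        if (userNamePrefix != null && !userNamePrefix.isEmpty() && name.startsWith(userNamePrefix)) {
            name = name.substring(userNamePrefix.length());
        }
        if (userNameSuffix != null && !userNameSuffix.isEmpty() && name.endsWith(userNameSuffix)) {
            name = name.substring(0, name.length() - userNameSuffix.length());
        }
        return name;
    }

    public static void main(String[] args) {
        PreAuthenticatedRealmCheck realm =
                new PreAuthenticatedRealmCheck("ThisIsApassword", "domain\\", "@domain.com");
        System.out.println("skip bind: " + realm.isPreAuthenticated("ThisIsApassword")); // secret matches
        System.out.println("skip bind: " + realm.isPreAuthenticated("wrong"));           // normal bind path
        System.out.println("user: " + realm.normalize("domain\\jdoe@domain.com"));       // constructed sample
    }
}
```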