Skip to content

NTLM Authenticator for CakePHP 4 Authentication plugin

License

Notifications You must be signed in to change notification settings

fawno/NTLMAuthenticator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GitHub license GitHub release Packagist Packagist Downloads GitHub issues GitHub forks GitHub stars

NTLM Authenticator for CakePHP 4 Authentication plugin

This plugin provides an NTLM Authenticator for CakePHP 4 authentication plugin.

Table of contents

Requirements

Optional:

TOC

Installation

Install this plugin into your application using composer:

  • Add fawno/ntlm-authentication package to your project:
      composer require fawno/ntlm-authentication
  • Load the NTLMAuthenticator in your Application.php:
    use Fawno\NTLM\Authenticator\NTLMAuthenticator;
  • Load the NTLMAuthenticator in your Authentication Service (Application.php):
    // Load the authenticators. Session should be first.
    $service->loadAuthenticator('Authentication.Session');
    
    $service->loadAuthenticator(NTLMAuthenticator::class, [
        'domains' => [],
    ]);

TOC

Configuration

exampledomain short domain name

example.com full domain name

Apache with SSPI NTLM based authentication module (mod_authn_ntlm)

Only routes with /login are authenticated with NTLM

webroot\.htaccess:

<If "%{THE_REQUEST} =~ m#GET .*/login(\?.*)? HTTP.*#">
	AuthName "Example App"
	AuthType SSPI
	NTLMAuth On
	NTLMAuthoritative On
	NTLMDomain exampledomain
	NTLMOmitDomain Off     # keep domain name in userid string
	NTLMOfferBasic On      # let non-IE clients authenticate
	NTLMBasicPreferred Off # should basic authentication have higher priority
	NTLMUsernameCase lower
	Require valid-user
</If>
<Else>
	AuthType None
	Require all granted
</Else>

#Order allow,deny
#Allow from 192.168.0.0/16
Satisfy all

TOC

NTLMAuthenticator

NTLM Authenticator can query through LDAP for user membership. This information is stored in the session and can be used for authorization (ACL).

$service->loadAuthenticator(NTLMAuthenticator::class, [
    'domains' => [
        'exampledomain' => [
            'ldap' => [
                'srv' => 'active-directory.example.com',
                'user' => base64_encode('[email protected]'),
                'pass' => base64_encode('UserPassword'),
                'dn' => 'OU=Departaments, DC=example, DC=com',
                'dn_users' => 'CN=Users, DC=example, DC=com',
            ],
            'config' => [
                'some_key' => 'some_data',
            ],
        ],
        'exampledomain2' => [
            'ldap' => [
                'srv' => 'active-directory.example2.com',
                'user' => base64_encode('[email protected]'),
                'pass' => base64_encode('UserPassword2'),
                'dn' => 'OU=Departaments, DC=example2, DC=com',
                'dn_users' => 'CN=Users, DC=example2, DC=com',
            ],
            'config' => [
                'some_key' => 'some_data',
            ],
        ],
    ],
]);

The configured credentials should have query-only access to the LDAP service and no other privileges within the domain.

config array is optional data can be stored in session auth data. It allows configuring the logo of the organization and other data common to the users of a domain that the application needs to use.

The application does not have any access to validated user passwords, all NTLM authentication is negotiated between the Apache server and the browser.

TOC