This plugin provides an NTLM Authenticator for CakePHP 4 authentication plugin.
- PHP >= 7.2.0
- Apache 2.4 SSPI NTLM based authentication module (mod_authn_ntlm)
- CakePHP >= 4.3.0
- CakePHP Authentication >= 2.0
Optional:
- ext-ldap (LDAP php extension)
Install this plugin into your application using composer:
- Add
fawno/ntlm-authentication
package to your project:composer require fawno/ntlm-authentication
- Load the NTLMAuthenticator in your
Application.php
:use Fawno\NTLM\Authenticator\NTLMAuthenticator;
- Load the NTLMAuthenticator in your Authentication Service (
Application.php
):// Load the authenticators. Session should be first. $service->loadAuthenticator('Authentication.Session'); $service->loadAuthenticator(NTLMAuthenticator::class, [ 'domains' => [], ]);
exampledomain
short domain name
example.com
full domain name
Apache with SSPI NTLM based authentication module (mod_authn_ntlm)
Only routes with /login
are authenticated with NTLM
webroot\.htaccess
:
<If "%{THE_REQUEST} =~ m#GET .*/login(\?.*)? HTTP.*#">
AuthName "Example App"
AuthType SSPI
NTLMAuth On
NTLMAuthoritative On
NTLMDomain exampledomain
NTLMOmitDomain Off # keep domain name in userid string
NTLMOfferBasic On # let non-IE clients authenticate
NTLMBasicPreferred Off # should basic authentication have higher priority
NTLMUsernameCase lower
Require valid-user
</If>
<Else>
AuthType None
Require all granted
</Else>
#Order allow,deny
#Allow from 192.168.0.0/16
Satisfy all
NTLM Authenticator can query through LDAP for user membership. This information is stored in the session and can be used for authorization (ACL).
$service->loadAuthenticator(NTLMAuthenticator::class, [
'domains' => [
'exampledomain' => [
'ldap' => [
'srv' => 'active-directory.example.com',
'user' => base64_encode('[email protected]'),
'pass' => base64_encode('UserPassword'),
'dn' => 'OU=Departaments, DC=example, DC=com',
'dn_users' => 'CN=Users, DC=example, DC=com',
],
'config' => [
'some_key' => 'some_data',
],
],
'exampledomain2' => [
'ldap' => [
'srv' => 'active-directory.example2.com',
'user' => base64_encode('[email protected]'),
'pass' => base64_encode('UserPassword2'),
'dn' => 'OU=Departaments, DC=example2, DC=com',
'dn_users' => 'CN=Users, DC=example2, DC=com',
],
'config' => [
'some_key' => 'some_data',
],
],
],
]);
The configured credentials should have query-only access to the LDAP service and no other privileges within the domain.
config
array is optional data can be stored in session auth data.
It allows configuring the logo of the organization and other data common to the users of a domain that the application needs to use.
The application does not have any access to validated user passwords, all NTLM authentication is negotiated between the Apache server and the browser.