NTLM is the challenge/response authentication scheme that Internet Explorer uses to log a user in to a web site automatically with their Windows OS login credentials, without ever prompting for a password. Lots of intranet applications rely on this within an organization. What’s neat is that it isn’t limited to Internet Explorer and IIS.
First off, Firefox can do NTLM as well. In version 1.0, navigate to about:config and find network.automatic-ntlm-auth.trusted-uris. Give it a value such as a domain (guyton.net) that you trust with your OS login credentials; multiple hosts can be entered, separated by commas. After that, automatic logins! Be deliberate about what goes in this list: every host it matches gets an automatic NTLM handshake, and a hostile server in that set can capture the challenge response for offline cracking or relay it elsewhere, so only list hosts you would hand your domain credentials to.
Note that to do this in IE, you go to Internet Options – Security – Local Intranet (or Trusted Sites) and add the host there (it may need to be a pattern such as *.guyton.net rather than a bare domain name).
OK, so enough about the browsers, what about the back-end servers? Since we like UNIX here, we aren’t gonna touch IIS. Apache 2 is our favorite way to go, and two methods exist:
- mod_ntlm – an Apache module that can be loaded and enabled on a per-site basis
- Apache::AuthenNTLM – a Perl authentication handler that runs under mod_perl
So far I’ve experimented with the first one, and it seems to work OK. After half a day it seems that the website gets pretty slow in responding, so I suspect a memory leak.
I plan on trying the second one out tomorrow. It seems to support multiple domains and PDCs/BDCs for each, and returns the domain as well as the userid in the REMOTE_USER env var, which I need.
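To make the protocol side of this concrete, and to show where that DOMAIN\user value in REMOTE_USER comes from, here is an added Python example (not code from this post, from mod_ntlm or from Apache::AuthenNTLM). It builds the Type 3 (AUTHENTICATE) message a browser sends in its Authorization: NTLM header, parses it back with bounds checks on the security-buffer offsets, and derives the REMOTE_USER string the way a server module would. The domain, user and workstation names, the zeroed 24-byte LM/NT responses and the helper names are all constructed for the example; computing real responses from the server challenge and the password hash is outside its scope.

```python
"""Build and parse NTLM Type 3 (AUTHENTICATE) messages as seen in HTTP
Authorization: NTLM headers, and derive the DOMAIN\\user REMOTE_USER value.
Constructed example; field layout follows MS-NLMP AUTHENTICATE_MESSAGE."""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"           # 8-byte signature at the start of every NTLM message
NEGOTIATE_UNICODE = 0x00000001     # strings in the payload are UTF-16LE
NEGOTIATE_OEM = 0x00000002         # strings in the payload are OEM (ASCII here)
NEGOTIATE_NTLM = 0x00000200        # NTLM authentication requested

# Fixed header: 8 sig + 4 type + 5 buffers*8 + 8 session-key buffer + 4 flags = 64
_HEADER_LEN = 64
_FLAGS_OFFSET = 60


def _buffer_desc(offset, data):
    """Security buffer descriptor: Len, MaxLen (uint16 LE), Offset (uint32 LE)."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_type3(domain, user, workstation, lm_response, nt_response,
                flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM):
    """Assemble an AUTHENTICATE_MESSAGE. The LM/NT responses are caller-supplied;
    deriving them from the server challenge is not covered here (constructed example)."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    payload = [lm_response, nt_response,
               domain.encode(enc), user.encode(enc), workstation.encode(enc)]
    header = NTLMSSP + struct.pack("<I", 3)
    offset = _HEADER_LEN
    for item in payload:              # each descriptor points into the payload area
        header += _buffer_desc(offset, item)
        offset += len(item)
    header += _buffer_desc(offset, b"")  # empty EncryptedRandomSessionKey
    header += struct.pack("<I", flags)
    assert len(header) == _HEADER_LEN
    return header + b"".join(payload)


def _read_buffer(msg, desc_pos):
    """Resolve a security buffer, refusing offsets that point outside the message."""
    length, _maxlen, off = struct.unpack_from("<HHI", msg, desc_pos)
    if off + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[off:off + length]


def parse_type3(msg):
    """Parse an AUTHENTICATE_MESSAGE into its named parts."""
    if len(msg) < _HEADER_LEN or msg[:8] != NTLMSSP:
        raise ValueError("not an NTLM message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected Type 3 message, got type {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, _FLAGS_OFFSET)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "lm_response": _read_buffer(msg, 12),
        "nt_response": _read_buffer(msg, 20),
        "domain": _read_buffer(msg, 28).decode(enc),
        "user": _read_buffer(msg, 36).decode(enc),
        "workstation": _read_buffer(msg, 44).decode(enc),
        "flags": flags,
    }


def to_authorization_header(msg):
    """Encode a message the way the browser sends it."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_authorization_header(value):
    """Accept 'NTLM <base64>' and return the parsed Type 3 message."""
    scheme, _, token = value.strip().partition(" ")
    if scheme != "NTLM" or not token:
        raise ValueError("not an NTLM Authorization header")
    return parse_type3(base64.b64decode(token))


def remote_user(info, include_domain=True, default_domain=""):
    """Build the REMOTE_USER value: 'DOMAIN\\user', or just 'user' when the
    domain is dropped (both conventions exist among server modules)."""
    domain = info["domain"] or default_domain
    if include_domain and domain:
        return f"{domain}\\{info['user']}"
    return info["user"]


if __name__ == "__main__":
    # Constructed sample: zeroed responses stand in for real LM/NT responses.
    msg = build_type3("GUYTON", "jdoe", "WS01", bytes(24), bytes(24))
    header = to_authorization_header(msg)
    info = parse_authorization_header(header)
    print(remote_user(info))          # GUYTON\jdoe
```

The bounds check in _read_buffer is the part worth copying: the five offset/length pairs are attacker-controlled bytes from the network, and a server-side parser that trusts them will read outside the message.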
These should in theory be able to authenticate against Samba as well, which in turn can get its account data from an LDAP server. This is nice because the whole thing can be implemented with Firefox, Samba, Apache, and OpenLDAP, eliminating reliance on Microsoft products (other than the Windows OS login itself) while still providing single sign-on.