Hi,

I'm developing an intranet application with authentication provided by
Apache::AuthCookieNTLM. Tests are working perfectly for internal users
(thank you, module authors) -- but the site must also be available to
external users through an extranet.

The requirement here is that, where a user connects internally, the
system recognises their Windows account and personalises the site
accordingly. However, when an external user visits the site, they
should be able to gain immediate access, and merely lack a username.

Consequently, I'm hoping to be able to set up authentication such that,
where NTLM (or the cookie) is available, authentication takes place,
and where it isn't available, the phase merely returns OK.

Here's the config I'm using to test this:

    PerlModule Apache::AuthenNTLM
    PerlModule Apache::AuthCookieNTLM
    PerlModule Apache::Constants
    PerlModule Apache::Registry

    <Location "/ntlm">
        PerlAuthenHandler Apache::AuthCookieNTLM Apache::Constants::OK
        AuthType ntlm
        AuthName eWok
        require valid-user
        PerlAddVar ntdomain "xxxx xxxx xxxx"
        PerlSetVar defaultdomain xxxx
        PerlSetVar ntlmdebug 1
        PerlSetVar ntlmsemkey 0
        PerlSetVar ntlmauthoritative off
        PerlSetVar basicauthoritative off
        PerlSetVar eWokName eWokLogin
        SetHandler perl-script
        PerlHandler Apache::Registry
    </Location>

This works great for internal requests, but I still get the normal
basic authentication box appear for external requests. The debug
information for a sample external request is as follows:

    AuthCookieNTLM - Looking for Cookie Name: eWokLogin
    [15002] AuthenNTLM: Config Domain = xxxx
    pdc = xxxx bdc = xxxx
    [15002] AuthenNTLM: Config Default Domain = xxxx
    [15002] AuthenNTLM: Config Fallback Domain =
    [15002] AuthenNTLM: Config AuthType = ntlm AuthName = eWok
    [15002] AuthenNTLM: Config Auth NTLM = 1 Auth Basic = 0
    [15002] AuthenNTLM: Config NTLMAuthoritative = off
    BasicAuthoritative = off
    [15002] AuthenNTLM: Config Semaphore key = 23754 timeout = 2
    [15002] AuthenNTLM: Config SplitDomainPrefix =
    [15002] AuthenNTLM: Authorization Header <not given>
    [Fri Dec 16 12:01:50 2005] [error] access to /ntlm failed for ,
    reason: Bad/Missing NTLM/Basic Authorization Header for /ntlm

As you can see, I was hoping that having Apache::Constants::OK in the
stack for the AuthenHandler, setting the AuthType to "ntlm" (rather
than "ntlm,basic"), and setting both NTLMAuthoritative and
BasicAuthoritative to "off" would give me the effect that I wanted.
I've checked that $r->can_stack_handlers returns 1.

What am I missing here? Is it possible to achieve this effect without
creating a wrapper around Apache::AuthCookieNTLM? If not, what might I
need to override in order to achieve this?

Any advice, as always, would be most gratefully received.

Cheers,
Andrew.