Thanks P. I followed your advice and it worked. Here is what I did in case someone else is wrestling with this problem.

Overview
1. disabled my Perl::AuthNTLM
2. got mod_jk communication path working between apache and tomcat
3. added auth back in
4. tested

End Point - File contents

in my apache conf (available-sites/opengrok)
---------------------------------
# Configure communications between apache and tomcat
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/opengrok_jk.log
JkLogLevel debug
JkMount /* my_tomcat_instance

<Location />
    # Define your security here
    PerlAuthenHandler Apache2::AuthenNTLM
    # use NTLM auth
    AuthType ntlm
    require valid-user
    PerlAddVar requiregroup my_access_group
    PerlAddVar ntdomain "MYDOMAIN pdc_ipaddr"
    PerlAddVar defaultdomain MYDOMAIN
    PerlSetVar splitdomainprefix 1
    PerlSetVar ntlmdebug 1
    PerlSetVar ntlmauthoritative off
</Location>

in my workers properties file
---------------------------------
worker.list=my_tomcat_instance
worker.my_tomcat_instance.host=127.0.0.1
worker.my_tomcat_instance.port=8180
worker.my_tomcat_instance.type=ajp13

in my tomcat server.xml
---------------------------------
<Connector port="8180" protocol="AJP/1.3" tomcatAuthentication="false"/>

So, as P said, tomcat doesn't authenticate and Apache uses ajp to communicate with tomcat. Thus, there is no http proxying going on and the Perl NTLM auth module continues to work (seeing as it doesn't support proxy).

Thanks again.

On 10/25/07, Pid <[EMAIL PROTECTED]> wrote:
>
> Peter Kahn wrote:
> > Can someone let me know how to setup NTLM authentication such that all
> > access to tomcat is restricted to users in a specific group?
> >
> > I have an instance of tomcat and it is serving several opengrok web apps.
> > Each opengrok app is pointing at a different source tree. I want to
> > restrict access to all of these webapps to a specific group of users.
> >
> > When I offer php based webapps and restrict them to a group of users, I use
> > apache2 authentication with a perl based NTLM extension. Since tomcat is
> > running on a different port, I tried binding tomcat to localhost or
> > loopback only and then used the proxy directive from apache2 to offer
> > the applications to users on my lan. This worked, but the NTLM auth failed
> > when I added it in. I see my options as:
> > a) get apache auth to work via the proxy
> > b) forget apache auth and have tomcat handle the authentication.
>
> If you use the AJP connector with mod_jk (or in Apache 2.2,
> mod_proxy_ajp) you can continue to front your application with HTTPD
> NTLM authentication.
>
> Set the tomcatAuthentication connector attribute to false, as per:
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
>
> p
>
> > I looked around the docs, googling here and there but most authentication
> > appeared to be at the individual web application level and not for the
> > entire instance.
> > - Is authentication at the entire tomcat instance level a practice that
> > people do?
> > - Is there a standard way to tie it into NTLM?
> >
> > So, can you send me links or advice if you happen to know of a good resource
> > for this issue or see that I'm approaching it in a needlessly difficult way? Thanks
> >
>

--
Peter Kahn
[EMAIL PROTECTED]
[EMAIL PROTECTED], [EMAIL PROTECTED]
http://kahnstipation.blogspot.com | http://analogoustendencies.blogspot.com/
Awareness - Intention - Action
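A check on the end-point configuration above, as an added example that is not part of the original message: with tomcatAuthentication="false" Tomcat accepts the user name that Apache passes over AJP, so the Apache NTLM check only protects the webapps if no Tomcat connector can be reached around Apache. The function names are hypothetical, the `address`, `secret` and `requiredSecret` connector attributes do not appear in the thread, and the code assumes that a connector without an `address` attribute listens on all interfaces, as in the Tomcat 6.0 documentation the thread links to.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs: the connector as posted in the message above, and a
# variant with an address attribute added (an assumption, not from the thread).
AS_POSTED = """<Server><Service name="Catalina">
  <Connector port="8180" protocol="AJP/1.3" tomcatAuthentication="false"/>
</Service></Server>"""
LOOPBACK_ONLY = """<Server><Service name="Catalina">
  <Connector port="8180" protocol="AJP/1.3" address="127.0.0.1"
             tomcatAuthentication="false"/>
</Service></Server>"""


def is_loopback(addr):
    """True only when the connector is explicitly bound to a loopback address."""
    if not addr:
        return False  # assumption: no address attribute means all interfaces
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # any other host name is treated as reachable from the LAN


def audit_connectors(server_xml):
    """Return (port, reason) for each connector that can be reached around Apache."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if is_loopback(conn.get("address")):
            continue
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            findings.append((port, "HTTP connector reachable without Apache auth"))
            continue
        # tomcatAuthentication="false" means Tomcat takes the user name from the
        # AJP peer, so the peer has to be limited to the Apache front end.
        trusts_peer = conn.get("tomcatAuthentication", "true").lower() == "false"
        if not (conn.get("secret") or conn.get("requiredSecret")):
            reason = ("AJP peer can supply the user name" if trusts_peer
                      else "AJP reachable without Apache auth")
            findings.append((port, reason))
    return findings


if __name__ == "__main__":
    for name, xml in (("as posted", AS_POSTED), ("loopback only", LOOPBACK_ONLY)):
        print(name, audit_connectors(xml))
```

An empty list means every connector is bound to loopback or, for AJP, protected by a shared secret.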