Plugin NTLM Authentication - Integration Manual v1.0.0


Credential retrieval: CredentialsProvider

The plugin provides a new extension point of type org.ametys.runtime.authentication.CredentialsProvider in charge of retrieving user logins via the NTLM protocol.

Modify the file WEB-INF/param/runtime.xml to use this extension point:

<org.ametys.runtime.authentication.CredentialsProvider>org.ametys.plugins.ntlm.authentication.NTLM</org.ametys.runtime.authentication.CredentialsProvider>

The user manager must be the LDAP manager (file WEB-INF/param/runtime.xml):

<org.ametys.runtime.user.UsersManager>org.ametys.runtime.plugins.core.Ldap</org.ametys.runtime.user.UsersManager>

Authentication manager

The extension point org.ametys.runtime.authentication.AuthenticationManager determines whether the login is authorized to connect to the application.

In WEB-INF/param/authentication.xml you must use the org.ametys.runtime.plugins.core.authentication.HasRightAuthentication manager:

<authentications>
    <authentication>org.ametys.runtime.plugins.core.authentication.HasRightAuthentication</authentication>
</authentications>

To find out more about user authentication on Ametys and the choice of managers, visit the User authentication page.

Apache configuration

Your Apache server configuration (httpd.conf file) must include the following rules:

httpd.conf

# Rules for NTLM authentication by Jespa
RewriteRule .* - [E=INFO_REMOTE_ADDR:%{REMOTE_ADDR},NE]
RewriteRule .* - [E=INFO_REMOTE_PORT:%{REMOTE_PORT},NE]
RequestHeader set Jespa-Connection-Id "%{INFO_REMOTE_ADDR}e:%{INFO_REMOTE_PORT}e"

Please note that mod_headers (required by the RequestHeader directive) must be enabled in the Apache configuration.
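The three rules above exist because NTLM is a multi-message handshake tied to one TCP connection: behind a reverse proxy the application no longer sees the client's own connection, so Apache hands it a stable identifier built from the client's address and source port. The following virtual host is an added example showing those rules in a complete, minimal reverse-proxy configuration; it is not configuration shipped by Ametys or Jespa. The server name, the backend address 127.0.0.1:8080, and the module paths are assumptions.

```apache
# Added example: minimal reverse-proxy virtual host applying the Jespa rules.
# Module paths, server name and backend address are assumptions.
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    # Assumed host name of the Ametys application.
    ServerName cms.example.com

    RewriteEngine On
    # Rules for NTLM authentication by Jespa: copy the client's address and
    # source port into environment variables...
    RewriteRule .* - [E=INFO_REMOTE_ADDR:%{REMOTE_ADDR},NE]
    RewriteRule .* - [E=INFO_REMOTE_PORT:%{REMOTE_PORT},NE]
    # ...and expose them to the application as one header. "set" replaces any
    # Jespa-Connection-Id header the client sent itself, so the value always
    # describes the TCP connection Apache actually accepted.
    RequestHeader set Jespa-Connection-Id "%{INFO_REMOTE_ADDR}e:%{INFO_REMOTE_PORT}e"

    # Forward everything to the application server (assumed address).
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Because the application trusts this header to correlate the NTLM exchange, the application server should only be reachable through Apache; if clients can connect to it directly, the header no longer reflects a connection Apache observed. After enabling the modules, `apachectl -M` lists rewrite_module and headers_module, and `apachectl configtest` confirms the syntax.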

Test or development environment

For your test or development environment, you can download the Jespa demo library, valid for 60 days, from http://www.ioplex.com/downloads.php

Copy the jespa-1.1.x.jar file into the WEB-INF/lib directory of your application.

Production deployment

For production deployment, you must purchase a Jespa license from IOPLEX: http://www.ioplex.com/purchase.php

Then follow the instructions sent by email to update the Jespa library with the license.

Copy the jespa-1.1.x.jar file into the WEB-INF/lib directory of your application.

Creating a Computer Account

After downloading Jespa, use the SetupWizard.vbs script to create a Computer Account in Active Directory whose name ends in $ and is at most 15 characters long (including the $).

This account will allow access to the NETLOGON service to verify user authentication.

Set the Computer Account password using the SetComputerPassword.vbs script:

SetComputerPassword [computer_account_name]$@[domain] [password]
