fawno / ntlm-authentication
NTLM Authenticator for CakePHP 4.3
Installs: 5
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 2
Forks: 0
Open Issues: 0
Type: cakephp-plugin
Requires
- php: >=7.2
- cakephp/authentication: 2.*
- cakephp/cakephp: ^4.3
Requires (Dev)
- phpunit/phpunit: ~8.5.0 || ^9.3
Suggests
- ext-ldap: *
This package is auto-updated.
Last update: 2024-10-26 08:29:31 UTC
README
NTLM Authenticator for CakePHP 4 Authentication plugin
This plugin provides an NTLM Authenticator for CakePHP 4 authentication plugin.
Requirements
- PHP >= 7.2.0
- Apache 2.4 with the SSPI NTLM-based authentication module (mod_authn_ntlm)
- CakePHP >= 4.3.0
- CakePHP Authentication >= 2.0
Optional:
- ext-ldap (LDAP php extension)
Installation
Install this plugin into your application using composer:
- Add the fawno/ntlm-authentication package to your project:

```shell
composer require fawno/ntlm-authentication
```

- Import the NTLMAuthenticator in your Application.php:

```php
use Fawno\NTLM\Authenticator\NTLMAuthenticator;
```

- Load the NTLMAuthenticator in your Authentication Service (Application.php):

```php
// Load the authenticators. Session should be first.
$service->loadAuthenticator('Authentication.Session');
$service->loadAuthenticator(NTLMAuthenticator::class, [
    'domains' => [],
]);
```
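The three installation steps wired together into a complete Application.php, as an added example that is not part of the plugin's README or code. It registers the Authentication middleware, builds the service with the session and NTLM authenticators, and reads the LDAP bind credentials from the environment instead of hard-coding them. The environment variable names NTLM_LDAP_USER and NTLM_LDAP_PASS, the `logo` key inside `config`, and the redirect of anonymous visitors to /login (the route the Apache configuration below protects with NTLM) are assumptions of this example.

```php
<?php
// Added example (not part of fawno/ntlm-authentication): a CakePHP 4
// Application.php that registers the Authentication middleware and loads the
// session authenticator followed by the NTLM authenticator.
// Assumptions: LDAP bind credentials come from the environment variables
// NTLM_LDAP_USER / NTLM_LDAP_PASS (hypothetical names); anonymous visitors are
// redirected to /login, the only route Apache protects with NTLM.
declare(strict_types=1);

namespace App;

use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceInterface;
use Authentication\AuthenticationServiceProviderInterface;
use Authentication\Middleware\AuthenticationMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Middleware\RoutingMiddleware;
use Cake\Routing\Router;
use Fawno\NTLM\Authenticator\NTLMAuthenticator;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication implements AuthenticationServiceProviderInterface
{
    public function bootstrap(): void
    {
        parent::bootstrap();
        // The Authentication plugin must be loaded before its middleware is used.
        $this->addPlugin('Authentication');
    }

    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        // Error handling, asset and body-parser middleware omitted for brevity.
        $middlewareQueue->add(new RoutingMiddleware($this));
        // Authentication runs after routing, as the Authentication plugin requires.
        $middlewareQueue->add(new AuthenticationMiddleware($this));

        return $middlewareQueue;
    }

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $service = new AuthenticationService([
            // Anonymous visitors are sent to the NTLM-protected route.
            'unauthenticatedRedirect' => Router::url('/login'),
            'queryParam' => 'redirect',
        ]);

        // Session first, so an identity established at /login is reused afterwards.
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator(NTLMAuthenticator::class, [
            'domains' => [
                'exampledomain' => [
                    'ldap' => [
                        'srv' => 'active-directory.example.com',
                        // base64 is the format the plugin expects; it is not protection.
                        // The secret itself lives in the environment, not in this file.
                        'user' => base64_encode((string)env('NTLM_LDAP_USER', '')),
                        'pass' => base64_encode((string)env('NTLM_LDAP_PASS', '')),
                        'dn' => 'OU=Departaments, DC=example, DC=com',
                        'dn_users' => 'CN=Users, DC=example, DC=com',
                    ],
                    'config' => [
                        // Assumed key: data shared by all users of this domain.
                        'logo' => '/img/exampledomain.png',
                    ],
                ],
            ],
        ]);

        return $service;
    }
}
```

The two `env()` calls use CakePHP's global helper, so the same file works unchanged in development (a `.env` loaded by the app) and in production (variables injected by the process manager), and the bind password never lands in the repository.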
Configuration
Placeholders used in the examples below:
- exampledomain: short domain name
- example.com: full domain name
Apache with SSPI NTLM based authentication module (mod_authn_ntlm)
Only requests to routes ending in /login are authenticated with NTLM; the rest of the application relies on the session established there. webroot\.htaccess:

```apache
<If "%{THE_REQUEST} =~ m#GET .*/login(\?.*)? HTTP.*#">
    AuthName "Example App"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    NTLMDomain exampledomain
    # keep domain name in userid string
    NTLMOmitDomain Off
    # let non-IE clients authenticate
    NTLMOfferBasic On
    # should basic authentication have higher priority
    NTLMBasicPreferred Off
    NTLMUsernameCase lower
    Require valid-user
</If>
<Else>
    AuthType None
    Require all granted
</Else>
#Order allow,deny
#Allow from 192.168.0.0/16
Satisfy all
```

Apache does not accept a comment on the same line as a directive, so the explanatory comments are placed on their own lines. With NTLMOfferBasic On, a client that cannot negotiate NTLM falls back to HTTP Basic authentication, which sends the password base64-encoded in the Authorization header; serve the /login route over HTTPS only. The commented-out Order/Allow lines show how to additionally restrict the login route to an internal address range; they use the Apache 2.2 syntax, and on 2.4 the equivalent is Require ip 192.168.0.0/16.
NTLMAuthenticator
The NTLM Authenticator can query LDAP for the user's group membership. This information is stored in the session and can be used for authorization (ACL).

```php
$service->loadAuthenticator(NTLMAuthenticator::class, [
    'domains' => [
        'exampledomain' => [
            'ldap' => [
                'srv' => 'active-directory.example.com',
                'user' => base64_encode('user@example.com'),
                'pass' => base64_encode('UserPassword'),
                'dn' => 'OU=Departaments, DC=example, DC=com',
                'dn_users' => 'CN=Users, DC=example, DC=com',
            ],
            'config' => [
                'some_key' => 'some_data',
            ],
        ],
        'exampledomain2' => [
            'ldap' => [
                'srv' => 'active-directory.example2.com',
                'user' => base64_encode('user@example2.com'),
                'pass' => base64_encode('UserPassword2'),
                'dn' => 'OU=Departaments, DC=example2, DC=com',
                'dn_users' => 'CN=Users, DC=example2, DC=com',
            ],
            'config' => [
                'some_key' => 'some_data',
            ],
        ],
    ],
]);
```

The configured credentials should have query-only (read) access to the LDAP service and no other privileges within the domain. Note that base64_encode() is an encoding, not encryption: anyone who can read the configuration can recover the password, so keep it out of version control and load it from the environment or a secrets store rather than writing it into Application.php.
The config array is optional; its contents are stored in the session authentication data. It allows configuring the organization's logo and other data common to the users of a domain that the application needs to use.
The application never has access to the validated user's password: the whole NTLM authentication exchange is negotiated between the Apache server and the browser.
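The membership lookup described in this section, written out with ext-ldap as an added example that is not the plugin's own code. It takes the README's `ldap` keys (srv, user, pass, dn_users) and the identity that mod_authn_ntlm places in REMOTE_USER (in DOMAIN\user form because NTLMOmitDomain is Off), and returns the user's group names. The directory being Active Directory (sAMAccountName and memberOf attributes), LDAPS on port 636, and the sample REMOTE_USER value are assumptions of this example.

```php
<?php
// Added example (not fawno/ntlm-authentication's code): group membership lookup
// of the kind the README describes, using ext-ldap and the README's config keys.
// Assumptions: Active Directory (sAMAccountName / memberOf), LDAPS on 636,
// REMOTE_USER set by mod_authn_ntlm as "DOMAIN\user".
declare(strict_types=1);

/**
 * Split "DOMAIN\user" into its parts; null if the value is not domain-qualified.
 * The domain is lowercased to match the keys of the 'domains' config array.
 */
function splitNtlmUser(string $remoteUser): ?array
{
    $parts = explode('\\', $remoteUser, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    return ['domain' => strtolower($parts[0]), 'user' => $parts[1]];
}

/**
 * Reduce memberOf DNs such as "CN=Sales,OU=Departaments,DC=example,DC=com" to ["Sales"].
 * $memberOf is an ldap_get_entries() attribute array (has a 'count' key).
 */
function groupNamesFromMemberOf(array $memberOf): array
{
    $names = [];
    for ($i = 0; $i < ($memberOf['count'] ?? 0); $i++) {
        $rdns = ldap_explode_dn($memberOf[$i], 1); // 1 = values only, first RDN is the CN
        if ($rdns !== false && isset($rdns[0])) {
            $names[] = $rdns[0];
        }
    }
    sort($names);
    return $names;
}

/**
 * Bind with the read-only service account and return the group names of $username.
 * $ldap uses the README's keys: srv, user (base64), pass (base64), dn_users.
 */
function lookupGroups(array $ldap, string $username): array
{
    $conn = ldap_connect('ldaps://' . $ldap['srv'] . ':636');
    if ($conn === false) {
        throw new RuntimeException('cannot initialise LDAP connection');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // do not chase AD referrals

    if (!@ldap_bind($conn, base64_decode($ldap['user']), base64_decode($ldap['pass']))) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($conn));
    }

    // REMOTE_USER is authenticated, but it is still text chosen by whoever owns the
    // account name; escaping keeps it from altering the filter structure.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $result = ldap_search($conn, $ldap['dn_users'], $filter, ['memberOf']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);

    if ($entries['count'] !== 1) {
        return []; // unknown or ambiguous account: grant no memberships
    }
    return groupNamesFromMemberOf($entries[0]['memberof'] ?? ['count' => 0]);
}

// Usage with a constructed REMOTE_USER value, as Apache would set it after NTLM.
$domains = [
    'exampledomain' => [
        'ldap' => [
            'srv' => 'active-directory.example.com',
            'user' => base64_encode('user@example.com'),
            'pass' => base64_encode('UserPassword'),
            'dn' => 'OU=Departaments, DC=example, DC=com',
            'dn_users' => 'CN=Users, DC=example, DC=com',
        ],
    ],
];
$id = splitNtlmUser($_SERVER['REMOTE_USER'] ?? 'exampledomain\\jdoe');
if ($id !== null && isset($domains[$id['domain']]['ldap'])) {
    $groups = lookupGroups($domains[$id['domain']]['ldap'], $id['user']);
    // $groups, e.g. ['Sales'], is what would be stored in the session auth data
    // and consulted by the authorization layer.
}
```

Two things to keep in mind when using memberOf this way: it does not list the account's primary group (usually Domain Users) or groups reached only through nesting, and the ldap_escape() call is not optional, since a name such as `*)(objectClass=*` would otherwise widen the search to every object under dn_users.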