Rack-ntlm

Description

Rack middleware for transparent authentication with NTLM.

This is a fork from lukefx/rack-ntlm on Github. This makes the Rack middleware a gem and uses net/ldap to search the user against an ActiveDirectory server.

This is work in progress, so contributions are welcome.

Known Limitations (TO-DOs):

Dependencies

Usage (with Rails):

On your config/environment.rb:

config.gem 'rubyntlm', :lib => 'net/ntlm'
config.gem 'net-ldap', :lib => 'net/ldap'
config.gem 'rack-ntlm'

config.middleware.use "Rack::Ntlm", {
  :uri_pattern => /\/login/                       # (default = /\//) (any URL)
  :host => '<Active Directory hostname>',
  :port => 389,                                   # default = 389
  :base => 'Base namespace for LDAP search',
  :search_filter => '(dn=%1)'                     # default = (sAMAccountName=%1)
  :auth => {
    :username => '<username to bind to LDAP>',
    :password => '<password to bind to LDAP>'
  }
}

Then run:

rake gems:install
rake gems:unpack (optional, if you want to vendor the gem)

Example

When a client needs to authenticate itself to a proxy or server using the NTLM scheme then the following 4-way handshake takes place (only parts of the request and status line and the relevant headers are shown here; “C” is the client, “S” the server):

1: C –> S GET …

2: C <– S 401 Unauthorized

WWW-Authenticate: NTLM

3: C –> S GET …

Authorization: NTLM <base64-encoded type-1-message>

4: C <– S 401 Unauthorized

WWW-Authenticate: NTLM <base64-encoded type-2-message>

5: C –> S GET …

Authorization: NTLM <base64-encoded type-3-message>

6: C <– S 200 Ok

Copyright © 2009-2010 [Rack-Ntlm], released under the MIT license