Retrieving NTLM Active Directory user data into Rails without IIS

Time: 2022-06-06 02:57:47

I believe that we can allow Firefox to send NTLM data to SharePoint sites to do automatic authentication, and I think that this is doable with IIS.

I'd like to do the same thing with an internal Rails site.

Does anyone know of a way that I could authenticate NTLM type user information through an Apache/mongrel setup (provided of course that it's already running on a Windows box inside of an Active Directory domain)?

7 solutions

#1


2  

I'm assuming you've already worked out which HTTP headers you need to send in order to get Firefox and IE to send back the NTLM authentication stuff, and are just needing to handle that on the server side?

You could use some of Ruby's win32 libraries to access the underlying Windows authentication functions which handle the NTLM.

I'd suggest the path of least resistance might be to see if there is a COM component which can do the authentication for you, and if so, to use it using the Win32OLE Ruby library.

If there's no COM component, you might be able to find something in one of those other libraries which can invoke the native win32 methods for you.

If you can't find that, you'd have to write a Ruby C extension. I've done this on Linux, and extending Ruby is pretty easy, but you may find the Microsoft authentication APIs a bit painful.

Hope that gets you started on the right track :-)

#2


10  

I created a tutorial on how to install the patched mod_ntlm module for Apache on Linux, how to pass the NTLM authenticated username to Rails and how to create a Rails session from that. So as a result you do not need a Windows server for running a Rails application.

There you can find also how to enable automatic NTLM authentication in Firefox — enter "about:config" in location field and then search for "network.automatic-ntlm-auth.trusted-uris". There you can enter servers for which you would like to use automatic NTLM authentication.

#3


4  

Bit of extra info in case anyone stumbles across this.

I wanted to do something which I thought should be pretty simple - extract the user's Windows username using NTLM from a Rails app running on Mongrel/Windows (InstantRails actually). Having written the basic code to manage the various handshaking operations (using the great NTLMRuby library at http://rubyforge.org/projects/rubyntlm/) and having got it to work wonderfully in Firefox, I was somewhat frustrated to find IE not working.

Mongrel doesn't support keep-alives during the type1/2/3 message exchange (at least natively, I believe there's a hack/fix for it), which IE demands and Firefox gets by without.

So authenticating a Rails server running on Windows against a remote NTLM service (e.g. SharePoint or another web site) is reasonably straightforward, but authenticating an IE browser against a Rails server running on Windows not so much with Mongrel. IIS would be an option, as might be basic Apache with FastCGI. The former feels a bit clunky and the latter won't be as fast as Mongrel.
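
The type 3 message of the exchange mentioned in this answer carries the domain, username and workstation as security buffers; the following is an added example (not the poster's code and not the rubyntlm API) that parses them from an `Authorization: NTLM` header. The sample message is constructed, and the parsed names are only client-asserted until the NT response has been validated against the challenge issued on the same connection.

```ruby
require 'base64'

NTLM_SIG = "NTLMSSP\0".b
FLAG_UNICODE = 0x00000001 # NTLMSSP_NEGOTIATE_UNICODE

# Read one security buffer: len u16, maxlen u16, offset u32 (little-endian).
def ntlm_field(msg, pos, unicode)
  len, _max, off = msg.byteslice(pos, 8).unpack('vvV')
  raise ArgumentError, 'buffer outside message' if off + len > msg.bytesize
  raw = msg.byteslice(off, len)
  return raw.force_encoding('UTF-16LE').encode('UTF-8') if unicode
  raw.force_encoding('ISO-8859-1').encode('UTF-8') # OEM code page unknown: Latin-1 assumed
end

# Parse the value of an "Authorization: NTLM <base64>" request header.
def parse_ntlm_header(value)
  scheme, b64 = value.to_s.split(' ', 2)
  raise ArgumentError, 'not an NTLM header' unless scheme == 'NTLM' && b64
  msg = Base64.strict_decode64(b64).b
  unless msg.bytesize >= 12 && msg.byteslice(0, 8) == NTLM_SIG
    raise ArgumentError, 'bad NTLMSSP signature'
  end
  type = msg.byteslice(8, 4).unpack1('V')
  return { type: type } unless type == 3
  raise ArgumentError, 'truncated type 3 message' if msg.bytesize < 64
  unicode = (msg.byteslice(60, 4).unpack1('V') & FLAG_UNICODE) != 0
  { type: 3,
    domain: ntlm_field(msg, 28, unicode),
    user: ntlm_field(msg, 36, unicode),
    workstation: ntlm_field(msg, 44, unicode),
    verified: false } # names are client-asserted; the NT response is not checked here
end

# Constructed sample: a type 3 message for EXAMPLE\alice from host WS01,
# with empty LM/NT responses and session key.
def sample_type3_header
  parts = %w[EXAMPLE alice WS01].map { |s| s.encode('UTF-16LE').b }
  off = 64
  fields = [[0, 0, off].pack('vvV')] * 2
  parts.each do |p|
    fields << [p.bytesize, p.bytesize, off].pack('vvV')
    off += p.bytesize
  end
  fields << [0, 0, off].pack('vvV')
  msg = NTLM_SIG + [3].pack('V') + fields.join + [FLAG_UNICODE].pack('V') + parts.join
  'NTLM ' + Base64.strict_encode64(msg)
end
```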

#4


2  

You could also use the Apache ntlm module, which should pass a header onwards to your application with the username of the authenticated user. That module looks a bit old, but suggests some other modules that may suit your needs.
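
When a front-end Apache module passes the authenticated username on in a header, as answers #2 and #4 describe, the application has to make sure that header can only come from that front end. The Rack middleware below is an added example, not code from the linked tutorial; the header name `X-Forwarded-User`, the env key `app.ntlm_user` and the trusted address are assumptions.

```ruby
require 'ipaddr'

# Assumptions (not from the page): Apache sets X-Forwarded-User after the NTLM
# module succeeds, and only the loopback front end may reach the app server.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1')].freeze
USER_HEADER = 'HTTP_X_FORWARDED_USER'

# Rack middleware: accept the username header only from the trusted front end
# and delete it otherwise, so a client cannot supply its own identity.
class ProxyAuthUser
  def initialize(app)
    @app = app
  end

  def call(env)
    env['app.ntlm_user'] = self.class.user_from(env)
    env.delete(USER_HEADER) unless env['app.ntlm_user']
    @app.call(env)
  end

  # Returns { domain:, user: } or nil when the header is absent, malformed
  # or the request did not arrive from a trusted proxy address.
  def self.user_from(env)
    peer = IPAddr.new(env['REMOTE_ADDR'].to_s) rescue nil
    return nil unless peer && TRUSTED_PROXIES.any? { |p| p.include?(peer) }
    raw = env[USER_HEADER].to_s.strip
    m = raw.match(/\A(?:([A-Za-z0-9.\-]{1,64})\\)?([A-Za-z0-9._\-$]{1,104})\z/)
    m && { domain: m[1], user: m[2].downcase }
  end
end
```

The session should be created from `env['app.ntlm_user']` only, never from the raw header.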

#5


2  

Old question I know but I came across this looking for a similar answer.

You could use the methods described here (http://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication-for-rails-application/). However mod_ntlm is for Windows authentication on a UNIX/Linux machine. mod_auth_sspi is what you'll need for winNT authentication from Apache under Windows.

#6


2  

This particular project looks promising and is looking for contributors:

I haven't yet tried this out. For the moment I plan on implementing Raimonds' solution as it appears to have a lot of success.

#7


0  

Check out Waffle. It provides SSO on Windows to Java servers using the Win32 API. There are a number of implemented filters (servlet, tomcat valve, spring-security).
