Aegir-1.0.3 and NTLM authentication

Fri 8th April 2005 07:10 EEST

The Aegir CMS is unable to do single sign-on with NTLM authentication. This is because Aegir natively uses the Nemein_Authentication library, which does not understand Midgard's basic authentication (the mechanism that NTLM authentication also relies on).

To force Aegir to support single sign-on together with NTLM, the following changes must be made (DISCLAIMER: The changes have been tested with an Aegir-1.0.3 installation. I tested Aegir with both NTLM authentication and regular Nemein_Authentication, and found that everything was working properly. However, the tests included only articles and attachments - there may be some other hidden problems elsewhere. So, keep another admin interface handy in case your Aegir breaks!):

  • Turn on authentication in the Aegir host record. NOTE: I'm using a sitegrouped Aegir (www.example.com:8001/aegir) and have an SG0 Aegir (www.example.com:8002/aegir_sg0) available under a separate host.

  • Modify Nemein_Authentication library

    • Snippet: /Nemein_Authentication/Functions

      • function auth_by_cookies()

        // Disable cookie checking when the basic auth is in use and user is set, place this right in the beginning
        if ($GLOBALS['midgard']->auth && $GLOBALS['midgard']->user) {
            return false;
        }
        
  • Modify Aegir libraries

    • Snippet: /AegirCore/lib/auth

      // Provide alternative authentication routine for the basic auth, add this right after the if ($logout) clause
      } elseif ($GLOBALS['midgard']->auth) {
          $aegir_user = mgd_get_person($GLOBALS['midgard']->user);
          $mgd_login['uid'] = $aegir_user->id;
      }
      
    • Snippet: /AegirCore/lib/auth_functions

      • function aegir_sitegroup_reauth($sitegroup)

        // Provide fallback routine for the basic auth, place this right in the beginning
        if ($GLOBALS['midgard']->auth && $GLOBALS['midgard']->user) {
            return;
        }
        
    • Page: /Aegir CMS/rcs

      // Provide a fallback for the $currentuser check
      if (!$currentuser) {
          if (!$currentuser = mgd_get_person($GLOBALS['midgard']->user)) {
              quitit();
          }
      }
      // Provide fallback for the basic auth: skip the cookie username comparison only
      // when Midgard basic auth is in use ($currentuser is always set after the block
      // above, so testing !$currentuser here would disable the check for everyone)
      if (strtolower($currentuser->username) != strtolower($set["username"])
          && !$GLOBALS['midgard']->auth) {
          echo "cookie problem?";
          exit;
      }
      

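As an added example (not part of the original post or of Aegir's own code), the following PHP helper collects the repeated "basic auth takes precedence" decision from the snippets above into one function and, instead of silently skipping the cookie comparison, logs a mismatch between the basic-auth user and a leftover Aegir cookie. aegir_resolve_user() is a hypothetical name; mgd_get_person() and $GLOBALS['midgard']->auth / ->user are the Midgard calls the snippets above already use.

```php
<?php
// Added example, not from the original post. aegir_resolve_user() is a
// hypothetical helper name; mgd_get_person() and $GLOBALS['midgard']->auth /
// ->user are the Midgard calls the post's own snippets rely on.
//
// Returns the Midgard person object when Midgard has already completed
// basic (NTLM) authentication, or null so the caller falls through to the
// regular Nemein_Authentication cookie path.
function aegir_resolve_user($cookie_username = null)
{
    $mgd = $GLOBALS['midgard'];

    // Same test as in auth_by_cookies() and aegir_sitegroup_reauth():
    // basic auth in use and a user id set by Midgard.
    if (!($mgd->auth && $mgd->user)) {
        return null;
    }

    $person = mgd_get_person($mgd->user);
    if (!$person) {
        // Midgard authenticated a uid we cannot load; treat as not logged in
        // rather than handing back a half-initialised object.
        return null;
    }

    // A stale Aegir cookie may still name a different account. The cookie is
    // not trusted here (basic auth wins), but the mismatch is worth a log line
    // so that leftover sessions are visible to the admin.
    if ($cookie_username !== null
        && strtolower($person->username) != strtolower($cookie_username)) {
        error_log("aegir: basic-auth user '" . $person->username
            . "' differs from cookie user '" . $cookie_username . "'");
    }

    return $person;
}

// Usage in /Aegir CMS/rcs (constructed; $set["username"] comes from the
// cookie data the page already reads):
// $currentuser = aegir_resolve_user(isset($set["username"]) ? $set["username"] : null);
// if (!$currentuser) { quitit(); }
```
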
After the changes you can point your browser directly to http://www.example.com/aegir/newframeset/ to get single sign-on authentication. In case you want to compare your code, I made an RTF file that shows the changed parts of the code in bold.

Update 2005-04-25: The link to the RTF had a typo. Thanks Solt!