NTLM Authorization in Active Directory via PHP under NGINX

How do I set up NTLM authorization against the domain via PHP, without prompting the user for their credentials?


Answer 1

nginx does not support authorization against AD. There is a feature request, but it seems to have stalled …

So you need to delegate authorization to your script. How to do that is explained here. All that remains is to connect from the PHP script to the AD server, for example like this, or with any LDAP library.


Answer 2

Something like this? O_o

<?php
$headers = apache_request_headers();     // request headers (under nginx/php-fpm this works since PHP 5.4; getallheaders() is an alias)
if (!isset($headers['Authorization'])) { // no Authorization header yet
  header('HTTP/1.1 401 Unauthorized');   // ask the client to authenticate
  header('WWW-Authenticate: NTLM');      // offer the NTLM scheme
  exit;
}
// the client has sent something in Authorization
if (substr($headers['Authorization'],0,5) == 'NTLM ') { // it is an NTLM message
  $chain = base64_decode(substr($headers['Authorization'],5)); // decoded NTLMSSP message
  switch (ord($chain[8])) { // byte 8 is the message type
    case 3: // type-3 (authenticate): five security buffers follow the 12-byte header
      foreach (array('LM_resp','NT_resp','domain','user','host') as $k=>$v) {
        // each buffer is length(2) maxlength(2) offset(4); reading from +14 takes maxlength and the low 16 bits of offset
        extract(unpack('vlength/voffset',substr($chain,$k*8+14,4)));
        $val = substr($chain,$offset,$length);
        echo "$v: ".($k<2 ? hex_dump($val) : iconv('UTF-16LE','CP1251',$val))."<br>\r\n";
      }
      exit;
    case 1: // type-1 (negotiate); byte 13 carries flags: 0xB2 (178) or 0x82 (130). 178 -> B2, 130 -> 82
        // which of the two appears depends on the client (IE sends 0xB2 with integrated Windows authentication)
      if (ord($chain[13]) == 0x82||ord($chain[13]) == 0xB2) { // NTLM flag byte at offset 13 of the type-1 message
        $chain = "NTLMSSP\x00".// signature
                 "\x02" /* message type 2, then zero-length target name */ ."\x00\x00\x00\x00\x00\x00\x00".
                 "\x28\x00" /* target name offset (40) */ ."\x00\x00".
                 "\x01\x82" /* negotiate flags */ ."\x00\x00".
                 "\x00\x02\x02\x02\x00\x00\x00\x00". // nonce (server challenge; constant here, so the response is never actually checked)
                 "\x00\x00\x00\x00\x00\x00\x00\x00"; // context (reserved)
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM '.base64_encode($chain)); // send the type-2 challenge
        exit;
      }
  }
}
function hex_dump($str){ // bytes as space-separated hex pairs
  return implode(' ', str_split(bin2hex($str), 2));
}
?>

Your browser or the proxy server you are using is incompatible with NTLM; use IE … thanks
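The answer's script walks the same NTLMSSP byte layout that the following added example formalizes; the example is not the code of either answer and is written here for illustration. It assumes PHP 7.1 or later with iconv, and the function names ntlm_type, ntlm_build_type2, ntlm_parse_type3 and sample_type3 are its own. It differs from the script above in three ways a defender would want: the server challenge is random instead of constant, every security-buffer descriptor in the type-3 message is bounds-checked before it is dereferenced, and the sample type-3 it parses is constructed inline (dummy responses, no real NTLM computation) so the whole thing runs from the command line.

```php
<?php
// Added example (not from the original answers): strict NTLMSSP message handling.
// Assumes PHP >= 7.1 with iconv; all function names are this example's own.

const NTLM_SIGNATURE = "NTLMSSP\x00";

// Message type (1, 2 or 3), or null when the blob is not an NTLMSSP message.
function ntlm_type(string $blob): ?int
{
    if (strlen($blob) < 12 || substr($blob, 0, 8) !== NTLM_SIGNATURE) {
        return null;
    }
    return unpack('V', substr($blob, 8, 4))[1];
}

// Type-2 (challenge). Fixed part is 40 bytes: signature(8), type(4), target-name
// buffer(8), flags(4), challenge(8), context(8); the target name follows at offset 40.
function ntlm_build_type2(string $challenge, string $target = ''): string
{
    if (strlen($challenge) !== 8) {
        throw new InvalidArgumentException('NTLM challenge must be exactly 8 bytes');
    }
    $targetUtf16 = iconv('UTF-8', 'UTF-16LE', $target);
    $flags = 0x00000001 | 0x00000200 | 0x00008000; // UNICODE | NTLM | ALWAYS_SIGN
    if ($target !== '') {
        $flags |= 0x00010000;                      // TARGET_TYPE_DOMAIN
    }
    return NTLM_SIGNATURE
        . pack('V', 2)
        . pack('vvV', strlen($targetUtf16), strlen($targetUtf16), 40)
        . pack('V', $flags)
        . $challenge
        . str_repeat("\x00", 8)                    // context, reserved
        . $targetUtf16;
}

// Type-3 (authenticate). Five security buffers (length, max length, offset) at
// bytes 12..51 describe LM response, NT response, domain, user and workstation.
function ntlm_parse_type3(string $blob): ?array
{
    if (ntlm_type($blob) !== 3 || strlen($blob) < 52) {
        return null;
    }
    $out = [];
    foreach (['lm_resp', 'nt_resp', 'domain', 'user', 'host'] as $i => $name) {
        $buf = unpack('vlen/vmax/Voff', substr($blob, 12 + $i * 8, 8));
        if ($buf['off'] + $buf['len'] > strlen($blob)) {
            return null; // descriptor points outside the message: truncated or hostile
        }
        $raw = substr($blob, $buf['off'], $buf['len']);
        if ($i >= 2) {
            if ($buf['len'] % 2 !== 0) {
                return null; // UTF-16LE strings have an even byte length
            }
            $raw = iconv('UTF-16LE', 'UTF-8', $raw);
        }
        $out[$name] = $raw;
    }
    return $out;
}

// Constructed sample type-3 (dummy responses, layout only). Header is 64 bytes
// here because it also carries the empty session-key buffer and the flags.
function sample_type3(): string
{
    $parts = [
        str_repeat("\x00", 24),                 // LM response (dummy)
        str_repeat("\x11", 24),                 // NT response (dummy)
        iconv('UTF-8', 'UTF-16LE', 'EXAMPLE'),  // domain
        iconv('UTF-8', 'UTF-16LE', 'alice'),    // user
        iconv('UTF-8', 'UTF-16LE', 'WS01'),     // workstation
    ];
    $bufs = '';
    $payload = '';
    foreach ($parts as $p) {
        $bufs .= pack('vvV', strlen($p), strlen($p), 64 + strlen($payload));
        $payload .= $p;
    }
    return NTLM_SIGNATURE . pack('V', 3) . $bufs
        . pack('vvV', 0, 0, 64)                 // empty session-key buffer
        . pack('V', 0x00000201)                 // UNICODE | NTLM
        . $payload;
}

if (PHP_SAPI === 'cli') {
    $type2 = ntlm_build_type2(random_bytes(8), 'EXAMPLE');
    printf("WWW-Authenticate: NTLM %s\n", base64_encode($type2));
    print_r(ntlm_parse_type3(sample_type3())); // domain EXAMPLE, user alice, host WS01
}
```

Two caveats apply to this example as much as to the script above. First, extracting domain and user from the type-3 message is not authentication: those fields are whatever the client claims, and only validating the NT response against the domain controller (for instance through Samba's ntlm_auth helper backed by winbindd) turns the name into a verified identity. Second, a random challenge is only useful if the server can later match the type-3 response to it; behind FastCGI the script has no connection identity, so the challenge has to be remembered per client, for example in a server-side session keyed by a cookie set together with the type-2 response.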