⚠️ This gem does NOT verify the user password (see issue #1). It completes the NTLM handshake and extracts the user name from the Type-3 message, but never checks the challenge response the client sent.
If you need verification against Active Directory, the best solution is probably the one described in this comment.
Otherwise you need the hashed (LM, NT, etc.) form of your users' passwords and must check the Type-3 response against them yourself.
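The "manual check" the warning asks for, written out as an added example (this is not rack-ntlm code): an NTLMv2 Type-3 response is verified against a stored NT hash with nothing but HMAC-MD5, so no MD4 or DES is needed on the server. The NT hash, the `USER_DB` lookup table and the helper names (`ntowf_v2`, `ntlmv2_response`, `verify_ntlmv2`, `check_type3`) are constructed for the demo; the client-side `ntlmv2_response` is there only to produce a realistic response to check. The timestamp bound is an added replay-window check, not something NTLM itself mandates. NTLMv1 responses (DES over the NT or LM hash) are not covered.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not rack-ntlm code: verifying an NTLMv2 Type-3 response
# against a stored NT hash.

# Constructed NT hash for the demo. A real one is MD4(UTF-16LE(password)) and
# comes from your user store; it is never derived here.
DEMO_NT_HASH = (1..16).to_a.pack('C*')
USER_DB = { ['CORP', 'alice'] => DEMO_NT_HASH } # hypothetical store: [domain, user] => NT hash

FILETIME_EPOCH_OFFSET = 11_644_473_600 # seconds between 1601-01-01 and 1970-01-01

def utf16(s)
  s.encode('UTF-16LE').b
end

# NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPERCASE(user) + domain))
def ntowf_v2(nt_hash, user, domain)
  OpenSSL::HMAC.digest('MD5', nt_hash, utf16(user.upcase + domain))
end

# Client side: NtChallengeResponse = NTProofStr || temp, where
# NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp).
def ntlmv2_response(nt_hash, user, domain, server_challenge,
                    client_challenge: SecureRandom.random_bytes(8), time: Time.now)
  filetime = (time.to_i + FILETIME_EPOCH_OFFSET) * 10_000_000
  # AV pairs: MsvAvNbDomainName (id 2) followed by MsvAvEOL (id 0)
  av_pairs = [2, utf16(domain).bytesize].pack('vv') + utf16(domain) + [0, 0].pack('vv')
  temp = "\x01\x01".b + ("\0".b * 6) + [filetime].pack('Q<') + client_challenge +
         ("\0".b * 4) + av_pairs + ("\0".b * 4)
  OpenSSL::HMAC.digest('MD5', ntowf_v2(nt_hash, user, domain), server_challenge + temp) + temp
end

# Constant-time comparison so a wrong proof is not distinguishable byte by byte.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute the proof from the stored hash, the challenge this
# connection was given, and the temp blob the client sent, then bound the
# client timestamp to limit replay of a captured response (added check).
def verify_ntlmv2(nt_hash, user, domain, server_challenge, nt_response, now: Time.now, max_skew: 300)
  return false if nt_hash.nil? || server_challenge.bytesize != 8 || nt_response.bytesize < 48
  proof, temp = nt_response[0, 16], nt_response[16..-1]
  expected = OpenSSL::HMAC.digest('MD5', ntowf_v2(nt_hash, user, domain), server_challenge + temp)
  return false unless secure_equal(proof, expected)
  sent_at = temp[8, 8].unpack1('Q<') / 10_000_000 - FILETIME_EPOCH_OFFSET
  (now.to_i - sent_at).abs <= max_skew
end

# What a middleware would do with the domain, user and NT response taken from
# a Type-3 message and the challenge it issued on that connection.
def check_type3(db, domain, user, server_challenge, nt_response)
  verify_ntlmv2(db[[domain, user]], user, domain, server_challenge, nt_response)
end
```

A response for a different challenge, a different user or domain, a different NT hash, a tampered proof, a truncated blob or an hour-old timestamp all fail; only the exact challenge the server handed out on that connection, combined with the stored hash and the client's own temp blob, reproduces the proof.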
Transparent authentication with NTLM.
In your Gemfile add:
gem 'rack-ntlm', :git => 'git://github.com/lukefx/rack-ntlm.git'
Then add rack-ntlm to the middleware chain in config/application.rb (Rails 3):
config.middleware.use 'Rack::Ntlm', {
  :uri_pattern   => /\/login/,                     # default = /\// (any URL)
  :host          => '<Active Directory hostname>',
  :port          => 389,                           # default = 389
  :base          => '<base DN for the LDAP search>',
  :search_filter => '(dn=%1)',                     # default = (sAMAccountName=%1); %1 = user name from the Type-3 message
  :auth          => {
    :username => '<username to bind to LDAP>',
    :password => '<password to bind to LDAP>'
  }
}
Credits to @dtsato for this configuration and its defaults.
NTLM is a transparent (single sign-on) authentication scheme developed by Microsoft. It requires your web server to use HTTP keep-alive, because the handshake consists of six messages (three round-trips) that must all travel over the same TCP connection: the server ties the challenge it issued in the Type-2 message to that connection, and the Type-3 message that answers it is only meaningful on the same connection.
1. C => S  GET ...

2. C <= S  401 Unauthorized
           WWW-Authenticate: NTLM

3. C => S  GET ...
           Authorization: NTLM <base64-encoded Type-1 message>

4. C <= S  401 Unauthorized
           WWW-Authenticate: NTLM <base64-encoded Type-2 message>

5. C => S  GET ...
           Authorization: NTLM <base64-encoded Type-3 message>

6. C <= S  200 OK
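The six-step exchange above, implemented end to end as an added example (not rack-ntlm's own code): a Rack-style middleware that advertises NTLM, issues the Type-2 challenge and parses the Type-3 message, plus a fake client that drives the three round-trips over one simulated connection. The class name `NtlmHandshake`, the `ntlm.connection_id` env key standing in for the keep-alive connection, the target name and the identity `CORP\alice` from `WS01` are assumptions for the demo. Like the gem, this code does not verify the Type-3 response: the client sends 24 bytes of junk as its NT response and still gets a 200, which is exactly the gap the warning at the top describes.

```ruby
require 'base64'
require 'securerandom'

# Added example, not rack-ntlm code: a minimal NTLM-over-HTTP handshake.
NTLM_SIGNATURE    = "NTLMSSP\0".b
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET    = 0x00000004
NEGOTIATE_NTLM    = 0x00000200

# Security buffer: uint16 length, uint16 max length, uint32 offset from message start.
def sec_buf(msg, pos)
  len, _max, off = msg[pos, 8].unpack('vvV')
  msg[off, len] || ''.b
end

def type1_message
  flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | REQUEST_TARGET
  [NTLM_SIGNATURE, [1].pack('V'), [flags].pack('V'),
   [0, 0, 32].pack('vvV'), [0, 0, 32].pack('vvV')].join.b
end

# Type 2 carries the 8-byte server challenge at offset 24.
def type2_message(challenge, target = 'EXAMPLE')
  name  = target.encode('UTF-16LE').b
  flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | REQUEST_TARGET
  [NTLM_SIGNATURE, [2].pack('V'), [name.bytesize, name.bytesize, 48].pack('vvV'),
   [flags].pack('V'), challenge, "\0".b * 8, [0, 0, 48 + name.bytesize].pack('vvV'), name].join.b
end

# Type 3: six security buffers, then flags, then the payload they point into.
def type3_message(domain:, user:, workstation:, nt_response:, lm_response: "\0".b * 24)
  u16    = ->(s) { s.encode('UTF-16LE').b }
  fields = [lm_response, nt_response, u16[domain], u16[user], u16[workstation], ''.b]
  offset = 64
  bufs = fields.map { |f| b = [f.bytesize, f.bytesize, offset].pack('vvV'); offset += f.bytesize; b }
  [NTLM_SIGNATURE, [3].pack('V'), *bufs, [NEGOTIATE_UNICODE | NEGOTIATE_NTLM].pack('V'), *fields].join.b
end

# Pull the claimed identity out of a Type 3 message. Nothing here proves it.
def parse_type3(msg)
  raise ArgumentError, 'not an NTLM Type 3 message' unless msg[0, 8] == NTLM_SIGNATURE && msg[8, 4].unpack1('V') == 3
  enc  = (msg[60, 4].unpack1('V') & NEGOTIATE_UNICODE).zero? ? 'ASCII-8BIT' : 'UTF-16LE'
  text = ->(pos) { sec_buf(msg, pos).force_encoding(enc).encode('UTF-8') }
  { domain: text[28], user: text[36], workstation: text[44],
    lm_response: sec_buf(msg, 12), nt_response: sec_buf(msg, 20) }
end

class NtlmHandshake
  def initialize(app)
    @app = app
    @challenges = {} # one challenge per connection: NTLM binds the handshake to the TCP connection
  end

  def call(env)
    conn   = env.fetch('ntlm.connection_id') # hypothetical stand-in for the keep-alive connection
    header = env['HTTP_AUTHORIZATION'].to_s
    return [401, { 'WWW-Authenticate' => 'NTLM' }, []] unless header.start_with?('NTLM ')
    msg = Base64.strict_decode64(header[5..-1])
    case msg[8, 4].unpack1('V')
    when 1
      @challenges[conn] = SecureRandom.random_bytes(8)
      [401, { 'WWW-Authenticate' => "NTLM #{Base64.strict_encode64(type2_message(@challenges[conn]))}" }, []]
    when 3
      challenge = @challenges.delete(conn) # single use, same connection only
      return [401, { 'WWW-Authenticate' => 'NTLM' }, []] unless challenge
      env['ntlm.challenge'] = challenge
      env['ntlm.identity']  = parse_type3(msg) # unverified claim, exactly as with the gem
      @app.call(env)
    else
      [400, { 'Content-Type' => 'text/plain' }, ['unexpected NTLM message type']]
    end
  end
end

# Drive the three round-trips over one simulated connection and return the outcome.
def run_handshake(user: 'alice', domain: 'CORP', workstation: 'WS01', nt_response: 'x'.b * 24)
  app  = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["hello #{env['ntlm.identity'][:user]}"]] }
  mw   = NtlmHandshake.new(app)
  base = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/login', 'ntlm.connection_id' => 'conn-1' }
  transcript = []
  status, headers, = mw.call(base.dup)                                                   # steps 1-2
  transcript << [status, headers['WWW-Authenticate']]
  auth = "NTLM #{Base64.strict_encode64(type1_message)}"
  status, headers, = mw.call(base.merge('HTTP_AUTHORIZATION' => auth))                  # steps 3-4
  transcript << [status, headers['WWW-Authenticate']]
  challenge = Base64.strict_decode64(headers['WWW-Authenticate'][5..-1])[24, 8]
  t3   = type3_message(domain: domain, user: user, workstation: workstation, nt_response: nt_response)
  env3 = base.merge('HTTP_AUTHORIZATION' => "NTLM #{Base64.strict_encode64(t3)}")
  status, _headers, body = mw.call(env3)                                                # steps 5-6
  transcript << [status, body.join]
  { status: status, challenge: challenge, identity: env3['ntlm.identity'], transcript: transcript }
end
```

The middleware keys its outstanding challenge on the connection and deletes it when the Type-3 message arrives, so a Type-3 message on a connection that never received a Type-2 message is bounced back to step 2; that is the behaviour that breaks when a proxy or a non-keep-alive server splits the exchange across connections.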