| Name | NTLM Authenticator |
|---|---|
| Version | 1.5.1 |
| Product Versions | Confluence v2.3 to v2.8.0 |
| Author(s) | Daniel Pavel, Stefan Farthofer, Elliot Braham, Andy Brook |
| Homepage | here, there is also a FAQ |
| Price | Free |
| License | BSD |
| Support | Supported (by Atlassian) only with the Sharepoint Connector for Confluence |
| Source | http://svn.atlassian.com/svn/public/contrib/confluence/libraries/ntlmauth/trunk |
| Download | stable 1.5, latest version stable 1.5.1, unstable 1.5.2-snapshot (depends on ldaputils-1.0.12-SNAPSHOT.jar) |
| IssueTracking | http://developer.atlassian.com/jira/browse/NTLM |
Description/Features
An NTLM authenticator for Confluence that uses Confluence's LDAP User Management. It also creates authenticated users; all authenticated users are automatically registered with the confluence-users group. Based heavily on Daniel Pavel's NTLM Authentication for JIRA. It depends on another library, the LDAP Util library, which provides LDAP access via the configuration in osuser.xml or atlassian-user.xml.
Install
In order to do this you need to have LDAP authentication setup and working (hint: forget NTLM until basic LDAP authentication is working!). See LDAP User Management for more details.
To install the Confluence ntlmauth package, you need to perform the following steps after enabling Confluence's LDAP User Management.
Standalone vs Deployed war
How you configure a plugin will differ between the Tomcat standalone and the deployed war. The standalone version requires you to make changes in confluence/WEB-INF/..., whereas the deployed version (where you have the source and can build your own wars) has the convention of putting changes into edit-webapp/WEB-INF... The instructions below will just refer to WEB-INF, whichever is applicable to you.
Please back up your configuration files before modifying them.
Get the main ntlm JAR
Download the latest ntlmauth jar from above, add it to the WEB-INF/lib folder.
Get the dependent JARs
This plugin has two dependencies that need to be added to the WEB-INF/lib folder:
- jcifs - get latest (was jcifs-1.2.24.jar) from http://jcifs.samba.org/src/ (get the jar, or unpack from an archive)
- ldaputil - get latest (was 1.0.11) from http://svn.atlassian.com/svn/public/contrib/confluence/libraries/ldaputil/jars (this needs to have a property file modified, see later)
Update the web.xml file
For stand-alone instances, just edit the file (you backed it up, right?). For built wars, copy confluence/WEB-INF/web.xml to edit-webapp/WEB-INF/; edits there then override the default.
Now add the following at the end of the list of filters:
```xml
<filter>
  <filter-name>ntlm</filter-name>
  <filter-class>com.jnj.confluence.NTLMFilter</filter-class>
</filter>
```
Additionally you need to add a filter mapping for the NTLM filter just before the "login" filter mapping:
```xml
<filter-mapping>
  <filter-name>ntlm</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
Update the seraph-config.xml file
Change the authenticator in your confluence/WEB-INF/classes/seraph-config.xml file by replacing the existing authenticator element with:
```xml
<authenticator class="com.jnj.confluence.NTLMAwareAuthenticator"/>
```
LDAP Utils configuration
Although you don't have to specify any LDAP configuration per se, some choices are available, such as using the 'atlassian-user' (default) or 'osuser' configuration; if you want to change anything you need to unpack the ldaputil jar and edit ldaputils.properties.
TODO:// need to update this to reflect current code
Unpack the ldaputil JAR and edit the ldaputil.properties file. At the very least you will need to specify the ldaputil.ldap.searchBase property; the ldapAttribute keys should reflect your LDAP schema or your atlassian-user.xml config. Repack the jar and overwrite the original.
| Key | Default | Description |
|---|---|---|
| ldaputil.providerType | atlassian-user | use atlassian user config |
| ldaputil.osuser.providerClass | com.opensymphony.user.provider.ldap.LDAPCredentialsProvider | the provider class containing the ldap configuration in osuser.xml |
| ldaputil.ldap.searchBase | REQUIRED | along the lines of 'DC=something, DC=other' |
| ldaputil.ldap.emailLdapAttribute | Mail | this is AD specific, configure as appropriate |
| ldaputil.ldap.userIdLdapAttribute | sAMAccountName | User account ID, this is AD specific, configure as appropriate |
| ldaputil.ldap.firstNameAttribute | givenName | First Name, this is AD specific, configure as appropriate |
| ldaputil.ldap.lastNameAttribute | sn | Surname, this is AD specific, configure as appropriate |
| ldaputil.ldap.narrowingFilterExpression | (objectclass=user) | this can be used to restrict the ldap lookup |
| ldaputil.ldap.fullNameFormat | 0 | Lastname, Firstname |
| ldaputil.ldap.forceUserIDCase | 2 | reflect stored value |
| ldaputil.ldap.subtreeScope | 2 | subtree scope |
Restarting
For Tomcat you should just be able to restart Confluence. For built wars, you naturally have to rebuild and redeploy the war.
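Before restarting, it is worth checking that the three edits above are consistent: the ntlm filter is declared in web.xml with its mapping ahead of the "login" mapping, seraph-config.xml names the NTLM-aware authenticator, and ldaputil.properties has a searchBase. The script below is an added example (not part of the ntlmauth plugin) that performs those checks over constructed sample files; the sample file contents and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NTLM_FILTER_CLASS = "com.jnj.confluence.NTLMFilter"
NTLM_AUTHENTICATOR = "com.jnj.confluence.NTLMAwareAuthenticator"


def _local(tag):
    # Strip any XML namespace so '{ns}filter' matches 'filter'
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return a list of problems (empty means OK): the ntlm <filter> must exist
    with the right class and its <filter-mapping> must precede the 'login' one."""
    root = ET.fromstring(xml_text)
    filters, mapping_order = {}, []
    for child in root:
        kids = {_local(s.tag): (s.text or "").strip() for s in child}
        if _local(child.tag) == "filter":
            filters[kids.get("filter-name")] = kids.get("filter-class")
        elif _local(child.tag) == "filter-mapping":
            mapping_order.append(kids.get("filter-name"))
    problems = []
    if filters.get("ntlm") != NTLM_FILTER_CLASS:
        problems.append("web.xml: missing <filter> 'ntlm' with class " + NTLM_FILTER_CLASS)
    if "ntlm" not in mapping_order:
        problems.append("web.xml: missing <filter-mapping> for 'ntlm'")
    elif "login" in mapping_order and mapping_order.index("ntlm") > mapping_order.index("login"):
        problems.append("web.xml: the 'ntlm' filter-mapping must come before the 'login' mapping")
    return problems


def check_seraph_config(xml_text):
    """Exactly one <authenticator> is expected, pointing at the NTLM-aware class."""
    root = ET.fromstring(xml_text)
    found = [e.get("class") for e in root.iter() if _local(e.tag) == "authenticator"]
    if found != [NTLM_AUTHENTICATOR]:
        return ['seraph-config.xml: expected one <authenticator class="%s"/>, found %s'
                % (NTLM_AUTHENTICATOR, found)]
    return []


def check_ldaputil_properties(text):
    """searchBase is the one property the table above marks REQUIRED."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    base = props.get("ldaputil.ldap.searchBase", "")
    if not base or base.upper() == "REQUIRED":
        return ["ldaputil.properties: set ldaputil.ldap.searchBase (e.g. DC=example,DC=com)"]
    return []


# Constructed sample inputs (not from a real install) mirroring the edits above.
SAMPLE_WEB_XML = """<web-app>
  <filter><filter-name>ntlm</filter-name><filter-class>com.jnj.confluence.NTLMFilter</filter-class></filter>
  <filter-mapping><filter-name>ntlm</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>login</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
SAMPLE_SERAPH = '<security-config><authenticator class="com.jnj.confluence.NTLMAwareAuthenticator"/></security-config>'
SAMPLE_PROPS = "ldaputil.providerType=atlassian-user\nldaputil.ldap.searchBase=DC=example,DC=com\n"


def check_all(web_xml, seraph_xml, props_text):
    """Aggregate report; an empty list means the three files look consistent."""
    return check_web_xml(web_xml) + check_seraph_config(seraph_xml) + check_ldaputil_properties(props_text)
```

Run `check_all` on the real files read from WEB-INF and fix anything it lists before restarting.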
Version History
| Version | Details |
|---|---|
| 1.3 | |
| 1.4 | |
| 1.5 | |
| ? | |
Open Issues
| Key | Summary | Assignee | Reporter | Resolution | Created | Updated |
|---|---|---|---|---|---|---|
| NTLM-14 | Multiple Domain Malfunction | Andy Brook | Sir Blue Notes | UNRESOLVED | Aug 26, 2008 | Aug 27, 2008 |
| NTLM-13 | NTLM works when I login on the application server it self but fails if I log in from a remote machine. | Andy Brook | David Van Ronk | UNRESOLVED | Aug 13, 2008 | Aug 24, 2008 |
| NTLM-10 | New users are not added to 'confluence-users' group automatically if already exist in the external_entities table | Andy Brook | Melly ISMIK | UNRESOLVED | Jun 25, 2008 | Aug 10, 2008 |
| NTLM-7 | NTLM configuration | Andy Brook | david | UNRESOLVED | Apr 01, 2008 | Aug 10, 2008 |
| NTLM-2 | make this plugin work the RPC/SOAP interface | Andy Brook | Jamie Echlin | UNRESOLVED | Sep 05, 2007 | Aug 10, 2008 |
misc stuff
Possible problem with IE6 (in my experience/environment it does not work); IE7 seems to work fine.
Logging
If you want to see what's going on under the hood, update the log4j.properties file in WEB-INF/classes with:
```properties
#
# LDAP UTILS
#
log4j.logger.com.dolby.confluence.net.ldap=DEBUG, confluencelog
log4j.additivity.com.dolby.confluence.net.ldap=false
log4j.logger.com.dolby.confluence.net.ldap.atlassianuser=DEBUG, confluencelog
log4j.additivity.com.dolby.confluence.net.ldap.atlassianuser=false
# osuser logger writes to the same appender; additivity is off so lines are not duplicated
log4j.logger.com.dolby.confluence.net.ldap.osuser=DEBUG, confluencelog
log4j.additivity.com.dolby.confluence.net.ldap.osuser=false
#
# NTLMAUTH
#
log4j.logger.com.jnj.confluence=DEBUG, confluencelog
log4j.additivity.com.jnj.confluence=false
```

Comments (167)
Mar 09, 2007
senthilraja says:
Hi,
we have deployed Confluence on a Linux box. Will this plugin work for us?
Note:
The Linux box is currently not added to AD domains.
May 16, 2007
Elliot Braham says:
Probably. Let me know how you go!
Apr 20, 2007
Eric Bardoux says:
Hi,
I've strictly followed the instructions.
Once I've finished, I've restarted Confluence. When I then go to the Confluence home page, I still have the login page, and whatever login I enter (hibernate or LDAP one), I stay on the login page, with no error message and no trace in the log files.
Any idea?
Thanks
Eric
Apr 20, 2007
Eric Bardoux says:
More strange:
I tried to roll back seraph and web.xml, and restarted Confluence. And I can't log in any more either!
May 14, 2007
Martin Cleaver says:
Should the following work in log4j.properties? It doesn't for me. I want to trace the authentication request parameters.
Also, it is not clear as to whether I must be using IIS (I am) and what options in IIS should be selected (e.g. Integrated Windows Authentication)
May 15, 2007
Elliot Braham says:
Hi Martin,
I'm using this on Confluence 2.3.3 Standalone with LDAP User management without any issues. I've never tried it on IIS.
Regards, Elliot
May 16, 2007
Andy Brook says:
I have Confluence 2.5.1, running in jboss405 (my normal, proven server), running on a 32bit Ubuntu 6.10 VM. Using the plugin in combination with
Using the attached JAR I get a stack on the server. I'm not fully conversant with jcifs or NTLM but have done some LDAP work. I'm under the impression this plugin only currently works if Confluence is deployed on a Windows box and is not usable on any other platform.
My stack with the default ntlmauth jar:
```
11:18:39,703 WARN SMBHelper Could not connect to localhost's Windows authentication source!
11:18:39,704 ERROR [action] Servlet.service() for servlet action threw exception
java.lang.NullPointerException
	at jcifs.smb.SmbTransport.matches(SmbTransport.java:150)
	at jcifs.smb.SmbTransport.getSmbTransport(SmbTransport.java:49)
	at jcifs.smb.SmbTransport.getSmbTransport(SmbTransport.java:38)
	at jcifs.smb.SmbSession.getChallenge(SmbSession.java:145)
	at com.jnj.confluence.SMBHelper.getDCChallenge(SMBHelper.java:136)
	at com.jnj.confluence.NTLMWebHelper.doNTLM(NTLMWebHelper.java:91)
	at com.jnj.confluence.NTLMFilter.doFilter(NTLMFilter.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:35)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.springframework.orm.hibernate.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:172)
	at com.atlassian.spring.filter.FlushingSpringSessionInViewFilter.doFilterInternal(FlushingSpringSessionInViewFilter.java:29)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:122)
	at com.atlassian.core.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:27)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.confluence.util.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:25)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.core.filters.gzip.GzipFilter.doFilter(GzipFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
```
I took the source code and, after failing miserably to figure out how to load a properties file in JBOSS, hardwired a hostname field pointing to our network AD server. Logging in with an XP/Firefox combo (i.e. YES the authentication bit worked) prompted me for a user/pass; subsequent launches re-require a login (isn't NTLM supposed to fix that?).
Even more strange is using XP/IE6 to the same server: IE6 doesn't present me with a login box and shows me the Confluence front page with the option to login. Also, when this same user, a non-existing user (in Confluence) but existing in AD, tried to login, they were told they couldn't login (i.e. the confluence-user auto-add bit doesn't appear to work either).
This plugin seems to be heading in the right direction but I can't get it to do something useful. If anyone has a positive experience I'd like to hear it.
There's no issue tracking link on this item so this will have to do for now. It just does not work in my (pretty typical) environment.
Comments?
May 16, 2007
Elliot Braham says:
Hi Andy,
Firefox doesn't handle NTLM very well. Check out this page to get NTLM to work on Firefox: http://www.testingreflections.com/node/view/1365
With IE it should handle the login automatically. There is a small bug: if you go directly to /dashboard.action it doesn't log you in, but a refresh does. You can always go to / and it will log you in.
If a user is not in confluence-users it will add them.
I think you've basically got it working, if you say that it logs you in after typing in the username/password on Firefox.
Let me know how you go trying http://confluence-server/ (or whatever) in IE.
Regards, Elliot
Jan 22, 2008
Andy Brook says:
Hi Elliot,
For starters, I now have fully functional NTLM authentication for Confluence for Windows and Linux/Firefox clients (thanks for the link).
I did have to customize the code a little, and there are a few funnies I found along the way, which I'll list here for anyone else playing with it.
For anyone wanting to do similar things, I had it compiling happily in eclipse (no maven2 build yet!), The dependencies seem to have got listed under screenshots above:
Code changes required:
In order to point the NTLMAwareAuthenticator to my local Windows Active Directory box I needed to rework the SMBHelper static block to provide a server name; the existing code does some interface enumerations I don't fully understand, which always return localhost, which won't work for most people. My modified code is below (I would have used a properties file but I'm temporarily defeated by jboss class-loaders!); the Enumeration stuff is basically bypassed if the server is set:
Things to remember /bugs
1. Firefox (any platform) requires a configuration setting to allow NTLM to provoke firefox into putting up a Basic Auth login box, this then needs to have the 'DOMAIN\user' and 'password' combo set for the domain against which we are authenticating. To restate, setting up firefox for NTLM, in short is done through 'about:config', filter on 'ntlm' and modify 'network.automatic-ntlm-auth.trusted-uris' to include the hostname of the server running confluence.
2. When the NTLMAuthenticator is in place it was not possible to initialize a fresh confluence install, I got the following in the server log whether using a Linux/Firefox or XP/IE combo browser (interesting stuff towards the bottom):
May 22, 2007
Andy Brook says:
I've had requests for the actual source code; I'll post here for anyone wanting to point to an LDAP (e.g. Active Directory) server on another server. It will need to be built, and SMBHelper must be updated to reflect your server. If someone can show me how to load a properties file with the servername in then great; I tried a few routes but got bored.
See attached jar: [Updated Source Jar|^updatedSourceForRemoteLDAPserver.jar], which has been used on a Linux server pointing to an AD authenticator successfully. Great work by the author; I'm surprised Atlassian isn't taking this in as part of their authenticator line up....
May 22, 2007
Eric Bardoux says:
The good thing would be to use the ldap server that is already set up in the atlassian-users.xml file.
Anyway, thanks for your work, i will check if i can have it working in my environment.
Jun 04, 2007
Neil Middleton says:
We are having issues with this - and getting the error:
ERROR [http-999-Processor22] [com.jnj.confluence.NTLMWebHelper] doNTLM logon failed: A duplicate name exists on the network.
I've no idea if it's relevant or not, but our JIRA install is on http://jiraserver:999 and Confluence is http://jiraserver:999/confluence
Jun 19, 2007
Andy Brook says:
Re: Duplicate name.
This is a little cryptic, but what I've seen is that if you use a DNS alias for your LDAP server, e.g. to save hard coding one in your app you use 'myldapserver' and add a local hosts entry to point to the correct one, well, apparently this fact causes a duplicate name exception to be thrown during the NTLM conversation. My fix: use the hostname. Even though my original LDAP configuration in atlassian-user.xml worked with the alias, the NTLM did not.
Re:atlassian-user.xml
Um, yea, this code didn't do the 'auto create an authenticated user' thing; I leveraged someone's code for that and added it here. I've done that, and am about 1/2 a day away from adding the LDAP lookup code to parse the atlassian-user.xml file.
We should try to put this stuff under source control somewhere, I can't remember if Atlassian offers this or not... I'll be sure to post when all is working, probably next few days, for anyone who's interested, and to keep my end of the OpenSource bargain.
Jun 25, 2007
Andy Brook says:
NTLM Authenticator + User creator + group-joiner
OK here is the final update to the original code; based on this project's code it does the following:
Notable source changes:
I didn't need the network interface detection code/ couldn't figure out the point of it so I've commented it out. Other changes relate to plumbing for LDAP derived configuration for SMB auth server and code stuff like bracketing, logging and documentation.
Summary
This provides a 0 effort process for new users - they just go there and get created. It solves all my current security headaches, especially for security configuration migration, where I really don't want to key in hundreds of users. A test server I used this on just lists users who don't exist (yet) by their ID rather than name. Once they have logged in, the cross reference can be made and all works as expected.
Future stuff
Coming full circle I'm going to retro fit this stuff back to deliver the same for JIRA.
Files
As no configuration is required within the NTLM jar, I can provide a JAVA-5 compiled [Binary|^ntlm-autoreg.jar] as well as [Source|^src-ntlm-autoreg.jar].
Jun 25, 2007
Scott J. Geertgens says:
This may be redundant, but just so you're aware... the JIRA NTLM plugin actually already does all the above (auto-creation of users, auto-adding to jira-users (or other specified groups), etc.).
Jun 26, 2007
Andy Brook says:
Yes I have that up and running, it works fine and does what's needed. My thoughts were for a zero LDAP config solution based on the osuser.xml file rather than duplicating picky LDAP stuff. The JIRA plugin is certainly more advanced and handles multiple DOMAINS, as well as allowing per domain user creation. But that's JIRA and I'm not that familiar with what code is JIRA specific and what's common for Confluence use.
Given I've done the tricky bit of parsing the osuser file, creating a modified Authenticator to make use of this would provide most SME size companies with a no-brainer solution for what must be a common need (given my experience!). That would allow one jar to be dropped into either application and configured appropriately.
I don't really need to write it and may do so if I have the time - I may leave that extension to others.
Jun 25, 2007
Elliot Braham says:
Wow Andy!
Sounds like you've done a fantastic job. When I get a chance I'm going to test it out!
Is the NTLM configuration parsed from osuser.xml or atlassian-user.xml?
Regards, Elliot
Jun 26, 2007
Andy Brook says:
Hi Elliot,
It parses osuser.xml, which I think is 'current' - correct me if I'm wrong? The code is structurally identical to the original but has been _bracketed_ (a personal hate of mine!).
I'm migrating our users from a nightmare of AD mailing lists and mangled AD group names and trying to advocate the principle of maximum authority for confluence-users, internally. This code means I have 0 manual overhead for the common case.
A source code repository would be useful for this stuff - do Atlassian support this? It's not really worth sourceforging.
andy
Jun 27, 2007
Eric Bardoux says:
Well hum, euh... for a standard configuration of Confluence, all the connection information to the LDAP is in the atlassian-users.xml. See below for my own example.
Great job anyway, I'm pretty sure you are close to the perfect NTLM authenticator.
```xml
<atlassian-user>
  <repositories>
    <!-- Default confluence user repository -->
    <!--
    <osuser key="osuserRepository" name="OSUser Repository"/>
    -->
    <!-- LDAP repository -->
    <ldap key="ldapRepository" name="pasteur GC" cache="true">
      <host>url.pasteur.com</host>
      <port>3268</port>
      <securityPrincipal>CN=-----------,OU=System Accounts,OU=FR Lyon HQ,DC=pasteur,DC=aventis,DC=com</securityPrincipal>
      <securityCredential>---------</securityCredential>
      <securityAuthentication>simple</securityAuthentication>
      <securityProtocol>plain</securityProtocol>
      <baseContext>DC=aventis,DC=com</baseContext>
      <baseUserNamespace>DC=aventis,DC=com</baseUserNamespace>
      <baseGroupNamespace>DC=aventis,DC=com</baseGroupNamespace>
      <usernameAttribute>sAMAccountName</usernameAttribute>
      <userSearchFilter>(objectClass=person)</userSearchFilter>
      <firstnameAttribute>givenName</firstnameAttribute>
      <surnameAttribute>sn</surnameAttribute>
      <emailAttribute>mail</emailAttribute>
      <groupnameAttribute>cn</groupnameAttribute>
      <groupSearchFilter>(objectClass=group)</groupSearchFilter>
      <membershipAttribute>member</membershipAttribute>
    </ldap>
    <hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" />
  </repositories>
</atlassian-user>
```