[PATCH] mod_auth_ntlm_winbind - support for REMOTE_USER lookahead when reverse proxy

Michael Baltaks mbaltaks at gmail.com
Thu Apr 5 09:34:09 GMT 2007


Hi,

Here is a patch that allows using %{LA-U:REMOTE_USER} in rewrite rules 
when in reverse proxy mode and authenticating with mod_auth_ntlm_winbind.

It works for me with apache httpd 2.2.4 as a reverse proxy in front of a 
zope / plone server, tested with several browsers on multiple platforms.

-Michael.
-------------- next part --------------
Index: mod_auth_ntlm_winbind.c
===================================================================
--- mod_auth_ntlm_winbind.c     (revision 302)
+++ mod_auth_ntlm_winbind.c     (revision 304)
@@ -120,6 +120,7 @@
     char *auth_type;
     apr_pool_t *pool;
     int keepalives; /* used to detect redirected auths */
+    request_rec * r_main; /* track the main request if this is a subreq */
 };
 
 struct _ntlm_child_stuff {
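Review bot: The new `r_main` field stores a `request_rec *` in a struct that is compared against "last time" in the second hunk, so the pointer outlives the request it came from and dangles once that request's pool is destroyed. The second hunk only ever tests it for non-NULL, so an `int` flag (for example `last_was_subreq`, set from `r->main != NULL`) would carry the same information without keeping a stale pointer that a later change might dereference. Minor style point: `request_rec * r_main` does not match the `char *auth_type` spacing of the neighbouring members.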
@@ -718,6 +719,14 @@
         message_type = "KK";
     }
 
+    /* if last time was a subreq, and this isn't, start over */
+    if ( ctxt->connected_user_authenticated->r_main && !r->main )
+    {
+        message_type = "YR";
+        RDEBUG( "resetting NTLM dance" );
+    }
+    ctxt->connected_user_authenticated->r_main = r->main;
+
     /* Decode the information the WWW-Authenticate header */
     if ((client_msg = get_auth_header(r, crec, auth_type)) == NULL) {
         RDEBUG( "client did not return NTLM authentication header");
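Review bot: The added `if` reads `ctxt->connected_user_authenticated->r_main` before the assignment two lines later ever runs, so on the first request over a connection the value is whatever the allocator left there. Please confirm that the struct is zero-initialised where it is allocated, or set `r_main` to NULL explicitly at that point, otherwise the "YR" reset can fire or be skipped at random. The override also replaces `message_type` unconditionally once the condition matches, before the client's header is decoded on the following lines; a short comment stating what the helper is expected to do when it receives "YR" mid-handshake would make the intent reviewable. Style: the `if ( ... )` with the brace on its own line differs from the `if (...) {` form used in the context line just below.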

