quarta-feira, 15 de julho de 2015

Configuring NTLMaps

My server.cfg sample

#========================================================================
[GENERAL]

LISTEN_PORT:5865

# If you want APS to authenticate you at WWW servers using NTLM then just leave this
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
# You can specify more than one proxy by leaving a space between each one, and
# APS will detect when one fails and automatically fail-over to the next. EG:
#PARENT_PROXY:first_proxy second_proxy third_proxy
# And NOTE that NTLM cannot pass through another proxy server.
PARENT_PROXY:yourproxy_IP

PARENT_PROXY_PORT:yourproxy_Port

# APS will poll the upstream proxy and attempt to fail-over to a new one if it doesn't
# get a response within an appropriate time frame.  The amount of time that it will
# wait for a response before attempting fail-over is specified, in seconds, below:
PARENT_PROXY_TIMEOUT:15

# Set to 1 if you want to grant this authorization service to clients from other computers.
# NOTE: all the users from other hosts that will be using you copy of APS for authentication
# will be using your credentials in NTLM auth at the remote host.
ALLOW_EXTERNAL_CLIENTS:1

# If you want to allow some other but not all computers to use your proxy for authorization,
# just set ALLOW_EXTERNAL_CLIENTS:0 and put friendly IP addresses here.
# Use space as a delimiter.
# NOTE that special addesses don't work here (192.168.3.0 for example).
FRIENDLY_IPS:

# Requested URLs are written to "url.log" file. May be useful.
URL_LOG:1

# When a network service listens for connections, there is a maximum number of connection
# attempts to that service that the underlying OS will allow to backlog waiting for a response
# before the OS will start dropping new connection attempts with 'Connection refused'.  The
# standard method of determining the maximum number of backlogged connections is to use the
# SOMAXCONN constant, which is supposed to represent the maximum number that an OS will support
# (for example, 5 on Windows 2000 Pro, and 200 on Windows 2000 server).  However, because this
# is a statically compiled value in a Python distribution, usually this instead represents the
# the most conservative value (5 on all Windows platforms, and 128 on the GNU/Linux variant I
# tried).  So if you are running (for example) a massively threaded/parallel download manager,
# the default value of, say, 5, or whatever SOMAXCONN happens to be set to, may be too low and
# cause some connections to fail.  The value below can be set to any integer (it seems that
# Python just silently caps values above the hard limit for the underlying platform), or it can
# be set to the special value of SOMAXCONN (i.e. MAX_CONNECTION_BACKLOG:SOMAXCONN), to use
# whatever this value happens to be set to in your Python build.  Setting this higher than
# necessary may cause APS to consume more memory than you needed to.
MAX_CONNECTION_BACKLOG:5

#========================================================================
[CLIENT_HEADER]

# This section describes what and how the server should change in the clients headers.
# Made in order to prevent parent proxy from seeing that you are using wget instead of IE5.5

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

# for windows 2000 emulation ;)
# User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT5)

# You can uncomment these chages in client's header to mimic IE5+ better, but in this case
# you may expirience problems with *.html if your client does not really handle compression.
#Accept-Encoding: gzip, deflate

#========================================================================
[NTLM_AUTH]

# Optional value, if leaved blank then APS will use gethostname() to determine
# host's name.
# NOTE1: If you Linux host name differs from Windows host name then it may be that
#        MS server wont recognize you host at all and wont grant you access
#        to resources requested. Then you have to use this option and APS will use
#        this name in NTLM negotiations.
# NOTE2: There are several reports that you can successfully use "foreign" host name
#        here. Say, if user may access a resource from 'host1' and may not from 'host2'
#        then there is a chance that APS running on 'host2' with NT_HOSTNAME:host1 will
#        be able to be granted access to the restricted resource. However use this on
#        you own risk as such a trick may be considered as a hack or something.
NT_HOSTNAME:

# Windows Domain.
# NOTE: it is not full qualified internet domain, but windows network domain.
NT_DOMAIN:yourdomain

# What user's name to use during authorization. It may differ form real current username.
# If you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out.
USER:youruserdomain

# Password. Just leave it blank here and server will request it at the start time,
# or, if you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out, and you *won't* be prompted for a password at start time.
PASSWORD:yourpasswordinblank

# These two options replace old FULL_NTLM option.
# NTLM authentication consists virtually of two parts: LM and NT. Windows95/98 use
# only LM part, WindowsNT/2000 can use NT and LM or just NT part.
# Almost always using just LM part will be enough. I had several reports
# about LM and NT requirement and no about just NT.
# So try to setup 1, 1 only if you have enough reasons to do so and when you understand
# what you are doing.
# 0, 0 is an illegal combination
# NOTE: if you change these options then you have to setup flag option accordingly.
LM_PART:1
NT_PART:1

# Highly experimental option. See research.txt for details.
# LM - 06820000
# NT - 05820000
# LM + NT - 07820000
NTLM_FLAGS: 07820000

# This option makes APS try to translate NTLM authentication to very usual "Basic"
# scheme. Almost all http clients know it. With this option set to 1 user will be requested
# by his browser to enter his credentials and these username and password will be used by
# APS for NTLM authentication at MS Proxy server or Web server.
# In such a case different users can use one runnig APS with their own credentials.
# NOTE1: currently translation works so it allows only one try for entering
#        username/password. If you make a mistake you will have to restart you browser.
# NOTE2: With debug:1 basic username/password will be written in log file in clear
#        text format. I could try hide it, but the basic scheme is so weak that anybody
#        who had access to APS would be able to get it.
NTLM_TO_BASIC:1

#========================================================================
[DEBUG]

# Set this to 1 if you want to see debug info in many log files. One per connection.
DEBUG:0

# Set this to 1 to get even more debug info.
BIN_DEBUG:0

# Set this to 1 to see some strange activity on screen. Actually you won't want it.
SCR_DEBUG:0

# Not actually a debug option but gives you some details on authentication process
# into *.auth logs. Also see research.txt.
AUTH_DEBUG:0



Postar um comentário