httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dan White <>
Subject Re: Kerberos/LDAP/Active Directory
Date Thu, 14 Aug 2008 17:02:01 GMT
John Hosie wrote:
> Is there any module for Apache that will help in performing authentication/authorization
on web services using an Active Directory "registry"? In our environment, when a user logs
into their Windows workstation through Active Directory, I understand they are given a Kerberos
ticket. I understand that there is a way for this ticket to be passed (through client application
code, sent with a URL) to the Apache server module that is providing the service used by the
user. I understand that there should be a way to use that ticket to 1) ensure that the user
is who they say they are; 2) check to see if the user is in the group (arbitrary) that is
allowed to come to this application. I've also been told that using LDAP to go to Active Directory
is the right way to do the server side (Linux based) functions, while the Windows environment
has their own way to put the client side together.
> Is there an example of how do do this somewhere in C code?
> What packages need to be installed on the server?

mod_auth_kerb will let you authenticate an Active Directory user, 
assuming you have everything set up correctly (warning, it's a fairly 
steep learning curve).

I don't know how to test for group membership with that module, but you 
might be able to additionally use mod_authnz_ldap (require-group) to 
accomplish that.

- Dan

View raw message