httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "César Leonardo Blum Silveira" <cesa...@gmail.com>
Subject Re: Kerberos/LDAP/Active Directory
Date Mon, 18 Aug 2008 13:52:03 GMT
On Thu, Aug 14, 2008 at 2:02 PM, Dan White <dwhite@olp.net> wrote:
> John Hosie wrote:
>>
>> Is there any module for Apache that will help in performing
>> authentication/authorization on web services using an Active Directory
>> "registry"? In our environment, when a user logs into their Windows
>> workstation through Active Directory, I understand they are given a Kerberos
>> ticket. I understand that there is a way for this ticket to be passed
>> (through client application code, sent with a URL) to the Apache server
>> module that is providing the service used by the user. I understand that
>> there should be a way to use that ticket to 1) ensure that the user is who
>> they say they are; 2) check to see if the user is in the group (arbitrary)
>> that is allowed to come to this application. I've also been told that using
>> LDAP to go to Active Directory is the right way to do the server side (Linux
>> based) functions, while the Windows environment has their own way to put the
>> client side together.
>>  Is there an example of how do do this somewhere in C code?
>>  What packages need to be installed on the server?
>>
>
> mod_auth_kerb will let you authenticate an Active Directory user, assuming
> you have everything set up correctly (warning, it's a fairly steep learning
> curve).
>

There's also mod_spnego
(http://sourceforge.net/project/showfiles.php?group_id=82781), which
works Unix and Windows.

> I don't know how to test for group membership with that module, but you
> might be able to additionally use mod_authnz_ldap (require-group) to
> accomplish that.
>
> - Dan
>



-- 
César L. B. Silveira
http://www.cesarbs.org/blog

Mime
View raw message