httpd-users mailing list archives

From "Ralf Glauberman" <rglauber...@michaeli-gymnasium.de>
Subject Re: [users@httpd] Authentication question and ideas requested.
Date Sun, 07 Nov 2004 17:04:01 GMT
You have to use a service account to search for the user; the 
password verification is done with the username and password the user entered. 
Why is it impossible to create a service account for this?

----- Original Message ----- 
From: "Eric Ladner" <eric.ladner@gmail.com>
To: <users@httpd.apache.org>
Sent: Sunday, November 07, 2004 4:37 PM
Subject: Re: [users@httpd] Authentication question and ideas requested.


> Unfortunately, I can't use mod_auth_ldap because the NT weenies in the
> corp won't allow anonymous credential verification against their AD
> servers (i.e. you have to have a username and password to check
> somebody's username and password).
>
> Unless you know a way around this without having to create a service
> account (which the NT weenies won't let me do, either) or dropping my
> username/password in a file every 90 days.
>
> Thanks for the response though!  Keep the ideas flowing!
>
>
> On Sun, 7 Nov 2004 16:28:16 +0100, Ralf Glauberman
> <rglauberman@michaeli-gymnasium.de> wrote:
>> The answer is mod_auth_ldap. It connects directly to the AD servers and 
>> does
>> the authentication, supporting AD groups. It also supports multiple DCs, so
>> you can have redundancy. If you have further questions, just ask.
>> Ralf
>>
>>
>>
>> ----- Original Message -----
>> From: "Eric Ladner" <eric.ladner@gmail.com>
>> To: <users@httpd.apache.org>
>> Sent: Sunday, November 07, 2004 3:57 PM
>> Subject: [users@httpd] Authentication question and ideas requested.
>>
>> > Got a problem.. Need some help..
>> >
>> > I have an Apache web server running on a UNIX machine at work.
>> > Naturally, the corporate guys are all up in arms and are nit-picking
>> > every little thing that's wrong with it saying that we should trash it
>> > and migrate to IIS.
>> >
>> > I could hold them off if I could overcome the biggest gripe they have
>> > about it:  TRANSPARENT integration with Active Directory
>> > authentication.
>> >
>> > The biggest missing piece is group authentication with the AD servers
>> > for security.  Currently there are content areas on the web server
>> > that are restricted to local site access only for various reasons.
>> > The place where this breaks down is when people from the local site
>> > travel to other sites: they are unable to access the local content
>> > because the security is based on IP ranges for the local site and they
>> > are now sitting somewhere other than the local site.
>> >
>> > I've looked around at several NTLM and SMB authorization modules, but
>> > I haven't been able to pull anything out of the hat yet.  The biggest
>> > gap (that I think exists, anyway) is that most of the modules I've
>> > looked at don't support authentication against an AD Group (i.e. a
>> > directory is accessible by anybody in the NT group "Site Engineers" or
>> > something, and Fred, being a member of "Site Engineers" has access to
>> > the content of that particular directory no matter where he is
>> > currently in the corporation).
>> >
>> > Also, all of the stuff I've looked at so far either provides NTLM
>> > transparent auth, with no AD authentication backend or AD
>> > authentication without the NTLM transparent frontend part.
>> >
>> > Has anybody come up with a solution with this?  IS there a solution to
>> > this?
>> >
>> > Basically, here's my dream scenario:
>> >
>> > Directory secured to group access.  .htaccess contains something like
>> > this:
>> >
>> > [authentication stuff.. blah, blah]
>> > NTLMGroup  SomeNTGroup SomeOtherNtGroup
>> > Require    valid-user
>> >
>> > The usage pattern would be something like this:
>> >
>> > User Fred, belonging to "SomeNTGroup", accesses a private directory on
>> > the web server.  The server is delivered, via NTLM, his desktop login
>> > credentials.  The server (or an authentication module) sees that
>> > authentication is required and looks for a valid user.  Since there
>> > is nothing specified but a group requirement, Fred's group membership
>> > is queried and checked against the specified groups.  The AD server
>> > returns "OK", so the access is permitted.
>> >
>> > Save my Apache server!
>> > --
>> > Eric Ladner
>> >
>> > ---------------------------------------------------------------------
>> > The official User-To-User support forum of the Apache HTTP Server 
>> > Project.
>> > See <URL:http://httpd.apache.org/userslist.html> for more info.
>> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> > For additional commands, e-mail: users-help@httpd.apache.org
>> >
>>
>
>
> -- 
> Eric Ladner
>



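The search-then-bind arrangement Ralf describes (service account to locate the user's DN, then a bind with the credentials the user typed, then an AD group check), written out as an Apache configuration. This is an added example and not code from the thread: it uses the directive names of mod_authnz_ldap in Apache 2.2 and later (the module discussed in 2004 was mod_auth_ldap, with different directive names), and every hostname, DN, group name, account name and path in it is an assumed placeholder.

```apache
# Added example, not from the original thread. Assumed names: the DCs
# dc1/dc2.corp.example.com, the base DN DC=corp,DC=example,DC=com, the
# service account svc-httpd-ldap, the groups "Site Engineers" and
# "Web Admins", and the paths under /var/www and /usr/local/sbin.

# Validate the DC certificates, otherwise user passwords would be sent to
# whatever answers on port 636.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-root-ca.pem
LDAPVerifyServerCert On

<Directory "/var/www/private">
    AuthType Basic
    AuthName "Site Engineers only"
    AuthBasicProvider ldap

    # Two DCs, space-separated in the URL, give the redundancy mentioned in
    # the thread: the module fails over when the first host is unreachable.
    # The attribute/filter part resolves the typed login name (sAMAccountName)
    # to the user's DN; that DN is what the password bind is done against.
    AuthLDAPURL "ldaps://dc1.corp.example.com dc2.corp.example.com/DC=corp,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Service account used only for the search, since AD refuses anonymous
    # search. Give it read access to the user/group subtree and nothing more.
    AuthLDAPBindDN "CN=svc-httpd-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
    # Apache 2.4.5+: obtain the bind password from a program at startup
    # instead of keeping it in plain text in the config file.
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"

    # AD groups list their members as DNs in the "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # AD nests groups; follow "member" links two levels down when checking.
    AuthLDAPSubGroupAttribute member
    AuthLDAPMaxSubGroupDepth 2

    # Members of either group get in, regardless of the client's IP range.
    <RequireAny>
        Require ldap-group CN=Site Engineers,OU=Groups,DC=corp,DC=example,DC=com
        Require ldap-group CN=Web Admins,OU=Groups,DC=corp,DC=example,DC=com
    </RequireAny>
</Directory>
```

Two caveats a practitioner would want: mod_authnz_ldap speaks HTTP Basic, so the browser prompts for the AD username and password over the TLS-protected HTTP connection; it does not provide the NTLM "transparent" front end Eric asked for, and pairing it with a Basic-auth prompt over plain HTTP would send every password in the clear. And the service account's password still has to live somewhere Apache can reach it, which is why the `exec:` form is used above rather than a literal in the config file.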
