httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Ladner <>
Subject [users@httpd] Authentication question and ideas requested.
Date Sun, 07 Nov 2004 14:57:10 GMT
Got a problem.. Need some help..

I have an Apache web server running on a UNIX machine at work. 
Naturally, the corporate guys are all up in arms and are nit-picking
every little thing that's wrong with it saying that we should trash it
and migrate to IIS.

I could hold them off if I could overcome the biggest gripe they have
about it:  TRANSPARENT integration with Active Directory

The biggest missing piece is group authentication with the AD servers
for security.  Currently there are content areas on the web server
that are restricted to local site access only for various reasons. 
The place where this breaks down is when people from the local site
travel to  other sites, they are unable to access the local content
because the security is based on IP ranges for the local site and they
are now sitting somewhere besides the local site.

I've looked around at several NTLM and SMB authorization modules, but
I haven't been able to pull anything out of the hat yet.  The biggest
gap (that I think exists, anyway) is that most of the modules I've
looked at don't support authentication against an AD Group (i.e. a
directory is accessible by anybody in the NT group "Site Engineers" or
something, and Fred, being a member of "Site Engineers" has access to
the content of that particular directory no matter where he is
currently in the corporation).

Also, all of the stuff I've looked at so far either provides NTLM
transparent auth, with no AD authentication backend or AD
authentication without the NTLM transparent frontend part.

Has anybody come up with a solution with this?  IS there a solution to this?

Basically, here's my dream scenario:

Directory secured to group access.  .htaccess contains something like this:

[authentication stuff.. blah, blah]
NTLMGroup  SomeNTGroup SomeOtherNtGroup
Require    valid-user

The usage pattern would be something like this:

User Fred, belonging to "SomeNTGroup" access a private directory on
the web server.  The server is delivered, via NTLM, his desktop login
credentials.  The server (or an authentication module) sees that
authentication is required and looks for a valid-user.    Since there
is nothing specified but a group requirement, Fred's group membership
is queried and checked against the specified groups.  The AD server
returns "OK", so the access is permitted.

Save my Apache server!
Eric Ladner

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message