httpd-users mailing list archives

From Eric Ladner <eric.lad...@gmail.com>
Subject Re: [users@httpd] Authentication question and ideas requested.
Date Sun, 07 Nov 2004 15:37:53 GMT
Unfortunately, I can't use mod_auth_ldap because the NT weenies in the
corp won't allow anonymous credential verification against their AD
servers (i.e. you have to have a username and password to check
somebody's username and password).

Unless you know a way around this without having to create a service
account (which the NT weenies won't let me do, either) or dropping my
username/password in a file every 90 days.

Thanks for the response, though!  Keep the ideas flowing!


On Sun, 7 Nov 2004 16:28:16 +0100, Ralf Glauberman
<rglauberman@michaeli-gymnasium.de> wrote:
> The answer is mod_auth_ldap. It connects directly to the AD servers and does
> the authentication, supporting AD groups. It also supports multiple DCs, so
> you can have redundancy. If you have further questions, just ask.
> Ralf
> 
> 
> 
> ----- Original Message -----
> From: "Eric Ladner" <eric.ladner@gmail.com>
> To: <users@httpd.apache.org>
> Sent: Sunday, November 07, 2004 3:57 PM
> Subject: [users@httpd] Authentication question and ideas requested.
> 
> > Got a problem.. Need some help..
> >
> > I have an Apache web server running on a UNIX machine at work.
> > Naturally, the corporate guys are all up in arms and are nit-picking
> > every little thing that's wrong with it saying that we should trash it
> > and migrate to IIS.
> >
> > I could hold them off if I could overcome the biggest gripe they have
> > about it:  TRANSPARENT integration with Active Directory
> > authentication.
> >
> > The biggest missing piece is group authentication with the AD servers
> > for security.  Currently there are content areas on the web server
> > that are restricted to local site access only for various reasons.
> > The place where this breaks down is when people from the local site
> > travel to other sites: they are unable to access the local content
> > because the security is based on IP ranges for the local site and they
> > are now sitting somewhere besides the local site.
> >
> > I've looked around at several NTLM and SMB authorization modules, but
> > I haven't been able to pull anything out of the hat yet.  The biggest
> > gap (that I think exists, anyway) is that most of the modules I've
> > looked at don't support authentication against an AD Group (i.e. a
> > directory is accessible by anybody in the NT group "Site Engineers" or
> > something, and Fred, being a member of "Site Engineers" has access to
> > the content of that particular directory no matter where he is
> > currently in the corporation).
> >
> > Also, all of the stuff I've looked at so far either provides NTLM
> > transparent auth, with no AD authentication backend or AD
> > authentication without the NTLM transparent frontend part.
> >
> > Has anybody come up with a solution for this?  Is there a solution to
> > this?
> >
> > Basically, here's my dream scenario:
> >
> > Directory secured to group access.  .htaccess contains something like
> > this:
> >
> > [authentication stuff.. blah, blah]
> > NTLMGroup  SomeNTGroup SomeOtherNtGroup
> > Require    valid-user
> >
> > The usage pattern would be something like this:
> >
> > User Fred, belonging to "SomeNTGroup", accesses a private directory on
> > the web server.  The server is delivered, via NTLM, his desktop login
> > credentials.  The server (or an authentication module) sees that
> > authentication is required and looks for a valid-user.  Since there
> > is nothing specified but a group requirement, Fred's group membership
> > is queried and checked against the specified groups.  The AD server
> > returns "OK", so the access is permitted.
> >
> > Save my Apache server!
> > --
> > Eric Ladner
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> 


-- 
Eric Ladner

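As an added example, not a configuration either poster used, here is how the group-restricted directory Eric describes is written for mod_authnz_ldap, the name the 2.0-era mod_auth_ldap Ralf recommends carries from httpd 2.2 onward. Hostnames, the base DN, the group DNs, the CA file path and the bind account are placeholders, not values from the thread. The commented-out variant uses the service account Eric cannot get; the active variant uses AuthLDAPInitialBindAsUser (httpd 2.3.6 and later), so the DN search and the group checks run under the browsing user's own credentials and no service account or stored password is needed:

```apacheconf
# Added example: AD group restriction with mod_authnz_ldap on httpd 2.4.
# dc1/dc2.example.com, DC=example,DC=com, the group DNs, the CA path and
# svc-httpd are assumptions for illustration, not values from the thread.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Basic auth carries the user's AD password, so the LDAP leg must be TLS
# with the DC's certificate verified, and the site itself served over HTTPS.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ca.pem
LDAPVerifyServerCert On

<Directory "/var/www/html/site-engineers">
    AuthType Basic
    AuthName "Site Engineers only"
    AuthBasicProvider ldap

    # Two DCs in one URL for redundancy; ldaps:// for the TLS leg.
    # Users are looked up by sAMAccountName, the NT logon name.
    AuthLDAPURL "ldaps://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Variant 1: a service account performs the DN search (AD rejects the
    # anonymous search Eric mentions); the user's own bind checks the password.
    # The exec: form (httpd 2.4.5+) avoids a plaintext password in the config.
    # AuthLDAPBindDN "CN=svc-httpd,OU=Service Accounts,DC=example,DC=com"
    # AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"

    # Variant 2 (httpd 2.3.6+): no service account at all. The DN search is
    # done by binding as the user with the UPN built from the supplied name,
    # and the authorization searches and compares reuse those credentials.
    AuthLDAPInitialBindAsUser On
    AuthLDAPInitialBindPattern "(.+)" "$1@example.com"
    AuthLDAPSearchAsUser On
    AuthLDAPCompareAsUser On

    # AD stores group members as DNs in the "member" attribute; follow one
    # level of nesting so "Site Engineers" may itself contain groups.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 1

    # The group requirement is the Require line itself; "Require valid-user"
    # would admit any AD account that can bind.
    <RequireAny>
        Require ldap-group CN=Site Engineers,OU=Groups,DC=example,DC=com
        Require ldap-group CN=Site Managers,OU=Groups,DC=example,DC=com
    </RequireAny>
</Directory>
```

This gives the group-based access from any network location that Eric asks for, but via Basic authentication: the browser prompts for the AD username and password on first access rather than passing the desktop login transparently, so it covers the "AD backend" half of the requirement and not the NTLM front end. Because the password travels to the web server, the LDAPS leg and HTTPS on the virtual host are not optional.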

