Return-Path: 
 <users-return-80273-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: (qmail 57449 invoked from network); 18 Apr 2008 18:24:02 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 18 Apr 2008 18:24:02 -0000
Received: (qmail 45533 invoked by uid 500); 18 Apr 2008 18:23:53 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 44593 invoked by uid 500); 18 Apr 2008 18:23:51 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
List-Post: <mailto:users@httpd.apache.org>
List-Id: <users.httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 44582 invoked by uid 99); 18 Apr 2008 18:23:51 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 18 Apr 2008 11:23:51 -0700
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of listacctc@gmail.com
 designates 64.233.184.224 as permitted sender)
Received: from [64.233.184.224] (HELO wr-out-0506.google.com) (64.233.184.224)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 18 Apr 2008 18:23:06 +0000
Received: by wr-out-0506.google.com with SMTP id 57so517775wri.12
        for <users@httpd.apache.org>; Fri, 18 Apr 2008 11:23:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding;
        bh=wolIZUHiDVvuDQiVKPoHqEa9z3YYFgIOvrFhUt7FSR0=;
        b=FvMUF1N5xpSo1L5TAwiqPE7QZHQ5ETuGphpxNiq18UH6KoZM4W/ngLTX/sj24rYo7f8MIJDe5VTKLDWhP8873pMLaf77fU8zLDk5SYWpDUrvbl0Ay4JVLClgFeh+SaH/ZrlP/9iBV0YcO9ybqwvGXJtRcMJLM/XhEJJRepJxxE8=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding;
        b=LkWCLeP7kaijawdyfrliPlEMZOn3m49koy8z8cnfmW6hCzkd0ssUJL43oa3OiW8YfGfmZek+ZUk8A1Xe84t8pSvQQr2fREjGWEYBz/kSdzCpmgJGCVvhQGTD/97c4YYOzwPANq0vKiPqaifN22ZcWl20HDavq9klEgF572ZKtZs=
Received: by 10.114.196.1 with SMTP id t1mr3006601waf.80.1208542998341;
        Fri, 18 Apr 2008 11:23:18 -0700 (PDT)
Received: from ?10.64.64.128? ( [164.44.67.4])
        by mx.google.com with ESMTPS id 6sm560303ywn.4.2008.04.18.11.23.15
        (version=SSLv3 cipher=RC4-MD5);
        Fri, 18 Apr 2008 11:23:17 -0700 (PDT)
Message-ID: <4808E70D.1010405@gmail.com>
Date: Fri, 18 Apr 2008 14:23:09 -0400
From: Tod <listacctc@gmail.com>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: users@httpd.apache.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
Subject: [users@httpd] Apache SSO using NTLM, LDAP ?

This has to be a frequently requested feature.  There seems to be so 
much written and done with it over the years that I wonder if some sort 
of standard process has emerged.

I have an apache2 web server and the need to seamlessly (hence SSO in 
title) authenticate and pass through IE6 clients.  mod_ntlm seems to fit 
the bill but now there is a more recent mod_auth_sspi that I wonder 
isn't more feasible.

I'm going to have a population of about 10K users hitting the web server 
  which translates into a lot of hits/second.  The web site I'm working 
on is not proxied and is not optimized for performance.  Its the 
hardware's brute force that is keeping things running smoothly, in my 
estimation.

I'd like to avoid injecting a performance problem, especially during 
authentication, that could add up to a lot of unsatisfied users in a 
very short period of time.

I also have the option (which I prefer) of using an LDAP directory to 
accomplish the authentication but the requirement of pass through 
authentication for IE still exists, as well as the performance hurdle.

So my questions are:

- Is mod_ntlm able to fit the bill and not incur a huge performance hit?
- Would mod_auth_sspi be a better solution using the same requirements?
- Is there a way I can authenticate users seamlessly using mod_auth_ldap?
- Is there maybe another solution, either apache mod or otherwise, 
someone can suggest that will fit the bill?


Thanks in advance!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org