httpd-users mailing list archives

From "Clayton Hicklin" <chick...@gmail.com>
Subject Re: [users@httpd] Pass-through LDAP authentication with Internet Explorer and Active Directory
Date Tue, 16 Sep 2008 18:30:32 GMT
On Tue, Sep 16, 2008 at 1:27 PM, Prasanna Ram Venkatachalam <vpram86@gmail.com> wrote:

> I guess there is an SSPIOmitDomain directive which can be turned Off to
> include the domain as well along with the user name.
>
> (in mod_auth_sspi)
> Regards
> Prasanna Ram
>
>
> On Tue, Sep 16, 2008 at 11:53 PM, Clayton Hicklin <chicklin@gmail.com> wrote:
>
>> On Tue, Sep 16, 2008 at 1:22 PM, Clayton Hicklin <chicklin@gmail.com> wrote:
>>
>>> On Tue, Sep 16, 2008 at 10:58 AM, Davide Bianchi <davide@onlyforfun.net> wrote:
>>>
>>>> Clayton Hicklin wrote:
>>>> > I have LDAP authentication against Active Directory working perfectly in
>>>> > Firefox, but my problem is with IE.  IE automatically passes through the
>>>> > username and password so once you are logged into the domain, you don't
>>>> > have to type it in again.
>>>>
>>>> See if this http://www.soft-land.org/articoli/sso
>>>> can help you out.
>>>>
>>>> Davide
>>>>
>>>> --
>>>> How about some patent on "(a+b)^2 == a^2 + 2ab + b^2"?  Choose free software!
>>>>   -- Laurent Szyster
>>>>
>>>> ---------------------------------------------------------------------
>>>> The official User-To-User support forum of the Apache HTTP Server Project.
>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>> Thanks for the link.  I should've mentioned my Apache server is running
>>> on Windows.  I don't think modntlm works on Windows.  They suggest using
>>> mod_auth_sspi, which is what I started with, and it worked pretty well, but
>>> it has a weird bug that causes Apache not to send all POST data from forms
>>> unless you wait a few seconds to click submit.  Strange, but true.  So
>>> that's what led me to LDAP.  It is really working well except for this
>>> <domain>\ prefix issue.
>>>
>>> --
>>> Clayton Hicklin
>>> chicklin@gmail.com
>>>
>>
>> Found a workaround for mod_auth_sspi.  If you are having troubles with not
>> getting POST data with mod_auth_sspi and Internet Explorer, you can turn on
>> the pre-1.0.4 behavior with:
>>
>> SSPIPerRequestAuth On
>>
>>
>> Still don't know how to handle the IE + LDAP domain prefix issue, but this
>> module will work for me.
>> --
>> Clayton Hicklin
>> chicklin@gmail.com
>>
>
>
>
> --
> Prasanna Ram
>


The setup that works for me with mod_auth_sspi is:

AuthName "blah blah blah"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIPerRequestAuth On
SSPIOfferBasic on
Require group DOMAIN\group1
Require group DOMAIN\group2
Require group DOMAIN\group3

This works for both IE (using NTLM) and Firefox (using BASIC
authentication).

-- 
Clayton Hicklin
chicklin@gmail.com
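
Added example, not part of the original thread and not mod_auth_sspi code: with SSPIOmitDomain turned Off as suggested above, the domain travels with the user name, and this Python example shows one way an application behind Apache could validate that value instead of stripping the prefix. The DOMAIN\user shape of the value, the allowlist, the character policy and the names parse_remote_user, classify and ALLOWED_DOMAINS are assumptions; the sample inputs are constructed.

```python
import re

# Constructed allowlist: the AD domains this application trusts (assumption).
ALLOWED_DOMAINS = {"corp"}

# Conservative, assumed character policy for domain and account names.
_NAME = re.compile(r"[A-Za-z0-9._$-]{1,64}")


class RemoteUserError(ValueError):
    """The user name was missing, malformed, or from an untrusted domain."""


def parse_remote_user(value, allowed_domains=ALLOWED_DOMAINS):
    """Split 'DOMAIN\\user' into a lower-cased (domain, user) pair."""
    if not value:
        raise RemoteUserError("no authenticated user")
    domain, sep, user = value.partition("\\")
    if not sep:
        # Bare name: without the domain, same-named accounts in different
        # domains cannot be told apart, so refuse rather than guess.
        raise RemoteUserError("domain prefix missing")
    if not _NAME.fullmatch(domain) or not _NAME.fullmatch(user):
        # Also catches a second backslash inside the user part.
        raise RemoteUserError("unexpected characters")
    domain, user = domain.lower(), user.lower()
    if domain not in allowed_domains:
        raise RemoteUserError("untrusted domain")
    return domain, user


# Constructed sample values, as an application might read them from REMOTE_USER.
SAMPLES = ["CORP\\alice", "corp\\Alice", "PARTNER\\alice",
           "alice", "CORP\\al\\ice", ""]


def classify(samples=SAMPLES):
    """Map each sample to its parsed identity or to the rejection reason."""
    results = {}
    for raw in samples:
        try:
            results[raw] = parse_remote_user(raw)
        except RemoteUserError as exc:
            results[raw] = str(exc)
    return results


if __name__ == "__main__":
    for raw, result in classify().items():
        print(repr(raw), "->", result)
```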
