httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Clayton Hicklin" <chick...@gmail.com>
Subject Re: [users@httpd] Pass-through LDAP authentication with Internet Explorer and Active Directory
Date Tue, 16 Sep 2008 21:02:58 GMT
This is a "trusted" site, which, according to the Windows Integrated
Authentication docs, means that IE will happily send the authentication
credentials, but I would be more inclined to think that they will just not
be in the right format for mod_authnz_ldap to handle.  What's weird is that
it is definitely getting the domain\username part of it.

Maybe it just won't work.  I got mod_auth_sspi working with a workaround, so
maybe I'll just go that route.

On Tue, Sep 16, 2008 at 3:51 PM, André Warnier <aw@ice-sa.com> wrote:

> André Warnier wrote:
>
>> Eric Covener wrote:
>>
>>> So, it looks like I need mod_setenvif, right?  Could anybody write a
>>>>> quick
>>>>> directive that would look at REMOTE_USER to see if there is a backslash
>>>>> ("\"), and if there is, set the same variable to everything following
>>>>> the
>>>>> backslash?  I think this would solve my problem.  I would rather use
>>>>> mod_authnz_ldap that  mod_auth_sspi as it is included with Apache and
>>>>> is
>>>>> well-supported.
>>>>>
>>>>
>>> The authentication/authorization modules don't read from the
>>> REMOTE_USER environment variable.
>>>
>>>  Party pooper !
>>
>>  Clayton,
> I kind of get a feeling that Eric is right though, because a) he usually
> seems to know his stuff, and b) that would not be very secure, to say the
> least.
> That would mean that we are back to try and figure out what exactly happens
> between IE and the server, and it what circumstances exactly IE sends this
> domain\user-id thing.
>
> But maybe Eric can help there ?
> Eric, what kind of "401" does mod_authnz_ldap send to the browser when it
> needs authentication ? Basic ?
> Then I can't quite imagine Clayton's scheme working, because IE would never
> of its own device send the user's password (I don't even think it knows it).
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 
Clayton Hicklin
chicklin@gmail.com

Mime
View raw message