httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Clayton Hicklin" <chick...@gmail.com>
Subject Re: [users@httpd] Pass-through LDAP authentication with Internet Explorer and Active Directory
Date Tue, 16 Sep 2008 21:05:53 GMT
On Tue, Sep 16, 2008 at 4:00 PM, André Warnier <aw@ice-sa.com> wrote:

> Clayton Hicklin wrote:
>
>> On Tue, Sep 16, 2008 at 3:37 PM, Eric Covener <covener@gmail.com> wrote:
>>
>>  So, it looks like I need mod_setenvif, right?  Could anybody write a
>>>>>
>>>> quick
>>>
>>>> directive that would look at REMOTE_USER to see if there is a backslash
>>>>> ("\"), and if there is, set the same variable to everything following
>>>>>
>>>> the
>>>
>>>> backslash?  I think this would solve my problem.  I would rather use
>>>>> mod_authnz_ldap that  mod_auth_sspi as it is included with Apache and
>>>>> is
>>>>> well-supported.
>>>>>
>>>> The authentication/authorization modules don't read from the
>>> REMOTE_USER environment variable.
>>>
>>> --
>>> Eric Covener
>>> covener@gmail.com
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>>  Well, where are they getting their info?  This is what I'm getting in
>> the
>> error log:
>>
>> [5028] auth_ldap authenticate: user WHQ_NT_DOMAIN\\ch017001 authentication
>> failed; URI /scpmanager/ [User not found][No Such Object]
>>
>> Clearly domain\user is getting passed to the authn/authz modules from IE
>> somehow or another.
>>
>>  This is getting interesting.  How indeed ?
> Is there a way to trace the headers being sent back and forth during this
> authentication phase, at the Apache level ? We're talking IE as a browser
> here, so Firefox add-ons don't count.
>
> If not, assuming that server has perl and mod_perl available, I could put
> together a quick access handler that does that.
> (as mentioned before, I have a stake in a solution too).
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
In this case, Apache is running on Windows.  Although it could be loaded,
perl and mod_perl are not available at the moment.  I'm beginning to think
we're chasing our tails.  IE is going to pass the credentials in NTLM
format, I believe.  Even if we got the username right, I'm thinking maybe
the password won't be readable by mod_authn_ldap.  I don't know.

-- 
Clayton Hicklin
chicklin@gmail.com

Mime
View raw message