Re: Use Windows 2000 User Authentication for Apache
From: Marcel Weber (mmweber@ncpro.com)Date: 10/15/02
- Next message: Wild Wizard: "Re: Should I give passwords to server ids?"
- Previous message: those who know me have no need of my name: "Re: Adobe GoLive speaks only FTP .. suggestions?"
- In reply to: Joachim Feise: "Re: Use Windows 2000 User Authentication for Apache"
- Next in thread: percy: "Re: Use Windows 2000 User Authentication for Apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Oct 2002 02:22:09 +0200 From: Marcel Weber <mmweber@ncpro.com> To: jfeise@ics.uci.edu
Hi
auth_ldap works perfectly with apache and win2000. There are just some
small caveats: Windows 2000 wants a user with a valid account to connect
to the ldap server. I created a user ldapuser, that hasn't any rights in
the domain to achieve this.
I'm using this setup for 3 months now on our company's intranet.
The modules you need are: (on debian woody)
libapache_auth_ldap
In the httpd.conf put the following lines:
-----
<snip>
#httpd.conf
LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so
<Location />
Order allow,deny
allow from x.x.x.x
AuthType Basic
AuthName "Intranet"
# this is for connecting to the ad. YOUR_AD_LDAP_USER MUST be a valid AD user and find himself
# somewhere in the OU hierarchy
AuthLDAPBindDN "CN=YOUR_AD_LDAP_USER,OU=OUSystem,OU=OUAnotherLevel,DC=foo,DC=msft"
AuthLDAPBindPassword "xyz"
# This is the actual query. The member of is not necessary but an example how to check group memberships.
AuthLDAPUrl ldap://applic1.biomed.msft/dc=biomed,dc=msft?sAMAccountName?sub?(&(objectClass=*) (memberOf=CN=A_VALID_GROUP,OU=OUAN_ORGANISATION,DC=foo,DC=msft))
require valid-user
</Location>
<snip>
-----
Works perfectly AND it has one huge advantage: The SMB / NTLM authentication does not
work from other network segments, for example from the DMZ. With ldap, no problem at all.
You can authenticate your users even via the internet (is not that good an idea though
as the transfer of the passwords is not too secure ;-) Furthermore, auth_ldap
stores the queried credentials in a cache and accelerates the whole authentication
extremly.
Best regards
Marcel
Joachim Feise schrieb:
> Tim Pailthorpe wrote:
>
>> Squid proxy server (latest version) will use NT domain authentication
>> so you
>> can use Squid as a reverse proxy. Messy but it should work.
>>
>> Alernaitively (I haven't got a clue if this can be made to work but it is
>> worth a try), Win2K Domain Controllers run an LDAP server, Apache may be
>> able to use this for authentication.
>
>
> No need to go through all this trouble. There is an NTLM authentication
> module
> for Apache 1.3.x: http://modntlm.sourceforge.net/
> That apparently can authenticate against Samba or NT (I haven't tried it
> myself
> yet, though).
>
> -Joe
>
- Next message: Wild Wizard: "Re: Should I give passwords to server ids?"
- Previous message: those who know me have no need of my name: "Re: Adobe GoLive speaks only FTP .. suggestions?"
- In reply to: Joachim Feise: "Re: Use Windows 2000 User Authentication for Apache"
- Next in thread: percy: "Re: Use Windows 2000 User Authentication for Apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
