Author |
|
PipoDeClown
Joined: 20 Dec 2005 Posts: 77
|
Posted: Wed 22 Feb '12 21:57 Post subject: Will there be a mod_auth_sspi for 2.4? |
|
|
see title |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Thu 23 Feb '12 0:32 Post subject: |
|
|
I don't think so. There no develoment since a longer time. There is no longer a required function the module uses in the new Apache.
Also there are some security bugs in it.
example
Code: |
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
<IfModule mod_auth_sspi.c>
<Location /protected/>
AuthName "A Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIBasicPreferred On
require valid-user
</Location>
</IfModule>
|
with that configuration, try this.
When the login prompt comes up, type in nothing and just press the OK
button twice (for me it is press it twice).
When I do this, I get to the protected (supposedly) document. Moving
around from any links on that document, I just have to keep pressing
OK twice. Never do I actually need a valid username or password. If I
type in invalid data, I will never get in.
It has to do with the NT_ANNONYMOUS user in Windows, and depending on
which OS Apache is on (XP vs. Vista) depends on what I see in the
whoami script.
I haven't messed around that much with the Require statement, but
because the example config uses valid-user, and valid-user allows
bypass, I do not to put this module up at our site. |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Thu 23 Feb '12 7:35 Post subject: |
|
|
Credit given where credit due ... me
I've talked with the maintainer of this module about this bug and that is is not compatible with 2.4.x, we'll see if he ever gets around to it.
EDIT: changed "author" to "maintainer" since neither of the maintainers are the original author from what I know. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Thu 23 Feb '12 10:58 Post subject: |
|
|
glsmith wrote: | Credit given where credit due ... me
|
Yepp Gregg figured that out. I forgot to write that |
|
Back to top |
|
spsellars
Joined: 26 Feb 2012 Posts: 1 Location: US
|
Posted: Sun 26 Feb '12 13:27 Post subject: |
|
|
Are there any alternatives to mod_auth_sspi which will work with Apache 2.4 (using Integrated Windows Authentication)?
Unfortunately, requiring our intranet users to manually enter their usernames/passwords isn't an option, so the ldap module won't work for us. And the Kerberos modules only seem implemented on *nix systems.
The only alternative I can come up with for now is forwarding requests to a separate IIS server, starting a session with the AUTH_USER variable from there, and forwarding back to the original page. For obvious reasons I'd prefer not to go that route.
Hoping I'm missing an obvious alternative. Any ideas? |
|
Back to top |
|
PipoDeClown
Joined: 20 Dec 2005 Posts: 77
|
Posted: Sun 26 Feb '12 23:29 Post subject: |
|
|
i'd stick with the 2.2 where sspi is working. |
|
Back to top |
|
markw
Joined: 24 Nov 2011 Posts: 7 Location: UK
|
Posted: Wed 18 Jul '12 11:30 Post subject: |
|
|
Hi Folks,
We're using auth_sspi on our server but would love to move up to Apache 2.4. I was just wondering if there have been any developments in this regard yet?
Thanks! |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 18 Jul '12 12:42 Post subject: |
|
|
There has, but it's far from finished and it's been two months now since the was any work done to it. |
|
Back to top |
|
markw
Joined: 24 Nov 2011 Posts: 7 Location: UK
|
Posted: Wed 18 Jul '12 12:50 Post subject: |
|
|
glsmith wrote: | There has, but it's far from finished and it's been two months now since the was any work done to it. |
OK, thanks for the update. Out of interest is there a public page where we can check this status? Also is there anything we could do to support their work? |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 18 Jul '12 20:15 Post subject: |
|
|
Actually, to be honest, I am just assuming it's going to be 2.4 compatible. The one dev that did the 2.0.5-beta is moving to the authnz style (what the difference is I do not know) and since 2.4 is out, I would hope it's going to be 2.4 compatable.
http://mod-auth-sspi.svn.sourceforge.net/viewvc/mod-auth-sspi/branches/mod_authnz_sspi/
I talked to one of the maintainer's of record for this and he's busy with libCurl at the moment, there's a new release of that coming I guess, then he wants a break.
I'll keep hinting to him about this thought since my server that I keep some modules on, this one is the most downloaded (a few a day). |
|
Back to top |
|
markw
Joined: 24 Nov 2011 Posts: 7 Location: UK
|
Posted: Fri 20 Jul '12 11:21 Post subject: |
|
|
Ah ok, that makes sense then. Thanks for your efforts and the information. |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 24 Aug '12 9:42 Post subject: |
|
|
Friday, August 24, 2012 12:44 AM PST
I should have one out sometime this weekend.
I've built it in x86 & x64, I've tested it in x86 so far. It doesn't work on XP, that is for sure. It is working fine on my Vista x86 however. I'll be testing it on Win7 x64 maybe tomorrow (well today since it's almost 1am here). |
|
Back to top |
|
wm003
Joined: 24 Mar 2006 Posts: 88
|
Posted: Fri 24 Aug '12 10:01 Post subject: |
|
|
Great News! Thanks a lot for your effort.
Our company still has a lot of XP-developer machines until next summer (yes, we will finally upgrade to Win7!) , but as long as it works unter Windows Server 2003 (maybe not, because of XP-Kernal?) and Windows Server 2008, i am really looking forward to that, so i can finally test and migrate to apache 2.4.x
|
|
Back to top |
|
Mandeep
Joined: 18 Sep 2012 Posts: 3 Location: London
|
Posted: Tue 18 Sep '12 14:21 Post subject: mod_auth_sspi with apache2.4 - Any updates ? |
|
|
Hi glsmith and wm003,
Did anyone of you managed to get it working? I have a live server working fine with mod_auth_sppi on Apache 2.2. Its been in place for about 3 years and works like a charm.
However as part of server upkeep and maintenance, we decided to upgrade t Apache 2.4 and PHP 5.4 with new instance of mysql. One of the key requirements for intranet users is the need to auto login. Mod_auth_sspi is something I need desperately to be working with 2.4 for this upgrade to happen. Can you guys please put me in the right direction if you managed to implement this successfully!
Many Thanks
Mandeep |
|
Back to top |
|
PipoDeClown
Joined: 20 Dec 2005 Posts: 77
|
|
Back to top |
|
Mandeep
Joined: 18 Sep 2012 Posts: 3 Location: London
|
Posted: Tue 25 Sep '12 14:31 Post subject: |
|
|
Hi,
I have now managed to get it working. It needed few tweaks but finally managed to automatically log the users on to the intranet.
If anyone needs help with this, contact me.
I will soon put some config and sample code together and post it here.
Regards
Mandeep |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 25 Sep '12 14:32 Post subject: |
|
|
Please post your code |
|
Back to top |
|
Mandeep
Joined: 18 Sep 2012 Posts: 3 Location: London
|
Posted: Tue 25 Sep '12 14:54 Post subject: |
|
|
So, Just to give everyone a refresher on this. With Apache 2.2 the mod_auth_sspi.so module can be used to auto login users by getting their AD credentials ( logged on user on the client machine). This method is very useful when you are working on an intranet.
With Apache2.4 this module is broken and does not work. If you are upgrading to 2.4 and need this to work, you have to make some changes. The below steps are for windows 2008 R2, Running Apache 2.4 (32 bit version)
Follow these steps to get this working:
1: Download the module from here
https://www.apachehaus.net/modules/mod_authnz_sspi/
(x86 for 32 bit and x64 for 64 bit apache)
2: Copy the mod_authnz_sspi.so from Apache24>>modules folder and place it in the modules folder of your Apache folder on your webserver
3: Under the httpd.conf file (Config file for your apache) place this line of code. Try to load this as the last module
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
4: Make sure that the following modules are uncommented
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
PS:- both the above modules are required for this to work.
5: Place the following code in your httpd.conf file
<Directory "path/to/your/secure/folder">
Options None
AllowOverride All
Order allow,deny
Allow from all
#AuthName "SSPI Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
Require valid-user
</Directory>
6: Restart your apache servive and hopefully it should restart without any issues.
7: Now in order to recognise the user , use the following code on a php page (index/main page for internal users)
$cred = explode('\\',$_SERVER['REMOTE_USER']);
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;
echo "You appear to be user <B>$user</B><BR/>";
echo "logged into the Windows NT domain <B>$domain</B><BR/>";
You should now be able to see the logged on user. Once this is completed you can write SQL/MYSQL queries to identify the user type and redirect them to their appropriate pages/section of the intranet. I would set the Session variables once I have identified the user and queries their information to personalise their intranet pages.
Hope this will be helpful and save people several hours of effort.
Regards
Mandeep |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 25 Sep '12 15:20 Post subject: |
|
|
The auth config is the old one. The my_cfg.txt in the zip shows the new one from apache 2.4 |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Tue 25 Sep '12 22:47 Post subject: |
|
|
Nice to have some confirmation this module works, thank you!
As James said, this is the old 2.2 style access control:
Order allow,deny
Allow from all
In 2.4, that can still be used if and only if mod_access_compat is loaded (which is the default it seems), but if you start using the new style of access granting throughout your config, you can remove the access_compat module, save a shred or two of ram and probably gain a little performance since it doesn't have to be translated every request.
Require all granted
does the same in 2.4 as 2.2's
Order allow,deny
Allow from all |
|
Back to top |
|