logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: seamless authentication
Author
Chris R



Joined: 26 Sep 2006
Posts: 10
Location: England

PostPosted: Mon 06 Nov '06 16:54    Post subject: seamless authentication Reply with quote

I've been having problems finding anyone with the same setup as me that can help.

I have Apache2.2.3 installed (from this site) and PHP5.2 running on Win2K3.

I'm working on a new Intranet site at work and one of the things I need to do is seamless authentication. To make things even more complicated the users are stored in Active Directory.

So I need a way to do seamless authentication with PHP, Apache and AD.

Has anyone done this before or can you provide and links, sites, tutorials, books, messages carved in rock... anything that could help me?

Thanks for any help.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 06 Nov '06 18:25    Post subject: Reply with quote

You need to load
mod_authnz_ldap

http://httpd.apache.org/docs/2.2/de/mod/mod_authnz_ldap.html



or with PHP

http://www.php.net/ldap
Back to top
Chris R



Joined: 26 Sep 2006
Posts: 10
Location: England

PostPosted: Mon 06 Nov '06 19:53    Post subject: Reply with quote

oooh that's a lot of reading.

before I dig too deep does it offer seamless authentication? That's the most important thing for me at the moment.

Also does the "mod_authnz_ldap.so" module that comes with the Apache download from this site work ok? Do I need to do anything with it?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 06 Nov '06 21:36    Post subject: Reply with quote

That modul is in all releases of Apache 2.2.x
You anly have to load that in the httpd.conf

LoadModule mod_authnz_ldap modules/mod_authnz_ldap.so

and there where you want that access

require ldap-user bjenson fuser jmanager


I know that reading manuals sucks sometime. But you should do.
Back to top
pnllan



Joined: 05 Dec 2005
Posts: 221

PostPosted: Tue 07 Nov '06 0:44    Post subject: Reply with quote

Definitely read the manual, especially considering the environment you are implementing this.

Here are links that discuss and show Apache, PHP, and Active Directory integration:

http://thomas-howard.com/Reference/Articles/Apache+AD/

http://www.developer.com/lang/php/article.php/3100951
Back to top
Chris R



Joined: 26 Sep 2006
Posts: 10
Location: England

PostPosted: Tue 07 Nov '06 1:28    Post subject: Reply with quote

Thanks for the help.

I'll be sure to read the links provided when I'm back at work.
Back to top
Chris R



Joined: 26 Sep 2006
Posts: 10
Location: England

PostPosted: Tue 07 Nov '06 12:17    Post subject: Reply with quote

ok, i'm stuck. I don't really know where to begin with this. I've found out I need to use NTLM to provide seamless logins on Windows.

From what I understand NTLM sits on top of HTTP and grabs the Windows login info before the HTTP box appears. is that correct? this is something IIS uses and because of demand had been ported over to Apache. Now the problem is the official mod_ntml has been dead for about 2 years. It doesn't work on Apache2.2.

So Does anyone else do anything like this?

I'm in a jam here. The next best thing I could think of was to use Perl. I found a help file on the Drupal site (i'm not using Drupal just so you know) found here: http://drupal.org/node/44718

Now I like this apporch that it uses a .htaccess file to do authentication with Perl. And I also found this script called adLDAP that I think I can use after the user has logged on. found here: http://adldap.sourceforge.net/

I just don't understand how I could get the users login name. I keep seeing "REMOTE_USER" but again I have no idea.

ok, so I'm making a giant mess of this. I know.

just for referance here is my setup

Windows 2003
Apache 2.2.3
PHP 5.2.0

I think it would make more sense just to stick with IIS at this point in time.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Tue 07 Nov '06 12:35    Post subject: Reply with quote

Why don't you want to use the native apache module? Shocked
http://httpd.apache.org/docs/2.2/de/mod/mod_authnz_ldap.html
That module is up to date and it works.

Or if you prefer a php solution http://www.scit.wlv.ac.uk/~jphb/sst/php/extra/ldap.html (example 2)
Back to top
Chris R



Joined: 26 Sep 2006
Posts: 10
Location: England

PostPosted: Tue 07 Nov '06 12:53    Post subject: Reply with quote

ok i'm confused now.

I'm sure if I take a break and come back to it i'll see how stupid i've been but I don't get this.

does mod_authnz_ldap offer NTLM like logins where the user does not need to enter their username again if the've already logged into Windows?

if so how would i then get there username to use on the site? using something like $_SERVER['REMOTE_USER']?

sorry to be such a dumbass, i'm having real trouble taking all this in.
Back to top
rbeede



Joined: 11 Jan 2006
Posts: 1

PostPosted: Thu 30 Nov '06 16:33    Post subject: Good NTLM (single sign-on) for Apache 2.2 & Windows Reply with quote

The following module works great for doing NTLM (IE doesn't prompt for password) login against a Windows domain (also works for non-domain):

http://sourceforge.net/projects/mod-auth-sspi

It only works on Apache running under Windows. To get who logged on your cgi script should look in the environment for the variable REMOTE_USER
Back to top
Gayal Rupasinghe



Joined: 28 Dec 2006
Posts: 3
Location: Sri Lanka

PostPosted: Thu 28 Dec '06 12:50    Post subject: Reply with quote

Hello,

Like Chris I am also a victim in this scenario.

I am trying to get Single Sign On (Seamless Authentication) Apache 2.2.x works with NTLM Authentication so that my existing Windows Domain users can access the company intranet with their Active Directory Credentials.

According to my research there are 4 solution. They are;

1. Use of official mod_ntml module which has been dead for about 2 years
2. Use of Kerberos module
3. mod_auth_sspi
4. mod_authnz_ldap.so

Let me discuss the drawbacks i faced.

1. mod_ntml needs perl installed. when trying to run Makefile...it failed. Then i have to compile Apache..it also failed because compile needed apx file to retrieve version info and that file is not in my box.

2. I didnt try out kerberos yet..will let u know ASAP when i try it.

3. When i use SSPI..meaning copied the SSPI.so file from the URL put it into the modules folder and change the Httpd.conf with the following directive LoadModule sspi_auth_module modules/mod_auth_sspi.so i cant no longer start/stop/restart Apache Server. I get the following error.

"The Requested operation has failed"

4. Use of LDAP was ok but did not worked properly.
After configuration now i get a Permission Denied Error message instead of Page Cannot be Displayed.

-------------------------------------------------------------------------------------
Anyway i just want to know wuts the most suitable method to implement SSO on Apache without pain and less compiling stuff.
Back to top
justinroyce



Joined: 10 Jan 2007
Posts: 1

PostPosted: Wed 10 Jan '07 15:31    Post subject: AD & SSO Reply with quote

I'm on the exact same environment and am currently setting up SSL. Next is AD and SSO...

While I'm currently reading through all of the documentation posted, I've been fighting with this web server for awhile due to various issues between MySQL5, PHP5 w/ Apache2+SSL, I'm beginning to wonder how long this fight is going to keep up...

Has anyone found a reasonable way of setting all this up without hours of frustration and tears that Apache usually requires?

If I happen to stumble on a setup, I'll post it here if someone else hasn't.
Back to top
Gayal Rupasinghe



Joined: 28 Dec 2006
Posts: 3
Location: Sri Lanka

PostPosted: Fri 19 Jan '07 7:36    Post subject: mod_auth_sspi Reply with quote

It worked.

I used mod_auth_sspi. Unfortunately this works with Apache2 installed on Win Machines only.

-
Gayal Rupasinghe
Back to top
rotsen



Joined: 02 Feb 2009
Posts: 1

PostPosted: Mon 02 Feb '09 7:03    Post subject: Reply with quote

Did anyone solve the NTLM/AD single Sign on?

Thanks,

Rotsen
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 02 Feb '09 14:09    Post subject: Reply with quote

For me it works with mod_auth_sspi
Back to top


Reply to topic   Topic: seamless authentication View previous topic :: View next topic
Post new topic   Forum Index -> Apache