Chris R
Joined: 26 Sep 2006 Posts: 10 Location: England
Posted: Mon 06 Nov '06 16:54 Post subject: seamless authentication
I've been having problems finding anyone with the same setup as me that can help.
I have Apache2.2.3 installed (from this site) and PHP5.2 running on Win2K3.
I'm working on a new Intranet site at work and one of the things I need to do is seamless authentication. To make things even more complicated the users are stored in Active Directory.
So I need a way to do seamless authentication with PHP, Apache and AD.
Has anyone done this before or can you provide any links, sites, tutorials, books, messages carved in rock... anything that could help me?
Thanks for any help.

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg

Chris R
Joined: 26 Sep 2006 Posts: 10 Location: England
Posted: Mon 06 Nov '06 19:53
Oooh, that's a lot of reading.
Before I dig too deep, does it offer seamless authentication? That's the most important thing for me at the moment.
Also, does the "mod_authnz_ldap.so" module that comes with the Apache download from this site work ok? Do I need to do anything with it?

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 06 Nov '06 21:36
That module is in all releases of Apache 2.2.x
You only have to load that in the httpd.conf
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
and there where you want that access
require ldap-user bjenson fuser jmanager
I know that reading manuals sucks sometimes. But you should do it.

pnllan
Joined: 05 Dec 2005 Posts: 221

Chris R
Joined: 26 Sep 2006 Posts: 10 Location: England
Posted: Tue 07 Nov '06 1:28
Thanks for the help.
I'll be sure to read the links provided when I'm back at work.

Chris R
Joined: 26 Sep 2006 Posts: 10 Location: England
Posted: Tue 07 Nov '06 12:17
Ok, I'm stuck. I don't really know where to begin with this. I've found out I need to use NTLM to provide seamless logins on Windows.
From what I understand NTLM sits on top of HTTP and grabs the Windows login info before the HTTP box appears. Is that correct? This is something IIS uses and because of demand had been ported over to Apache. Now the problem is the official mod_ntlm has been dead for about 2 years. It doesn't work on Apache2.2.
So does anyone else do anything like this?
I'm in a jam here. The next best thing I could think of was to use Perl. I found a help file on the Drupal site (I'm not using Drupal just so you know) found here: http://drupal.org/node/44718
Now I like this approach, that it uses a .htaccess file to do authentication with Perl. And I also found this script called adLDAP that I think I can use after the user has logged on. Found here: http://adldap.sourceforge.net/
I just don't understand how I could get the user's login name. I keep seeing "REMOTE_USER" but again I have no idea.
Ok, so I'm making a giant mess of this. I know.
Just for reference here is my setup:
Windows 2003
Apache 2.2.3
PHP 5.2.0
I think it would make more sense just to stick with IIS at this point in time.

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg

Chris R
Joined: 26 Sep 2006 Posts: 10 Location: England
Posted: Tue 07 Nov '06 12:53
Ok, I'm confused now.
I'm sure if I take a break and come back to it I'll see how stupid I've been but I don't get this.
Does mod_authnz_ldap offer NTLM-like logins where the user does not need to enter their username again if they've already logged into Windows?
If so, how would I then get their username to use on the site? Using something like $_SERVER['REMOTE_USER']?
Sorry to be such a dumbass, I'm having real trouble taking all this in.

rbeede
Joined: 11 Jan 2006 Posts: 1
Posted: Thu 30 Nov '06 16:33 Post subject: Good NTLM (single sign-on) for Apache 2.2 & Windows
The following module works great for doing NTLM (IE doesn't prompt for password) login against a Windows domain (also works for non-domain):
http://sourceforge.net/projects/mod-auth-sspi
It only works on Apache running under Windows. To get who logged on, your CGI script should look in the environment for the variable REMOTE_USER.

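Added example (not part of rbeede's post or of mod_auth_sspi): one way a PHP page could read the REMOTE_USER value mentioned above and fail closed when it is missing or malformed. The function names, the EXAMPLE domain and the accepted character set are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumption: the auth module sets
// REMOTE_USER as "DOMAIN\user", "user@realm" or a bare "user".

// Split the server-supplied account name; return null if malformed.
function parse_remote_user($raw)
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 256) {
        return null;
    }
    $domain = '';
    $user = $raw;
    if (substr_count($raw, '\\') === 1) {        // DOMAIN\user
        list($domain, $user) = explode('\\', $raw);
    } elseif (substr_count($raw, '@') === 1) {   // user@realm
        list($user, $domain) = explode('@', $raw);
    }
    $hasSeparator = ($user !== $raw);
    // Conservative character set (an assumption; adjust to your directory).
    // \A and \z anchor the whole string; "$" would allow a trailing newline.
    $ok = '/\A[A-Za-z0-9._-]+\z/';
    if (!preg_match($ok, $user) || ($hasSeparator && !preg_match($ok, $domain))) {
        return null;
    }
    return array('domain' => strtoupper($domain), 'user' => strtolower($user));
}

// Read the identity from the variable the server sets, and nothing else.
function current_user(array $server)
{
    // HTTP_* entries come from request headers, which the client controls.
    if (!isset($server['REMOTE_USER'])) {
        return null;
    }
    return parse_remote_user($server['REMOTE_USER']);
}

// Constructed samples standing in for $_SERVER on three requests.
$samples = array(
    array('REMOTE_USER' => 'EXAMPLE\\jdoe'),
    array('HTTP_REMOTE_USER' => 'EXAMPLE\\admin'),   // header only: ignored
    array('REMOTE_USER' => "EXAMPLE\\jdoe\nadmin"),  // malformed: rejected
);
foreach ($samples as $s) {
    $u = current_user($s);
    echo $u === null
        ? "no authenticated user, respond 403\n"
        : $u['domain'] . '\\' . $u['user'] . "\n";
}
```

In a real page the call would be `current_user($_SERVER)`, with a 403 response and `exit` when it returns null.
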
Gayal Rupasinghe
Joined: 28 Dec 2006 Posts: 3 Location: Sri Lanka
Posted: Thu 28 Dec '06 12:50
Hello,
Like Chris I am also a victim in this scenario.
I am trying to get Single Sign On (Seamless Authentication) on Apache 2.2.x working with NTLM Authentication so that my existing Windows Domain users can access the company intranet with their Active Directory credentials.
According to my research there are 4 solutions. They are:
1. Use of official mod_ntlm module which has been dead for about 2 years
2. Use of Kerberos module
3. mod_auth_sspi
4. mod_authnz_ldap.so
Let me discuss the drawbacks I faced.
1. mod_ntlm needs Perl installed. When trying to run Makefile... it failed. Then I have to compile Apache... it also failed because compile needed apx file to retrieve version info and that file is not in my box.
2. I didn't try out Kerberos yet... will let you know ASAP when I try it.
3. When I use SSPI, meaning I copied the SSPI.so file from the URL, put it into the modules folder and changed the httpd.conf with the following directive LoadModule sspi_auth_module modules/mod_auth_sspi.so, I can no longer start/stop/restart Apache Server. I get the following error.
"The Requested operation has failed"
4. Use of LDAP was ok but did not work properly.
After configuration now I get a Permission Denied error message instead of Page Cannot be Displayed.
-------------------------------------------------------------------------------------
Anyway I just want to know what's the most suitable method to implement SSO on Apache without pain and with less compiling stuff.

justinroyce
Joined: 10 Jan 2007 Posts: 1
Posted: Wed 10 Jan '07 15:31 Post subject: AD & SSO
I'm on the exact same environment and am currently setting up SSL. Next is AD and SSO...
While I'm currently reading through all of the documentation posted, I've been fighting with this web server for a while due to various issues between MySQL5, PHP5 w/ Apache2+SSL, I'm beginning to wonder how long this fight is going to keep up...
Has anyone found a reasonable way of setting all this up without hours of frustration and tears that Apache usually requires?
If I happen to stumble on a setup, I'll post it here if someone else hasn't.

Gayal Rupasinghe
Joined: 28 Dec 2006 Posts: 3 Location: Sri Lanka
Posted: Fri 19 Jan '07 7:36 Post subject: mod_auth_sspi
It worked.
I used mod_auth_sspi. Unfortunately this works with Apache2 installed on Win Machines only.
-
Gayal Rupasinghe

rotsen
Joined: 02 Feb 2009 Posts: 1
Posted: Mon 02 Feb '09 7:03
Did anyone solve the NTLM/AD single Sign on?
Thanks,
Rotsen

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 02 Feb '09 14:09
For me it works with mod_auth_sspi