Posted to modules-dev@httpd.apache.org by John Hosie <ap...@live.com> on 2008/08/14 16:25:20 UTC

Kerberos/LDAP/Active Directory

Is there any module for Apache that will help in performing authentication/authorization on web services using an Active Directory "registry"? In our environment, when a user logs into their Windows workstation through Active Directory, I understand they are given a Kerberos ticket. I understand that there is a way for this ticket to be passed (through client application code, sent with a URL) to the Apache server module that is providing the service used by the user. I understand that there should be a way to use that ticket to 1) ensure that the user is who they say they are; 2) check to see if the user is in the group (arbitrary) that is allowed to come to this application. I've also been told that using LDAP to go to Active Directory is the right way to do the server side (Linux based) functions, while the Windows environment has their own way to put the client side together.
 
Is there an example of how to do this somewhere in C code?
 
What packages need to be installed on the server?
 
Is there sample client code?

Re: Kerberos/LDAP/Active Directory

Posted by César Leonardo Blum Silveira <ce...@gmail.com>.
On Thu, Aug 14, 2008 at 2:02 PM, Dan White <dw...@olp.net> wrote:
> John Hosie wrote:
>>
>> Is there any module for Apache that will help in performing
>> authentication/authorization on web services using an Active Directory
>> "registry"? In our environment, when a user logs into their Windows
>> workstation through Active Directory, I understand they are given a Kerberos
>> ticket. I understand that there is a way for this ticket to be passed
>> (through client application code, sent with a URL) to the Apache server
>> module that is providing the service used by the user. I understand that
>> there should be a way to use that ticket to 1) ensure that the user is who
>> they say they are; 2) check to see if the user is in the group (arbitrary)
>> that is allowed to come to this application. I've also been told that using
>> LDAP to go to Active Directory is the right way to do the server side (Linux
>> based) functions, while the Windows environment has their own way to put the
>> client side together.
>>  Is there an example of how to do this somewhere in C code?
>>  What packages need to be installed on the server?
>>
>
> mod_auth_kerb will let you authenticate an Active Directory user, assuming
> you have everything set up correctly (warning, it's a fairly steep learning
> curve).
>

There's also mod_spnego
(http://sourceforge.net/project/showfiles.php?group_id=82781), which
works on Unix and Windows.

> I don't know how to test for group membership with that module, but you
> might be able to additionally use mod_authnz_ldap (require-group) to
> accomplish that.
>
> - Dan
>



-- 
César L. B. Silveira
http://www.cesarbs.org/blog

Re: Kerberos/LDAP/Active Directory

Posted by Dan White <dw...@olp.net>.
John Hosie wrote:
> Is there any module for Apache that will help in performing authentication/authorization on web services using an Active Directory "registry"? In our environment, when a user logs into their Windows workstation through Active Directory, I understand they are given a Kerberos ticket. I understand that there is a way for this ticket to be passed (through client application code, sent with a URL) to the Apache server module that is providing the service used by the user. I understand that there should be a way to use that ticket to 1) ensure that the user is who they say they are; 2) check to see if the user is in the group (arbitrary) that is allowed to come to this application. I've also been told that using LDAP to go to Active Directory is the right way to do the server side (Linux based) functions, while the Windows environment has their own way to put the client side together.
>  
> Is there an example of how to do this somewhere in C code?
>  
> What packages need to be installed on the server?
>   

mod_auth_kerb will let you authenticate an Active Directory user, 
assuming you have everything set up correctly (warning, it's a fairly 
steep learning curve).

I don't know how to test for group membership with that module, but you 
might be able to additionally use mod_authnz_ldap (require-group) to 
accomplish that.

- Dan
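
The combination suggested in the replies above, written out as an added configuration sketch that is not part of any post in this thread: mod_auth_kerb authenticates the ticket and mod_authnz_ldap performs the group check against Active Directory. The realm, host name, keytab path, bind account and group DN are constructed placeholders, and the sketch assumes each user's userPrincipalName in AD matches the Kerberos principal that mod_auth_kerb sets as REMOTE_USER.

```apache
# Added example; every name below (EXAMPLE.COM, dc01.example.com, paths,
# DNs) is a constructed placeholder, not a value from the thread.
<Location "/app">
    # --- Authentication: mod_auth_kerb validates the client's ticket ---
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    # Keytab for HTTP/<server-fqdn>@EXAMPLE.COM; readable by the Apache user only
    Krb5Keytab /etc/apache2/http.keytab
    # Accept tickets sent via Negotiate (SPNEGO)
    KrbMethodNegotiate On
    # Do not fall back to asking for the password over Basic auth
    KrbMethodK5Passwd Off

    # --- Authorization: mod_authnz_ldap looks the user up in AD ---
    # REMOTE_USER is user@REALM, so search on userPrincipalName (assumption:
    # the UPN equals the Kerberos principal). ldaps keeps the bind
    # password and query off the wire in clear text.
    AuthLDAPURL "ldaps://dc01.example.com/dc=example,dc=com?userPrincipalName?sub?(objectClass=user)"
    # Low-privilege account used only to search the directory
    AuthLDAPBindDN "cn=svc-apache,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # Only members of this group are allowed in
    Require ldap-group cn=webapp-users,ou=Groups,dc=example,dc=com
</Location>
```

Because the bind password sits in this file, the file needs the same restrictive permissions as the keytab.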