Posted to users@httpd.apache.org by Eric Ladner <er...@gmail.com> on 2004/11/07 15:57:10 UTC

[users@httpd] Authentication question and ideas requested.

Got a problem.. Need some help..

I have an Apache web server running on a UNIX machine at work. 
Naturally, the corporate guys are all up in arms and are nit-picking
every little thing that's wrong with it saying that we should trash it
and migrate to IIS.

I could hold them off if I could overcome the biggest gripe they have
about it:  TRANSPARENT integration with Active Directory
authentication.

The biggest missing piece is group authentication with the AD servers
for security.  Currently there are content areas on the web server
that are restricted to local site access only for various reasons. 
The place where this breaks down is when people from the local site
travel to other sites: they are unable to access the local content
because the security is based on IP ranges for the local site and they
are now sitting somewhere other than the local site.

I've looked around at several NTLM and SMB authorization modules, but
I haven't been able to pull anything out of the hat yet.  The biggest
gap (that I think exists, anyway) is that most of the modules I've
looked at don't support authentication against an AD Group (i.e. a
directory is accessible by anybody in the NT group "Site Engineers" or
something, and Fred, being a member of "Site Engineers", has access to
the content of that particular directory no matter where he is
currently in the corporation).

Also, all of the stuff I've looked at so far either provides NTLM
transparent auth, with no AD authentication backend or AD
authentication without the NTLM transparent frontend part.

Has anybody come up with a solution for this?  Is there a solution to this?

Basically, here's my dream scenario:

Directory secured to group access.  .htaccess contains something like this:

[authentication stuff.. blah, blah]
NTLMGroup  SomeNTGroup SomeOtherNtGroup
Require    valid-user

The usage pattern would be something like this:

User Fred, belonging to "SomeNTGroup", accesses a private directory on
the web server.  The server is delivered, via NTLM, his desktop login
credentials.  The server (or an authentication module) sees that
authentication is required and looks for a valid-user.  Since there
is nothing specified but a group requirement, Fred's group membership
is queried and checked against the specified groups.  The AD server
returns "OK", so the access is permitted.

Save my Apache server!
-- 
Eric Ladner

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Authentication question and ideas requested.

Posted by Ralf Glauberman <rg...@michaeli-gymnasium.de>.
Sorry, but I don't believe there is a way to use ldap-group without using 
mod_auth_ldap; it simply has nothing to do with SMB and NTLM. And you won't 
be able to use mod_auth_ldap without an account to log into the AD. So, your 
only way seems to be getting a service account: no rights, just login and 
read the AD. See it this way: every computer in the domain has a 
machine account, which is nothing different. The only way to get around this 
won't help you either, because it means granting read access to the AD for 
everyone. But it will be even safer than using IIS. Talk to them and try to 
get the account, man; I really don't think there is another way.
Ralf

----- Original Message ----- 
From: "Eric Ladner" <er...@gmail.com>
To: <us...@httpd.apache.org>
Sent: Sunday, November 07, 2004 7:22 PM
Subject: Re: [users@httpd] Authentication question and ideas requested.


> On Sun, 7 Nov 2004 18:04:01 +0100, Ralf Glauberman
> <rg...@michaeli-gymnasium.de> wrote:
>>
>> you have to use a service-account to search for the user, the
>> password-verification is done with the username&password the user 
>> entered.
>> why is it impossible to create a service-account for this?
>>
>
> Corporate policy.  Service accounts = Spawn of Satan.  Or so they are
> led to believe.  Basically they are plugging up every possible
> vulnerability (except for the fact they still run Windows) by not
> implementing any extra functionality at all.
>




Re: [users@httpd] Authentication question and ideas requested.

Posted by Eric Ladner <er...@gmail.com>.
On Sun, 7 Nov 2004 18:04:01 +0100, Ralf Glauberman
<rg...@michaeli-gymnasium.de> wrote:
> 
> you have to use a service-account to search for the user, the
> password-verification is done with the username&password the user entered.
> why is it impossible to create a service-account for this?
> 

Corporate policy.  Service accounts = Spawn of Satan.  Or so they are
led to believe.  Basically they are plugging up every possible
vulnerability (except for the fact they still run Windows) by not
implementing any extra functionality at all.



Re: [users@httpd] Authentication question and ideas requested.

Posted by Ralf Glauberman <rg...@michaeli-gymnasium.de>.
You have to use a service account to search for the user; the 
password verification is done with the username and password the user entered. 
Why is it impossible to create a service account for this?

----- Original Message ----- 
From: "Eric Ladner" <er...@gmail.com>
To: <us...@httpd.apache.org>
Sent: Sunday, November 07, 2004 4:37 PM
Subject: Re: [users@httpd] Authentication question and ideas requested.


> Unfortunately, I can't use mod_auth_ldap because the NT weenies in the
> corp won't allow anonymous credential verification against their AD
> servers (i.e. you have to have a username and password to check
> somebody's username and password).
>
> Unless you know a way around this without having to create a service
> account (which the NT weenies won't let me do, either) or dropping my
> username/password in a file every 90 days.
>
> Thanks for the response though!  Keep the ideas flowing!
>
>
> On Sun, 7 Nov 2004 16:28:16 +0100, Ralf Glauberman
> <rg...@michaeli-gymnasium.de> wrote:
>> the answer is mod_auth_ldap, it connects directly to the ad-servers and 
>> does
>> the autentication supporting ad groups. it also supports multiple DCs, so
>> you can have redundancy. if you have further questions, just ask.
>> Ralf
> -- 
> Eric Ladner
>




Re: [users@httpd] Authentication question and ideas requested.

Posted by Eric Ladner <er...@gmail.com>.
Unfortunately, I can't use mod_auth_ldap because the NT weenies in the
corp won't allow anonymous credential verification against their AD
servers (i.e. you have to have a username and password to check
somebody's username and password).

Unless you know a way around this without having to create a service
account (which the NT weenies won't let me do, either) or dropping my
username/password in a file every 90 days.

Thanks for the response though!  Keep the ideas flowing!


On Sun, 7 Nov 2004 16:28:16 +0100, Ralf Glauberman
<rg...@michaeli-gymnasium.de> wrote:
> the answer is mod_auth_ldap, it connects directly to the ad-servers and does
> the autentication supporting ad groups. it also supports multiple DCs, so
> you can have redundancy. if you have further questions, just ask.
> Ralf


-- 
Eric Ladner



Re: [users@httpd] Authentication question and ideas requested.

Posted by Ralf Glauberman <rg...@michaeli-gymnasium.de>.
The answer is mod_auth_ldap: it connects directly to the AD servers and does 
the authentication, supporting AD groups. It also supports multiple DCs, so 
you can have redundancy. If you have further questions, just ask.
Ralf

----- Original Message ----- 
From: "Eric Ladner" <er...@gmail.com>
To: <us...@httpd.apache.org>
Sent: Sunday, November 07, 2004 3:57 PM
Subject: [users@httpd] Authentication question and ideas requested.




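An added configuration example, not from the thread, of the setup Ralf describes here and in his later reply: group authorization against AD over LDAP, a low-privilege service account for the search bind, and two domain controllers for redundancy. It uses the Apache 2.4 directive names (mod_authnz_ldap, the successor of the 2.0-era mod_auth_ldap); hostnames, DNs, group names, file paths and the service account are assumed placeholders. It covers the group-authorization half only: the user still enters credentials via Basic auth over TLS, since the LDAP module has no transparent NTLM front end, which is the gap the thread identifies.

```apache
# Added example (not from the thread): Apache 2.4 mod_authnz_ldap config for a
# directory restricted to members of AD groups. All hostnames, DNs, group
# names, paths and the service account below are assumed placeholders.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Trust the corporate CA so the LDAPS connections to the DCs are verified.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-root-ca.pem

<Directory "/var/www/html/site-private">
    AuthType Basic
    AuthName "Site content: AD login required"
    AuthBasicProvider ldap

    # Two domain controllers for redundancy (mod_ldap tries them in order).
    # Users are looked up by sAMAccountName under the domain base DN; LDAPS
    # keeps the Basic-auth password off the wire in clear text.
    AuthLDAPURL "ldaps://dc1.example.corp dc2.example.corp/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)"

    # The service account only searches for the user and reads group
    # membership; the user's own password is verified by a second bind as
    # that user. Its password comes from a root-only script (exec: needs
    # httpd 2.4.5+), so no credential sits in an .htaccess file.
    AuthLDAPBindDN       "CN=svc-httpd-ldap,OU=Service Accounts,DC=example,DC=corp"
    AuthLDAPBindPassword "exec:/usr/local/sbin/httpd-ldap-bind-password"

    # AD group objects list members as full DNs in the "member" attribute;
    # nested groups are AD "group" objects whose own "member" is followed.
    AuthLDAPGroupAttribute      member
    AuthLDAPGroupAttributeIsDN  on
    AuthLDAPSubGroupClass       group
    AuthLDAPSubGroupAttribute   member
    AuthLDAPMaxSubGroupDepth    2

    # Authorization: membership in either group grants access, anything
    # else is refused. No IP-range rule, so the check works from any site.
    <RequireAny>
        Require ldap-group CN=Site Engineers,OU=Groups,DC=example,DC=corp
        Require ldap-group CN=Site Managers,OU=Groups,DC=example,DC=corp
    </RequireAny>
</Directory>
```

Raising LogLevel to `ldap:debug authnz_ldap:debug` during rollout shows which DC answered, the bind that ran, and the group comparison that granted or refused each request.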