
Apache 2 - LDAP/Active Directory - Automatic login/authentication process

Is there a fully automated way to authenticate a user using IE8+ with Apache without the user having to enter any form of credentials? Running IIS is not really an option even though I'm running Windows.

I've found some Perl-based solutions that should work but I could only get it to work on *Nix with a LOT of fuzzing around.

I'm currently using authnz_ldap_module which works great, but the users are really cranky and annoyed by having to put in their user-id and password for each new session that they open.

Any ideas?

asked Apr 11 '12 12:04 by Torxed



1 Answer

I've been having the same problem myself today after eventually getting the mod_authnz_ldap module to work.

From my research thus far, I gather you can't do seamless signon with the mod_authnz_ldap module and you'll have to use mod_auth_sspi instead. I've tried this out and it seems to work as expected (on Internet Explorer anyway - you can also configure Firefox to pass through by modifying the network.automatic-ntlm-auth.trusted-uris key).

Here are the steps:

  1. Download the mod_auth_sspi module from http://sourceforge.net/projects/mod-auth-sspi/
  2. From the zip file's bin folder, copy mod_auth_sspi.so to your apache modules folder
  3. From the zip file's bin folder, copy sspipkgs.exe to your apache bin folder
  4. Edit httpd.conf so that the Directory is configured something like this:
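
      # Load the module copied in step 2
      LoadModule sspi_auth_module modules/mod_auth_sspi.so

      Alias /secure "C:/Secure"
      <Directory "C:/Secure">
          Order deny,allow
          Allow from all

          AuthType SSPI
          SSPIAuth On
          # Also offer Basic authentication to clients that cannot do SSPI/NTLM
          SSPIOfferBasic On
          SSPIBasicPreferred On
          SSPIAuthoritative Off
          AuthName "Login"
          # Domain (or domain controller) to authenticate against
          SSPIDomain dc.domain

          Require valid-user
      </Directory>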

Now restart Apache.

Unfortunately, after all that it's no good for me as a solution as I have multiple LDAP servers to authenticate against, but hopefully this will help you.

answered Sep 25 '22 07:09 by misterjaytee
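
Added example (not part of the answer above and not code from the mod_auth_sspi project): the answer's block turns on `SSPIOfferBasic` and `SSPIBasicPreferred`, and Basic authentication sends the password only base64-encoded, so this small Python check flags SSPI-protected blocks that can fall back to Basic without requiring TLS. The function names and finding strings are hypothetical, the sample is the answer's block reproduced inline, and only directives written inside each block are evaluated (module defaults and settings inherited from an enclosing virtual host are not modelled).

```python
import re

# Constructed sample: the <Directory> block from the answer above.
SAMPLE_CONF = '''
Alias /secure "C:/Secure"
<Directory "C:/Secure">
    Order deny,allow
    Allow from all
    AuthType SSPI
    SSPIAuth On
    SSPIOfferBasic on
    SSPIBasicPreferred On
    SSPIAuthoritative Off
    AuthName "Login"
    SSPIDomain dc.domain
    Require valid-user
</Directory>
'''

BLOCK_RE = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.I | re.S)

def parse_directives(body):
    """Return {lowercased directive name: argument string} for one block."""
    directives = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, args = line.partition(' ')
        directives[name.lower()] = args.strip()
    return directives

def audit_sspi_blocks(conf_text):
    """Flag SSPI blocks that can fall back to Basic without requiring TLS."""
    findings = []
    for _, path, body in BLOCK_RE.findall(conf_text):
        d = parse_directives(body)
        if d.get('authtype', '').lower() != 'sspi':
            continue  # not protected by mod_auth_sspi
        offers_basic = d.get('sspiofferbasic', '').lower() == 'on'
        if offers_basic and 'sslrequiressl' not in d:
            findings.append((path, 'Basic offered without SSLRequireSSL'))
        if offers_basic and d.get('sspibasicpreferred', '').lower() == 'on':
            findings.append((path, 'Basic preferred over integrated auth'))
    return findings

if __name__ == '__main__':
    for path, issue in audit_sspi_blocks(SAMPLE_CONF):
        print(f'{path}: {issue}')
```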