
Re: Windows Authentication

From: Seth de l'Isle <seth.delisle_at_ge.com>
Date: 2004-09-07 20:10:37 CEST

On Sun, Sep 05, 2004 at 05:36:22AM +0200, Branko Čibej wrote:
> You can get a similar effect on Unix with mod_auth_pam and pam_smb
> (there used to be a mod_auth_ntlm, but IIRC it's defunct now), however
> it doesn't understand the Windows-specific handshake -- in other words,
> it just checks the basic auth tokens against an NT domain controller.

I evaluated mod_auth_pam and pam_smb, as well as using mod_auth_ldap
against Active Directory. mod_auth_ldap proved to require less setup.

I didn't find a good example of Apache authenticating against Active
Directory, so maybe my configuration would be useful to others:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        AuthType Basic
        AuthLDAPURL "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"
        AuthLDAPBindDN "cn=Seth Delisle,ou=IT Administration,dc=mydomain,dc=com"
        AuthLDAPBindPassword XXYYXXYYZZ
        AuthName Restricted
        Require valid-user
    </Directory>

Note that you need an AuthLDAPBindDN entry that resolves to a user with
permissions to browse the Active Directory, and that the first cn= is not the
same string that you would use to log into a Windows box; it's described as the
"Display Name" when using Windows' MMC domain-users "snap-in."

The Apache2 docs describe the configuration directives in detail:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html

Received on Tue Sep 7 20:12:30 2004
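
Added example, not part of the original mail and not mod_auth_ldap's own code: a small Python check that splits an AuthLDAPURL like the one above into its fields, builds the `(&(filter)(attribute=username))` search the module documentation describes, and flags a scheme/port combination worth confirming, such as `ldaps://` on port 389. The login names and the RFC 4515 escaping helper are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # registered LDAP / LDAPS ports
# The AuthLDAPURL value from the mail above.
SAMPLE_URL = "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into fields."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    attribute, scope, flt = (parts.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": unquote(attribute) or "uid",   # documented defaults
        "scope": unquote(scope) or "sub",
        "filter": unquote(flt) or "(objectClass=*)",
    }

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name stays a literal."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def search_filter(cfg, username):
    """Build (&(filter)(attribute=username)) as the module docs describe."""
    flt = cfg["filter"] if cfg["filter"].startswith("(") else "(%s)" % cfg["filter"]
    return "(&%s(%s=%s))" % (flt, cfg["attribute"], escape_filter_value(username))

def lint(cfg):
    """Return transport warnings for a parsed AuthLDAPURL."""
    warnings = []
    if cfg["scheme"] == "ldap":
        warnings.append("ldap:// is cleartext unless TLS is negotiated separately")
    expected = DEFAULT_PORTS[cfg["scheme"]]
    if cfg["port"] != expected:
        warnings.append("%s:// on port %d (registered port is %d): confirm what "
                        "the listener speaks" % (cfg["scheme"], cfg["port"], expected))
    return warnings

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(SAMPLE_URL)
    print(cfg)
    print(search_filter(cfg, "jdoe"))          # "jdoe" is a constructed login name
    print(search_filter(cfg, "j*(x)"))         # metacharacters stay literal
    for w in lint(cfg):
        print("WARNING:", w)
```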

This is an archived mail posted to the Subversion Users mailing list.