On Sun, Sep 05, 2004 at 05:36:22AM +0200, Branko Čibej wrote:
> You can get a similar effect on Unix with mod_auth_pam and pam_smb
> (there used to be a mod_auth_ntlm, but IIRC it's defunct now), however
> it doesn't understand the Windows-specific handshake -- in other words,
> it just checks the basic auth tokens against an NT domain controller.
I evaluated mod_auth_pam and pam_smb, as well as using mod_auth_ldap
against Active Directory. mod_auth_ldap proved to require less setup.
I didn't find a good example of Apache authenticating against Active
Directory, so maybe my configuration would be useful to others:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    AuthType Basic
    AuthLDAPURL "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"
    AuthLDAPBindDN "cn=Seth Delisle,ou=IT Administration,dc=mydomain,dc=com"
    AuthLDAPBindPassword XXYYXXYYZZ
    AuthName Restricted
    Require valid-user
</Directory>

Note that you need an AuthLDAPBindDN entry that resolves to a user with
permissions to browse the Active Directory, and that the first cn= is not the
same string that you would use to log into a Windows box; it's described as the
"Display Name" when using Windows' MMC domain-users "snap-in."
The Apache2 docs describe the configuration directives in detail:
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html
Received on Tue Sep 7 20:12:30 2004
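
An added example, not part of the original message: a small checker that parses the AuthLDAPURL format used in the configuration above (scheme://host:port/basedn?attribute?scope?filter) and reports settings worth reviewing before deploying such a block. The finding codes and function names are made up for this illustration; the port numbers and the attribute/scope/filter defaults are the ones documented for LDAP and mod_auth_ldap.

```python
import re

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}  # registered LDAP / LDAPS ports
URL_RE = re.compile(r'^(ldaps?)://([^/:]+)(?::(\d+))?/([^?]*)(?:\?(.*))?$', re.I)

# The <Directory> block from the post (bind password is the post's placeholder).
POST_CONFIG = '''
<Directory />
    AuthType Basic
    AuthLDAPURL "ldaps://mydomain.com:389/dc=mydomain,dc=com?sAMAccountName"
    AuthLDAPBindDN "cn=Seth Delisle,ou=IT Administration,dc=mydomain,dc=com"
    AuthLDAPBindPassword XXYYXXYYZZ
    Require valid-user
</Directory>
'''

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into fields."""
    m = URL_RE.match(url.strip().strip('"'))
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, port, base_dn, rest = m.groups()
    scheme = scheme.lower()
    attr, scope, flt = ((rest or "").split("?") + ["", "", ""])[:3]
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else DEFAULT_PORT[scheme],
            "base_dn": base_dn,
            "attribute": attr or "uid",          # documented defaults
            "scope": scope or "sub",
            "filter": flt or "(objectClass=*)"}

def lint(config_text):
    """Return (code, message) findings for one mod_auth_ldap block."""
    d = dict(re.findall(r'^\s*(AuthType|AuthLDAP\w+)\s+(.+?)\s*$', config_text, re.M))
    url = parse_auth_ldap_url(d["AuthLDAPURL"])
    findings = []
    if url["scheme"] == "ldap":
        findings.append(("plaintext-ldap", "the ldap:// scheme does not itself provide TLS"))
    elif url["port"] == DEFAULT_PORT["ldap"]:
        findings.append(("scheme-port-mismatch", "ldaps:// on 389; LDAPS normally listens on 636"))
    if d.get("AuthType", "").lower() == "basic":
        findings.append(("basic-auth", "password is only base64-encoded; serve over HTTPS"))
    if "AuthLDAPBindPassword" in d:
        findings.append(("bind-password-in-config", "restrict read access to this file"))
    return findings

if __name__ == "__main__":
    for code, message in lint(POST_CONFIG):
        print(code + ": " + message)
```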