Use Windows 2000 User Authentication for Apache
| Dear there,
I am going to install an Apache web server on my Linux. Now, I have a
Windows 2000 Domain Controller running at my network.
My question is:
Could I use the Windows domain user authentication for my Apache user
authentication, so that I don't need to create different user account for
each user? And how if could?
Any help would be appreciated.
Thank you in advance.
Ross
| |
| Nils O. Selåsdal 2002-10-08, 11:24 am |
| In article <_dDo9.14794$V21.377501@news>, Ross wrote:
> Dear there,
> I am going to install an Apache web server on my Linux. Now, I have a
> Windows 2000 Domain Controller running at my network.
> My question is:
> Could I use the Windows domain user authentication for my Apache user
> authentication, so that I don't need to create different user account for
> each user? And how if could?
> Any help would be appreciated.
> Thank you in advance.
If you are using Active Directory, I don't know. If it's just an "ordinary"
PDC (or whatever one calls it), Samba and its winbind together with PAM
can do what you want.
--
Vennlig hilsen/Best Regards
Nils Olav Selåsdal
System Engineer
UtelSystems a/s
Tlf: +47 370 45 431
w w w . u t e l s y s t e m s . c o m
| |
| Tim Pailthorpe 2002-10-08, 12:24 pm |
| Squid proxy server (latest version) will use NT domain authentication so you
can use Squid as a reverse proxy. Messy but it should work.
Alternatively (I haven't got a clue if this can be made to work but it is
worth a try), Win2K Domain Controllers run an LDAP server, Apache may be
able to use this for authentication.
Tim.
"Ross" <Ross@nospam.com> wrote in message
news:_dDo9.14794$V21.377501@news...
> Dear there,
> I am going to install an Apache web server on my Linux. Now, I have a
> Windows 2000 Domain Controller running at my network.
> My question is:
> Could I use the Windows domain user authentication for my Apache user
> authentication, so that I don't need to create different user account for
> each user? And how if could?
> Any help would be appreciated.
> Thank you in advance.
> Ross
>
>
| |
| Joachim Feise 2002-10-08, 3:24 pm |
| Tim Pailthorpe wrote:
> Squid proxy server (latest version) will use NT domain authentication so you
> can use Squid as a reverse proxy. Messy but it should work.
>
> Alternatively (I haven't got a clue if this can be made to work but it is
> worth a try), Win2K Domain Controllers run an LDAP server, Apache may be
> able to use this for authentication.
No need to go through all this trouble. There is an NTLM authentication module
for Apache 1.3.x: http://modntlm.sourceforge.net/
That apparently can authenticate against Samba or NT (I haven't tried it myself
yet, though).
-Joe
| |
| Aix Tom 2002-10-08, 5:24 pm |
| Joachim Feise <jfeise@ics.uci.edu> wrote in
news:anvb80$p6j$1@news.service.uci.edu:
> Tim Pailthorpe wrote:
>> Squid proxy server (latest version) will use NT domain authentication
>> so you can use Squid as a reverse proxy. Messy but it should work.
>>
>> Alternatively (I haven't got a clue if this can be made to work but
>> it is worth a try), Win2K Domain Controllers run an LDAP server,
>> Apache may be able to use this for authentication.
>
> No need to go through all this trouble. There is an NTLM
> authentication module for Apache 1.3.x:
> http://modntlm.sourceforge.net/ That apparently can authenticate
> against Samba or NT (I haven't tried it myself yet, though).
>
> -Joe
>
>
I had a look at it a few weeks back.
The thing that ruled it out for me:
It can only check for NT - USERS, not GROUPS.
Other than that it worked fine.
Tom
--
| |
|
| Microsoft win2k AD is an LDAP but not a standard version.
"Tim Pailthorpe" <tim@!SPAM.hod.co.uk> wrote in message
news:FTDo9.9495$La6.2330@news-binary.blueyonder.co.uk...
> Squid proxy server (latest version) will use NT domain authentication so you
> can use Squid as a reverse proxy. Messy but it should work.
>
> Alternatively (I haven't got a clue if this can be made to work but it is
> worth a try), Win2K Domain Controllers run an LDAP server, Apache may be
> able to use this for authentication.
>
> Tim.
>
>
> "Ross" <Ross@nospam.com> wrote in message
> news:_dDo9.14794$V21.377501@news...
> > Dear there,
> > I am going to install an Apache web server on my Linux. Now, I have a
> > Windows 2000 Domain Controller running at my network.
> > My question is:
> > Could I use the Windows domain user authentication for my Apache user
> > authentication, so that I don't need to create different user account for
> > each user? And how if could?
> > Any help would be appreciated.
> > Thank you in advance.
> > Ross
> >
> >
>
>
| |
| Linux_Hawk 2002-10-08, 8:27 pm |
| I believe that the new version of SAMBA will support what you want to do.
Check on the SAMBA site.
| |
| Marcel Weber 2002-10-14, 8:24 pm |
| Hi
auth_ldap works perfectly with apache and win2000. There are just some
small caveats: Windows 2000 wants a user with a valid account to connect
to the ldap server. I created a user ldapuser, that hasn't any rights in
the domain to achieve this.
I'm using this setup for 3 months now on our company's intranet.
The modules you need are: (on debian woody)
libapache_auth_ldap
In the httpd.conf put the following lines:
-----
<snip>
#httpd.conf
LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so
<Location />
Order allow,deny
allow from x.x.x.x
AuthType Basic
AuthName "Intranet"
# This is for connecting to the AD. YOUR_AD_LDAP_USER MUST be a valid AD user and be located
# somewhere in the OU hierarchy.
AuthLDAPBindDN "CN=YOUR_AD_LDAP_USER,OU=OUSystem,OU=OUAnotherLevel,DC=foo,DC=msft"
AuthLDAPBindPassword "xyz"
# This is the actual query. The memberOf part is not necessary; it is an example of how to check group memberships.
AuthLDAPUrl ldap://applic1.biomed.msft/dc=biomed,dc=msft?sAMAccountName?sub?(&(objectClass=*)(memberOf=CN=A_VALID_GROUP,OU=OUAN_ORGANISATION,DC=foo,DC=msft))
require valid-user
</Location>
<snip>
-----
Works perfectly AND it has one huge advantage: The SMB / NTLM authentication does not
work from other network segments, for example from the DMZ. With ldap, no problem at all.
You can authenticate your users even via the internet (is not that good an idea though
as the transfer of the passwords is not too secure ;-) ). Furthermore, auth_ldap
stores the queried credentials in a cache and accelerates the whole authentication
extremely.
Best regards
Marcel
Joachim Feise wrote:
> Tim Pailthorpe wrote:
>
>> Squid proxy server (latest version) will use NT domain authentication
>> so you can use Squid as a reverse proxy. Messy but it should work.
>>
>> Alternatively (I haven't got a clue if this can be made to work but it is
>> worth a try), Win2K Domain Controllers run an LDAP server, Apache may be
>> able to use this for authentication.
>
>
> No need to go through all this trouble. There is an NTLM authentication
> module for Apache 1.3.x: http://modntlm.sourceforge.net/
> That apparently can authenticate against Samba or NT (I haven't tried it
> myself yet, though).
>
> -Joe
>
|
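
Added example (not part of the thread, and not auth_ldap's own code): a small Python sketch that splits the AuthLDAPUrl from the post above into its fields and composes the per-login search filter in the `(&(filter)(attribute=username))` form documented for Apache's LDAP authentication modules. The function names, the RFC 4515 hex escaping and the sample usernames are assumptions made for this illustration.

```python
# Added illustration, not auth_ldap source code.
from urllib.parse import unquote

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("expected an ldap:// or ldaps:// URL")
    host, _, tail = rest.partition("/")
    # Only the first three '?' separate fields; the filter keeps the rest.
    fields = (tail.split("?", 3) + [""] * 3)[:4]
    base, attr, scope, flt = (unquote(f) for f in fields)
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]  # outer parentheses are re-added when composing
    return {
        "host": host,
        "base_dn": base,
        # Defaults are those documented for Apache's LDAP auth modules (assumed here).
        "attribute": attr or "uid",
        "scope": scope or "sub",
        "filter": flt or "objectClass=*",
        # A simple bind over plain ldap:// carries the password unencrypted.
        "tls": scheme == "ldaps",
    }

def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal value."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def user_search_filter(cfg, username):
    """Compose (&(filter)(attribute=username)) for one login attempt."""
    return "(&(%s)(%s=%s))" % (
        cfg["filter"], cfg["attribute"], escape_filter_value(username))

# The AuthLDAPUrl from the post, joined back onto one line.
POSTED_URL = (
    "ldap://applic1.biomed.msft/dc=biomed,dc=msft?sAMAccountName?sub?"
    "(&(objectClass=*)(memberOf=CN=A_VALID_GROUP,OU=OUAN_ORGANISATION,DC=foo,DC=msft))")

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(POSTED_URL)
    print(cfg)
    print(user_search_filter(cfg, "ross"))        # constructed username
    print(user_search_filter(cfg, "j.smith(*)"))  # metacharacters stay literal
```

The `tls` field is False for the posted URL, which is the password-transfer caveat the post mentions: the bind to the domain controller is only encrypted with ldaps:// or StartTLS, and the browser-to-Apache leg of Basic authentication needs HTTPS separately.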