Automatically authenticating windows users on an apache/Linux server
If I wanna authenticate windows accounts to AD when a user browses to an apache-running site on a Linux server, here are the usual suspects:
- List item
- mod_ntlm (which I used in a distant past) - last update on 2003
- mod_auth_ntlm_winbind - last update on 04/2007
- mod_auth_kerb - last update on 12/2008
No luck getting any of those to work with a recent, fully patched, windows 2000 AD server.
Do you have any clues as to a recipe that does work?
my current build environment is this:
- OS: Ubuntu Lucid
- Apache 2.2.14 (from repos)
the auth modules I recompiled from source.
Did you just try to drop binary modules onto an existing apache binary, or did you rebuild Apache and the modules from source on your system?
The last time I did this (admittedly 3+ years ago), I found a combination of Apache+mod_ntlm that worked, but I ended up using a less-than-current version of Apache, in order to match the version of mod_ntlm that I found. My conclusion at the time was that if I wanted current, I was going to have to rebuild Apache and mod_ntlm from source, and I didn't have the time to do that.
Unfortunately, that was two jobs ago, and I don't have access to the configuration details.
LDAP. Active Directory should speak the LDAP protocol well enough (although, I believe Novell's eDirectory sticks to the spec better) that you can use LDAP authentication setups to communicate with it. It'll be a lot easier than fussing around with the Windows-centric NTLM garbage.
See this site for an example: http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_with_microsoft_active_directory/
The other, likely costly option, is to invest in an identity manager product. Novell, Sun (now Oracle), and IBM all make one. I suspect that, unless you're designing something for a mid-size corporate project, you won't need these. But, they are an option to consider.