Seamless Authentication

Seamless authentication, or Single Sign On (SSO), refers to the browser doing the authentication automatically for the user. No password is sent across the wire, they're all hashes (it's Samba voodoo). The protocol Microsoft uses to provide seamless browser authentication in a Windows domain is called NTLM. More information on NTLM and the associated technologies is available at Wikipedia. Both Microsoft Internet Explorer and Mozilla Firefox readily support NTLM. There are hundreds of ways to do LDAP authentication and just as many Apache modules, but the adLDAP project only covers open source modules and methods that authenticate automatically for the user without the need for third party plugins on the client side. The seamless authentication methods covered here are described in the sections below.
mod_auth_ntlm_winbind is the only known production standard solution to this problem. It's not a complete solution though: mod_auth_ntlm_winbind will only give you the logged in user and basic access control to the folder. mod_auth_ntlm_winbind can be used to determine the username of the user, and adLDAP can then be used to interact with Active Directory based on the needs of the application (eg. group membership, AD manipulation, etc). There is a forum available on Sourceforge for discussion of these topics (particularly mod_auth_ntlm_winbind).

mod_auth_ntlm_winbind

mod_auth_ntlm_winbind is a project coming out of the wonderful world of Samba. Basically mod_auth_ntlm_winbind has taken the reins from Mod_NTLM because they're probably the most qualified to do so :) It's not a five-second answer, but the configuration effort is unavoidable and it does work.
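The hand-off this section describes (mod_auth_ntlm_winbind supplies the username, the application takes it from there) combined with the HTTP-to-HTTPS bounce from the fine print below, as an added PHP example that is not adLDAP's or mod_auth_ntlm_winbind's own code. The script location, CANONICAL_HOST and the "return" query parameter are assumptions.

```php
<?php
// Added example, not code from adLDAP or mod_auth_ntlm_winbind.
// Assumes this script sits under an Apache Location protected by
// mod_auth_ntlm_winbind and is requested over plain HTTP, as the
// HTTP/HTTPS redirect note on this page describes. The module places the
// identity in REMOTE_USER (IIS uses LOGON_USER); CANONICAL_HOST is assumed.
const CANONICAL_HOST = 'intranet.example'; // placeholder host name

// Normalise "DOMAIN\user" or "user@domain" to a bare account name, or
// return null when the value is missing or not a plausible sAMAccountName.
function seamless_username(array $server): ?string
{
    $raw = $server['REMOTE_USER'] ?? $server['LOGON_USER'] ?? '';
    if (($pos = strrpos($raw, '\\')) !== false) {
        $raw = substr($raw, $pos + 1);         // DOMAIN\user -> user
    } elseif (($pos = strpos($raw, '@')) !== false) {
        $raw = substr($raw, 0, $pos);          // user@domain -> user
    }
    // Restrict the character set: this name is later fed to LDAP queries
    // (adLDAP builds search filters from it), so reject filter metacharacters.
    return preg_match('/^[A-Za-z0-9._-]{1,64}\z/', $raw) ? strtolower($raw) : null;
}

// Only accept a relative, single-slash path for the bounce back to HTTPS,
// so the "return" parameter cannot become an open redirect.
function safe_return_path(?string $candidate): string
{
    if ($candidate === null || !preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $candidate)) {
        return '/';
    }
    return $candidate;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $user = seamless_username($_SERVER);
    if ($user === null) {
        http_response_code(403);
        exit('NTLM authentication did not yield a usable username.');
    }
    // The session cookie is necessarily issued over plain HTTP here, which is
    // the weak point of this scheme: regenerate the id and keep its lifetime short.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;  // the HTTPS side reads this and calls adLDAP for groups
    $target = 'https://' . CANONICAL_HOST . safe_return_path($_GET['return'] ?? null);
    header('Location: ' . $target, true, 302);
    exit;
}
```

The HTTPS side reads $_SESSION['user'] and hands it to adLDAP for group membership checks; the exposure of the session id over plain HTTP is inherent to the redirect scheme, which is why it should be a short-lived session used only for this hand-off.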
The fine print: mod_auth_ntlm_winbind does not work over HTTPS. You need to header redirect users to HTTP for authentication, and then header redirect them back into HTTPS.

mod_auth_kerb

mod_auth_kerb information is incomplete; people are encouraged to contribute to this area.
The fine print: mod_auth_kerb requires you to set up an AD user account with ticket delegation authority for each HTTP domain (eg. if there are 10 domains on the web server, you will need to set up 10 user accounts).
More information on mod_auth_kerb is available at the project website http://modauthkerb.sourceforge.net/

Apache on Windows with mod_auth_sspi

mod_auth_sspi can provide seamless authentication for Apache on Windows. It's relatively undocumented though and we haven't tried it, so please refer to http://mod-auth-sspi.sourceforge.net/ for more information.

IIS/PHP

Format the machine and install Linux (recommended), or remove anonymous access from the directory with the IIS management console; the username is then available as $_SERVER["LOGON_USER"]. Seamless authentication with Apache on Windows can be achieved with mod-auth-sspi.

Token Authentication with IIS

IIS and NTLM authentication "just work". If _you_ can't skin the cat, find someone else to do it for you. This was really a round-about solution until mod_auth_ntlm_winbind was released. This is a basic breakdown. Although most people wouldn't use it in production anymore, it's an interesting way of doing authentication.
Mod_NTLM

Mod_NTLM works, but only some of the time when you're using it in a Windows 2000 or above environment, although it probably works quite well for NT4. There's some issue that prevents it working _every_ time, and when it doesn't authenticate correctly, the user gets a username/password/domain login dialogue. The user keeps putting in their password and you start getting account lockouts, and even when you unlock it you may still not get them in. This may not be Mod_NTLM's fault; I (scott) suspect it's some problem caused by Internet Explorer's header authentication changing between versions, but either way it's not something you could put in production. The Mod_NTLM project appears to be deprecated by mod_auth_ntlm_winbind. Mod_NTLM is available at http://modntlm.sourceforge.net.