Single Sign-On with Apache and Active Directory – Part 1
This HowTo will describe how to setup single sign-on authenticationwith Apache and Microsoft Active Directory.Most of you are probably
aware that there is no default/built-in support for automatically
authenticating to an Apache web server using the NTLM header information
passed from the web browser (in most cases Microsoft Internet Explorer)
to the Web Server.Microsoft IIS of course supports this out of the
box but who wants to use IIS?There are as I have found 3 major
solutions for achieving this and I will outline which I picked and why.
First I’ll start by explaining which solution I selected and why.
There are 3 major solutions for this which are mod_ntlm, mod_auth_kerb
and Apache2:AuthenNTLM.I have chosen Apache2:AuthenNTLM.Now as for
the why…I bypassed mod_auth_kerb instantly after reading that it
required a working winbind setup.Keep in mind that I am looking for an
easy quick setup, and configuring winbind first does not fall into that
realm of a quick and easy setup.Next I tried mod_ntlm which seemed to
be very easy to setup and worked well.But there was one catch…If the
browser did not send the NTLM information or correct NTLM information1
the user had to login with the username in the form of DOMAIN\username.
In my experience with applications already in place they did not
require this form of DOMAIN\username.This could be resolved if you
could specify the default domain in mod_ntlm which you cannot.Reading
the documentation for Apache2:AuthenNTLM you could specify the default
domain as well as many other options that are not available in mod_ntlm.
Configuration proved to be a little tricky, but if it weren’t I
wouldn’t be writing this HowTo.Now as you may have noticed from the
naming syntax of Apache2:AuthenNTLM that it is indeed a perl module.
Now as we are using Apache2:AuthenNTLM it will require mod_perl2 which
is not included with CentOS4 or RHEL4.
Now for the HowTo:
1) Start by installing Apache and mod_perl by issuing the following commands:
shell> yum install httpd
shell> wget http://sivel.net/repo/i386/mod_perl-2.0.3-1.el4.sn.i386.rpm
shell> rpm -Uvh mod_perl-2.0.3-1.el4.sn.i386.rpm
2) Next we need to install the Apache2:AuthenNTLM module
shell> wget http://sivel.net/repo/i386/perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm
shell> rpm -Uvh perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm
3) Now we need to configure Apache to use Apache2:AuthenNTLM
shell> cd /etc/httpd/conf.d
shell> touch ntlm.conf
shell> vi ntlm.conf
[*]Add the following information:
<location
/
directory
>
# Change this to the directory you wish to protect. Can be /
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Basic
require valid-user
# domain pdc bdc
PerlAddVar ntdomain "DOMAIN dc1 dc2" # Change DOMAIN to the netbios name of your domain. Change dc1 and dc2 to the hostnames of the domain controllers for your domain. dc2 is not required if your setup does not have a dc2.
PerlSetVar defaultdomain DOMAIN # Change DOMAIN to the netbios name of your domain
PerlSetVar splitdomainprefix 1
</location>
shell> vi /etc/httpd/conf/httpd.conf
Find ‘KeepAlive Off’ and change it to ‘KeepAlive On’
4) Now we need to modify /etc/resolv.conf
shell> vi /etc/resolv.conf
[*] We need to make sure that it looks like the following:
search domain.lan
nameserver 10.0.0.1
nameserver 10.0.0.2
[*]Where domain.lan is your Active Directory domain name and the
nameservers are the name servers for your Active Directory (usually the
domain controllers)
5) Let’s start Apache
shell> /etc/init.d/httpd start
6) Let’s setup a simple test page that will utilize the server environment variable that AuthenNTLM sets.
shell> cd /path/set/in/step/3
shell> touch index.php
shell> vi index.php
[*]Insert the following information:
<?
php
echo
"You have logged in as <b>"
.
$_SERVER
[
'REMOTE_USER'
]
.
"</b>;"
;
?>
[*]If you do not see your username then you don’t have something in
step 3 setup correctly.If you get a login prompt check the footnotes
below.
Part 2
Footnotes
1. Getting a login prompt can be caused by using Firefox with the
default configuration, not being logged on in the domain that you are
attempting to authenticate against, or not having the site listed in the
Local Intranet security zone in Internet Explorer.Or worst of all you
could have mis configured something in step 3.You can turn on debug
information by adding ‘PerlSetVar ntlmdebug 2′ to step 3.Debugging
will log to /var/log/httpd/error_log.
页:
[1]