Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Dev

Integrated Authentication

  

 
Apache dev RSS feed   Index | Next | Previous | View Threaded


stateri at gmail

Apr 12, 2006, 1:37 PM

Post #1 of 5 (3575 views)
Permalink
Integrated Authentication
Hi,

Is there any way to do Apache HTTP Server recognize the users of
Operation System and put it in a System Variable, like IIS with Integrated
Authentication ? (IIS put Windows logged User in the REMOTE_USER cgi
variable).

thanks in advance for any help,

Sergio Stateri Jr.
stateri[at]gmail.com


tnelson at onresolve

Apr 12, 2006, 2:11 PM

Post #2 of 5 (3517 views)
Permalink
RE: Integrated Authentication [In reply to]
You're after NTLM support. There's a module floating around out there
named 'mod_auth_sspi' that does this, although it can be a bit hard to
track down (see
http://www.gknw.at/development/apache/httpd-2.0/win32/modules/).

Once loaded, set up a directive like this:

<IfModule mod_auth_sspi.c>
Alias /foo "C:/bar/foo"
<Location /foo-auth>
AuthName "Please Enter Your Logon Details"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIBasicPreferred Off
require valid-user
</Location>
</IfModule>

By default, if the user uses IE, it'll automatically pick their details
up without requiring them to log in. If they're using Firefox or some
other browser that doesn't support NTLM, they'll have to log in manually
with their Windows domain credentials.

I've only ever used this from a Perl handler, so I'm not entirely sure
what exactly in the request that it sets (perhaps someone could
clarify?), but from the Perl handler, the login name was accessible from
$r->user(). Note that the format includes the domain as well, i.e.
'LIME\tnelson'.

Actually, I'd be interested to hear if anyone used this in conjunction
with mod_jk, such that the user's Windows domain login name was
available by the time it got to a servlet via
request.getUserPrincipalName() or something. Anyone done that? The
"Java" approach for enabling NTLM support w/ Tomcat directly seems
nasty.


Trent.


________________________________

From: Sergio Stateri [mailto:stateri[at]gmail.com]
Sent: 12 April 2006 21:37
To: dev[at]httpd.apache.org
Subject: Integrated Authentication



Hi,

Is there any way to do Apache HTTP Server recognize the users
of Operation System and put it in a System Variable, like IIS with
Integrated Authentication ? (IIS put Windows logged User in the
REMOTE_USER cgi variable).

thanks in advance for any help,

Sergio Stateri Jr.
stateri[at]gmail.com


jessh at ptc

Apr 12, 2006, 2:24 PM

Post #3 of 5 (3516 views)
Permalink
Re: Integrated Authentication [In reply to]
This seemed to work fine last I tried it (with mod_jk).

Trent Nelson wrote:
> You're after NTLM support. There's a module floating around out there
> named 'mod_auth_sspi' that does this, although it can be a bit hard to
> track down (see
> http://www.gknw.at/development/apache/httpd-2.0/win32/modules/).
>
> Once loaded, set up a directive like this:
>
> <IfModule mod_auth_sspi.c>
> Alias /foo "C:/bar/foo"
> <Location /foo-auth>
> AuthName "Please Enter Your Logon Details"
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIOfferBasic On
> SSPIBasicPreferred Off
> require valid-user
> </Location>
> </IfModule>
>
> By default, if the user uses IE, it'll automatically pick their details
> up without requiring them to log in. If they're using Firefox or some
> other browser that doesn't support NTLM, they'll have to log in manually
> with their Windows domain credentials.
>
> I've only ever used this from a Perl handler, so I'm not entirely sure
> what exactly in the request that it sets (perhaps someone could
> clarify?), but from the Perl handler, the login name was accessible from
> $r->user(). Note that the format includes the domain as well, i.e.
> 'LIME\tnelson'.
>
> Actually, I'd be interested to hear if anyone used this in conjunction
> with mod_jk, such that the user's Windows domain login name was
> available by the time it got to a servlet via
> request.getUserPrincipalName() or something. Anyone done that? The
> "Java" approach for enabling NTLM support w/ Tomcat directly seems
> nasty.
>
>
> Trent.
>
>
> ________________________________
>
> From: Sergio Stateri [mailto:stateri[at]gmail.com]
> Sent: 12 April 2006 21:37
> To: dev[at]httpd.apache.org
> Subject: Integrated Authentication
>
>
>
> Hi,
>
> Is there any way to do Apache HTTP Server recognize the users
> of Operation System and put it in a System Variable, like IIS with
> Integrated Authentication ? (IIS put Windows logged User in the
> REMOTE_USER cgi variable).
>
> thanks in advance for any help,
>
> Sergio Stateri Jr.
> stateri[at]gmail.com
>
>
>


wrowe at rowe-clan

Apr 12, 2006, 3:28 PM

Post #4 of 5 (3514 views)
Permalink
Re: Integrated Authentication [In reply to]
Sergio Stateri wrote:
>
> Is there any way to do Apache HTTP Server recognize the users of
> Operation System and put it in a System Variable, like IIS with
> Integrated Authentication ? (IIS put Windows logged User in the
> REMOTE_USER cgi variable).

For Windows this is correct, you can use IE with NTLM/mod_auth_sspi.

But for non-Windows or non-IE clients - the answer is no, that's not
something that the web browser will typically divulge.


carsten_sttgt at gmx

Apr 12, 2006, 4:20 PM

Post #5 of 5 (3516 views)
Permalink
Re: Integrated Authentication [In reply to]
William A. Rowe, Jr. schrieb:

> Sergio Stateri wrote:
> >
> > Is there any way to do Apache HTTP Server recognize the users of
> > Operation System and put it in a System Variable, like IIS with
> > Integrated Authentication ? (IIS put Windows logged User in the
> > REMOTE_USER cgi variable).
>
> For Windows this is correct, you can use IE with NTLM/mod_auth_sspi.
>
> But for non-Windows or non-IE clients - the answer is no, that's not
> something that the web browser will typically divulge.

That's not complete correct. It gives still more browser than the IE, which
supports NTLM on Windows. For example Firefox. And Firefox can handle
automatic ntlm authentification too.
On a *nix server you can use mod_ntlm(2) to handle NTLM.So the only need is
the right Windows client. Other clients can fallback to auth basic and must
provide the credentials manually (or with kerberos).Regards,Carsten

Apache dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.