John Hosie wrote:
Is there any module for Apache that will help in performing authentication/authorization
on web services using an Active Directory "registry"? In our environment, when
a user logs into their Windows workstation through Active Directory, I understand they
are given a Kerberos ticket. I understand that there is a way for this ticket to be
passed (through client application code, sent with a URL) to the Apache server module
that is providing the service used by the user. I understand that there should be a way
to use that ticket to 1) ensure that the user is who they say they are; 2) check to see
if the user is in the group (arbitrary) that is allowed to come to this application. I've
also been told that using LDAP to go to Active Directory is the right way to do the
server side (Linux based) functions, while the Windows environment has their own way to
put the client side together.
Is there an example of how to do this somewhere in C code?
What packages need to be installed on the server?

mod_auth_kerb will let you authenticate an Active Directory user,
assuming you have everything set up correctly (warning, it's a fairly
steep learning curve).
I don't know how to test for group membership with that module, but you
might be able to additionally use mod_authnz_ldap (require-group) to
accomplish that.
- Dan
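
An added configuration sketch, not part of the original thread, showing how the two modules named in the reply can be combined on Apache 2.4: mod_auth_kerb authenticates the ticket and mod_authnz_ldap's `Require ldap-group` checks group membership in Active Directory. The realm, host names, keytab path, service account, group DN and the `/app` location are all placeholder assumptions, and it assumes each user's userPrincipalName equals the Kerberos principal.

```apache
# Added example (Apache 2.4 syntax). Every name below is a placeholder.
<Location "/app">
    # --- Authentication: Kerberos/SPNEGO via mod_auth_kerb ---
    AuthType Kerberos
    AuthName "Active Directory login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    # Keytab for HTTP/www.example.com@EXAMPLE.COM; keep it readable
    # only by the account Apache runs as.
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate On
    # No fallback to Basic auth, so the AD password is never sent to
    # this server; only the ticket is accepted.
    KrbMethodK5Passwd Off

    # --- Authorization: group lookup via mod_authnz_ldap ---
    # REMOTE_USER arrives as user@EXAMPLE.COM, so search on
    # userPrincipalName (assumed to match the Kerberos principal).
    # ldaps:// keeps the bind password and lookups off the wire in clear.
    AuthLDAPURL "ldaps://dc1.example.com:636/dc=example,dc=com?userPrincipalName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=svc-apache,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # Only direct members of this group are allowed in.
    Require ldap-group cn=app-users,ou=Groups,dc=example,dc=com
</Location>
```

With these defaults only direct group membership is checked, and the bind account needs nothing more than read access to user and group objects.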