On Thu, Aug 14, 2008 at 2:02 PM, Dan White <[EMAIL PROTECTED]> wrote:
> John Hosie wrote:
>>
>> Is there any module for Apache that will help in performing
>> authentication/authorization on web services using an Active Directory
>> "registry"? In our environment, when a user logs into their Windows
>> workstation through Active Directory, I understand they are given a Kerberos
>> ticket. I understand that there is a way for this ticket to be passed
>> (through client application code, sent with a URL) to the Apache server
>> module that is providing the service used by the user. I understand that
>> there should be a way to use that ticket to 1) ensure that the user is who
>> they say they are; 2) check to see if the user is in the group (arbitrary)
>> that is allowed to come to this application. I've also been told that using
>> LDAP to go to Active Directory is the right way to do the server side (Linux
>> based) functions, while the Windows environment has their own way to put the
>> client side together.
>> Is there an example of how to do this somewhere in C code?
>> What packages need to be installed on the server?
>>
>
> mod_auth_kerb will let you authenticate an Active Directory user, assuming
> you have everything set up correctly (warning, it's a fairly steep learning
> curve).
>

There's also mod_spnego
(http://sourceforge.net/project/showfiles.php?group_id=82781), which works
on Unix and Windows.

> I don't know how to test for group membership with that module, but you
> might be able to additionally use mod_authnz_ldap (require-group) to
> accomplish that.
>
> - Dan
>

--
César L. B. Silveira
http://www.cesarbs.org/blog
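
The combination suggested in the thread (mod_auth_kerb for authentication, mod_authnz_ldap for the group check), sketched as an Apache configuration. This is an added example, not part of the original messages; the realm, hostnames, paths, bind account and group DN are constructed placeholders, and it assumes each user's userPrincipalName matches their Kerberos principal.

```apache
# Added example: constructed values throughout (EXAMPLE.COM, dc1.example.com,
# /ws, the keytab path, the bind account and the group DN are placeholders).
<Location /ws>
    # Authentication: mod_auth_kerb validates the Kerberos ticket the client
    # sends via HTTP Negotiate (SPNEGO).
    AuthType Kerberos
    AuthName "Web services"
    KrbMethodNegotiate On
    # No fallback to password prompts, which would send the AD password
    # to the web server on every request.
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    # Keytab holding the key for HTTP/<server fqdn>@EXAMPLE.COM;
    # keep it readable by the Apache user only.
    Krb5KeyTab /etc/apache2/http.keytab

    # Authorization: mod_authnz_ldap searches for the authenticated principal
    # (user@EXAMPLE.COM) by userPrincipalName, then checks group membership.
    # ldaps:// keeps the service account's bind password off the wire.
    AuthLDAPURL "ldaps://dc1.example.com/DC=example,DC=com?userPrincipalName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"
    Require ldap-group CN=ws-users,OU=Groups,DC=example,DC=com
</Location>
```

The bind account needs read access to user and group objects only, and the file holding its password should not be world-readable.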
