Adriano Varoli Piazza

Reputation: 7429

How to obtain AD user credentials from computer with Apache, PHP and LDAP

We're trying to implement a single-sign-on solution that integrates AD and a PHP web application. When a user tries to access the intranet website, this is what should happen:

This is all meant to work only within an intranet. Outside it, we just display a login form.

We're somewhat stumped with this process. From other sources, we configured Apache with the following directives, but were ultimately unsuccessful, with an internal server error message and nothing on the error logs.

<Location "/">
    # Needs mod_ldap and mod_authnz_ldap loaded (LoadModule), otherwise the
    # AuthBasicProvider line is rejected. Apache 2.2 syntax is kept here
    # (Order/Allow, AuthzLDAPAuthoritative).
    # Options must be either all prefixed with +/- or none at all; mixing the
    # two forms is a syntax error at startup.
    Options -Indexes +MultiViews +FollowSymLinks
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "VALIDAUTHNAME"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative   Off
    # Search base and bind DN must name the same domain;
    # DC=MYCOMPANY,DC=MYCOUNTRY is a placeholder for the real one.
    AuthLDAPURL "ldap://IP.FOR.THE.SERVER:389/DC=MYCOMPANY,DC=MYCOUNTRY?sAMAccountName?sub?(objectClass=*)"
    # AD rejects anonymous searches by default, so bind with a low-privilege
    # service account (placeholder DN and password). The password is stored in
    # clear, so keep this file readable by root only.
    AuthLDAPBindDN "CN=svc-apache,CN=Users,DC=MYCOMPANY,DC=MYCOUNTRY"
    AuthLDAPBindPassword "CHANGEME"
    Require ldap-attribute gidNumber=10000
</Location>

Is there a clear explanation of the process we have to implement? We've read lots of stuff about the inverse process, passing credentials to AD, but not much about this case. Our sysadmins aren't really experienced in this, so they aren't of much help.

Upvotes: 2

Views: 5145

Answers (1)

G-Nugget

Reputation: 8836

A few months ago, I did exactly what you're trying to do with mod_auth_ntlm_winbind. The configuration of it isn't very difficult, but it helps to be familiar with winbind. Your sysadmins should be able to help with that if you aren't. winbind is a part of the samba package, so it's probably already installed on your server. Once you get winbind set up, you just need to enable the apache module and do a little bit of configuration. The site for the module should be able to guide you through it. When I originally set this up, I tested it with IE8, Chrome, and an older version of Firefox (5 or 6 maybe) and they all natively support the NTLM authentication. If everything is configured and working correctly, the apache module will automagically fill $_SERVER['PHP_AUTH_USER'] with the user name without needing any interaction with the user and you can do whatever you want to with it from there. There is a lot more documentation available now and even with the lacking documentation before, I only had one major problem for which a fix is now well documented.

Upvotes: 1
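The PHP side of what the answer describes, as an added example (not code from the question, the answer, or the winbind module): the application trusts the user name only when Apache itself placed it in REMOTE_USER or PHP_AUTH_USER after the NTLM exchange, never from a client-supplied HTTP_* header, and it only does so for requests from the intranet; everything else falls back to the login form. The intranet address ranges, the DOMAIN\user and user@realm formats, and the /login.php path are assumptions, and the sample $_SERVER arrays at the bottom are constructed for the demo.

```php
<?php
// Added example, not part of the original question or answer.
declare(strict_types=1);

// Assumption: the intranet is RFC 1918 space plus loopback. Adjust to the real ranges.
const INTRANET_CIDRS = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];

/** True when the IPv4 address $ip lies inside $cidr. Non-IPv4 input counts as outside. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = ((int)$bits === 0) ? 0 : ((-1 << (32 - (int)$bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isIntranetRequest(array $server): bool
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    foreach (INTRANET_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the bare AD account name (sAMAccountName) verified by the Apache auth
 * module, or null when the app should show its own login form instead.
 *
 * Only REMOTE_USER / PHP_AUTH_USER are consulted: Apache sets these itself once
 * the module has authenticated the browser. Anything under HTTP_* is copied
 * from request headers and could be forged by the visitor, so it is ignored.
 */
function ssoUser(array $server): ?string
{
    if (!isIntranetRequest($server)) {
        return null;
    }
    $raw = $server['REMOTE_USER'] ?? $server['PHP_AUTH_USER'] ?? '';
    if ($raw === '') {
        return null;
    }
    // winbind-style "DOMAIN\user" or "DOMAIN+user" -> "user"
    if (preg_match('~^[^\\\\+@]+[\\\\+](.+)$~', $raw, $m)) {
        $raw = $m[1];
    } elseif (($at = strpos($raw, '@')) !== false) {
        // Kerberos/SSPI-style "user@REALM" -> "user"
        $raw = substr($raw, 0, $at);
    }
    // sAMAccountName is at most 20 characters; allow only a conservative charset
    // so the value is safe to use in LDAP filters, file names and log lines.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $raw)) {
        return null;
    }
    return strtolower($raw);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests for an offline run.
    $cases = [
        'intranet, winbind'        => ['REMOTE_ADDR' => '10.1.2.3', 'REMOTE_USER' => 'MYCOMPANY\\jdoe'],
        'intranet, kerberos style' => ['REMOTE_ADDR' => '192.168.5.9', 'PHP_AUTH_USER' => 'JDoe@MYCOMPANY.LOCAL'],
        'forged header only'       => ['REMOTE_ADDR' => '10.1.2.3', 'HTTP_REMOTE_USER' => 'MYCOMPANY\\admin'],
        'outside the intranet'     => ['REMOTE_ADDR' => '203.0.113.7', 'REMOTE_USER' => 'MYCOMPANY\\jdoe'],
    ];
    foreach ($cases as $label => $server) {
        printf("%-26s => %s\n", $label, ssoUser($server) ?? 'null (show login form)');
    }
} else {
    // Web usage: assumed fallback form lives at /login.php.
    $user = ssoUser($_SERVER);
    if ($user === null) {
        header('Location: /login.php');
        exit;
    }
    session_start();
    $_SESSION['user'] = $user;
}
```

Run from the command line it prints jdoe for the first two constructed requests and null for the forged-header and external ones. Lower-casing the name matters because AD matches sAMAccountName case-insensitively while a PHP session or database key usually does not, so "JDoe" and "jdoe" would otherwise become two different application users.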
