Reputation: 7429
We're trying to implement a single-sign-on solution that integrates AD and a PHP web application. When a user tries to access the intranet website, this is what should happen:
This is all meant to work only within an intranet. Outside it, we just display a login form.
We're somewhat stumped with this process. From other sources, we configured Apache with the following directives, but were ultimately unsuccessful, with an internal server error message and nothing in the error logs.
<Location "/">
    # Either every Option carries a +/- prefix or none does; mixing them is a syntax error
    # (one possible cause of a 500 with nothing useful logged)
    Options -Indexes +MultiViews +FollowSymLinks
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "VALIDAUTHNAME"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL "ldap://IP.FOR.THE.SERVER:389/DC=MYCOMPANY,DC=CL?sAMAccountName?sub?(objectClass=*)"
    # Active Directory refuses anonymous searches: bind as a low-privilege service account
    # (placeholder DN below), not as the domain base DN, and supply its password.
    # The base DN must also match the one in AuthLDAPURL.
    AuthLDAPBindDN "CN=ldap-bind-account,CN=Users,DC=MYCOMPANY,DC=CL"
    AuthLDAPBindPassword "PLACEHOLDER-PASSWORD"
    Require ldap-attribute gidNumber=10000
</Location>
Is there a clear explanation of the process we have to implement? We've read lots of stuff about the inverse process, passing credentials to AD, but not much about this case. Our sysadmins aren't really experienced in this, so they aren't of much help.
Upvotes: 2
Views: 5145
Reputation: 8836
A few months ago, I did exactly what you're trying to do with mod_auth_ntlm_winbind. The configuration of it isn't very difficult, but it helps to be familiar with winbind. Your sysadmins should be able to help with that if you aren't. winbind is a part of the samba package, so it's probably already installed on your server. Once you get winbind set up, you just need to enable the apache module and do a little bit of configuration. The site for the module should be able to guide you through it. When I originally set this up, I tested it with IE8, Chrome, and an older version of Firefox (5 or 6 maybe) and they all natively support the NTLM authentication. If everything is configured and working correctly, the apache module will automagically fill $_SERVER['PHP_AUTH_USER'] with the user name without needing any interaction with the user and you can do whatever you want to with it from there. There is a lot more documentation available now and even with the lacking documentation before, I only had one major problem for which a fix is now well documented.
Upvotes: 1
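The PHP side of what the answer describes, as an added example (not code from the original post or from mod_auth_ntlm_winbind): the application accepts the identity the Apache module put into the request only for intranet clients and otherwise falls back to the login form. The intranet ranges, the `sso_user` helper and the sample requests are assumptions.

```php
<?php
// Added example (not from the original post). The identity arrives from the
// Apache module as REMOTE_USER / PHP_AUTH_USER; the app must decide whether
// to trust it. Intranet ranges and the sample requests are constructed.

/** True when $ip lies inside one of the IPv4 CIDR ranges in $cidrs. */
function ip_in_ranges(string $ip, array $cidrs): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = $bits === '0' ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if ((ip2long($net) & $mask) === ($addr & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Return the SSO user name, or null when the login form must be shown.
 * $server is $_SERVER (or a constructed copy, as in the samples below).
 */
function sso_user(array $server, array $intranet): ?string
{
    // Trust the module-supplied identity only for intranet clients; outside
    // it the module is not in play and a header value must not be believed.
    if (!ip_in_ranges($server['REMOTE_ADDR'] ?? '', $intranet)) {
        return null;
    }
    $raw = $server['REMOTE_USER'] ?? $server['PHP_AUTH_USER'] ?? '';
    // NTLM identities look like DOMAIN\user (or DOMAIN+user); keep the user part.
    $user = preg_replace('/^[^\\\\+]+[\\\\+]/', '', $raw);
    // Accept only sAMAccountName-shaped values before using them in queries or logs.
    return preg_match('/^[A-Za-z0-9._-]{1,20}$/', $user) ? $user : null;
}

// Constructed sample requests: one from the intranet, one from outside.
$intranet = ['10.0.0.0/8', '192.168.0.0/16'];
$inside  = ['REMOTE_ADDR' => '10.1.2.3',    'REMOTE_USER' => 'MYCOMPANY\\jdoe'];
$outside = ['REMOTE_ADDR' => '203.0.113.5', 'REMOTE_USER' => 'MYCOMPANY\\jdoe'];
var_dump(sso_user($inside, $intranet));
var_dump(sso_user($outside, $intranet));
```

When `sso_user` returns null the application renders its normal login form instead of creating a session from the header.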