Automatically authenticating windows users on an apache/Linux server

Question

If I wanna authenticate windows accounts to AD when a user browses to an apache-running site on a Linux server, here are the usual suspects:  

• List item
• mod_ntlm (which I used in a distant past) - last update on 2003
• mod_auth_ntlm_winbind - last update on 04/2007
• mod_auth_kerb - last update on 12/2008

No luck getting any of those to work with a recent, fully patched, windows 2000 AD server.

Do you have any clues as to a recipe that does work? 

-Peter

-- UPDATE

my current build environment is this:

• OS: Ubuntu Lucid
• Apache 2.2.14 (from repos)

the auth modules I recompiled from source.

Answer 1

LDAP. Active Directory should speak the LDAP protocol well enough (although, I believe Novell's eDirectory sticks to the spec better) that you can use LDAP authentication setups to communicate with it. It'll be a lot easier than fussing around with the Windows-centric NTLM garbage.

See this site for an example:
http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_with_microsoft_active_directory/

The other, likely costly option, is to invest in an identity manager product. Novell, Sun (now Oracle), and IBM all make one. I suspect that, unless you're designing something for a mid-size corporate project, you won't need these. But, they are an option to consider.

Answer 2

Did you just try to drop binary modules onto an existing apache binary, or did you rebuild Apache and the modules from source on your system?

The last time I did this (admittedly 3+ years ago), I found a combination of Apache+mod_ntlm that worked, but I ended up using a less-than-current version of Apache, in order to match the version of mod_ntlm that I found. My conclusion at the time was that if I wanted current, I was going to have to rebuild Apache and mod_ntlm from source, and I didn't have the time to do that.

Unfortunately, that was two jobs ago, and I don't have access to the configuration details.