Question

We have a Perl app which runs under Apache on Solaris using CGI::Application. That's all running fine. We'd like to get access to the USER_ID variable passed by the IE browser, and do some Database queries and LDAP queries.

I've looked at the Apache documentation and I can't figure out how to achieve this. We don't have internet access (it's an intranet) from the solaris servers so we need to compile everything ourselves.

Does anyone have a check list (or tutorial) of what Apache needs (modules/plugins) in order to achieve this, and how it should be configured?


Solution

There are mod_ntlm and mod_ldap plugins for apache which you can use to authenticate.

In your case, I'd assume that you actually do want to use mod_ntlm and ldap or "active directory" is only its backend?

Here's a tutorial that covers the setting up phase: http://sivel.net/2007/05/sso-apache-ad-1/

The compilation phase in the tutorial is aimed at an RPM-based Linux platform, but TWiki has some more info about compiling for Solaris 10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b

Other tips

NTLM Winbind

I use the module auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) on our server. You need to have Samba and winbind installed, properly configured and running.

You can download the module from the Samba project tree:

git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git

In order to authenticate users via NTLM you have to add the following directives to your directory settings:

<Directory /srv/http>
    Allow from all
    AuthName "NTLM Authentication thingy"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    AuthType NTLM
    require valid-user
    AllowOverride all
</Directory>

Of course you need to load the module, too:

LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so

The Windows user account is passed to the application as the REMOTE_USER:

#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $query = CGI->new;
# Apache sets REMOTE_USER in the CGI environment once the auth module
# has accepted the request; CGI.pm exposes it through remote_user().
my $windows_account = $query->remote_user();

Note that IE only sends the user authentication data to trusted sites.

Here's a website with a bit more info on the module.


Direct Authentication via LDAP

Another method is to use the module authnz_ldap_module (mod_authnz_ldap.so). This is probably loaded by default already. Note that this is not true single sign-on as the user is prompted for a password.

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Add this to your directory definition:

<Directory /srv/http>
    AuthName "Authentication required"
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap

    # "protocol://hostname:port/base?attribute?scope?filter" NONE
    # NONE indicates that an insecure connection should be used for LDAP, i.e. port 389
    AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE


    # This is only needed if your LDAP server doesn't allow anonymous binds
    AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
    AuthLDAPBindPassword super-secret

    Require valid-user
    AllowOverride all
</Directory>

More info about the module.
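As an added example (not code from either answer above), here is a minimal CGI::Application run mode that reads the account Apache placed in REMOTE_USER, validates it, and looks the user up in Active Directory with an escaped LDAP filter. The hostname, bind DN, password and base DN are the placeholders from the mod_authnz_ldap config above; Net::LDAP is assumed to be installed.

```perl
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
# Placeholders taken from the config above; replace with your own values.
my $LDAP_HOST = 'your.ldap.server.net';
my $BIND_DN   = 'CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net';
my $BIND_PW   = 'super-secret';
my $BASE_DN   = 'OU=the,OU=search,OU=node,DC=domain,DC=net';

sub setup {
    my $self = shift;
    $self->start_mode('whoami');
    $self->run_modes(whoami => 'whoami');
}

# Return the bare logon name from REMOTE_USER, or undef when the request was
# not authenticated by Apache or the value does not look like an AD account.
sub current_account {
    my $self   = shift;
    my $remote = $self->query->remote_user;        # same as $ENV{REMOTE_USER}
    return undef unless defined $remote && length $remote;
    # mod_auth_ntlm_winbind may report "DOMAIN\user" or "DOMAIN+user";
    # mod_authnz_ldap reports the login name as typed. Keep the account part.
    (my $account = $remote) =~ s/^.*[\\+]//;
    return undef unless $account =~ /^[A-Za-z0-9._-]{1,64}$/;
    return $account;
}

sub whoami {
    my $self    = shift;
    my $account = $self->current_account or return "Not authenticated\n";
    my $ldap = Net::LDAP->new($LDAP_HOST) or die "LDAP connect failed: $@";
    my $bind = $ldap->bind($BIND_DN, password => $BIND_PW);
    die 'LDAP bind failed: ' . $bind->error if $bind->code;
    # Escape the value before it goes into the filter so a crafted account
    # name cannot change the meaning of the query (LDAP filter injection).
    my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
                         escape_filter_value($account);
    my $res = $ldap->search(base => $BASE_DN, filter => $filter,
                            attrs => [qw(displayName mail)]);
    return "Unknown user $account\n" if $res->code || !$res->count;
    my $e = $res->entry(0);
    return sprintf "%s <%s>\n", $e->get_value('displayName') || '',
                                $e->get_value('mail') || '';
}
1;
```

Run it from the instance script with `MyApp->new->run;` inside a <Directory> that carries `Require valid-user`, so Apache has already authenticated the request before REMOTE_USER is read.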

License: CC-BY-SA with attribution