Apache + Perl + NTLM/LDAP == Single signon?
-
14-11-2019 - |
Pergunta
We have a Perl app which runs under Apache on Solaris using CGI::Application. That's all running fine. We'd like to get access to the USER_ID variable passed by the IE browser, and do some Database queries and LDAP queries.
I've looked at the Apache documentation and I can't figure out how to achieve this. We don't have internet access (it's an intranet) from the solaris servers so we need to compile everything ourselves.
Does anyone have a check list (or tutorial) of what Apache needs (modules/plugins) in order to achieve this, and how it should be configured?
Solução
There are mod_ntlm and mod_ldap plugins for apache which you can use to authenticate.
In your case, i'd assume that you actually do want to use mod_ntlm and ldap or "active directory" is only its backend?
Here's on tutorial that covers the setting up phase: http://sivel.net/2007/05/sso-apache-ad-1/
Compilation phase in the tutorial is aimed for rpm based linux platform though but twiki has some more info about compiling for solaris10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b
Outras dicas
NTLM Winbind
I use the module auth_ntlm_winbind_module
(mod_auth_ntlm_winbind.so
) on our server. You need to have Samba and winbind installed, properly configured and running.
You can download the module from the Samba project tree:
git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git
In order to authenticate users via NTLM you have to add the following directives to your directory settings:
<Directory /srv/http>
Allow from all
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
AllowOverride all
</Directory>
Of course you need to load the module, too:
LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so
The Windows user account is passed to the application as the REMOTE_USER:
#!/usr/bin/perl
use CGI;
my $query = new CGI;
# get the windows account from the header
my $windows_account = $query->remote_user();
Note that IE only sends the user authentication data to trusted sites.
Here's a website with a bit more info on the module.
Direct Authentication via LDAP
Another method is to use the module authnz_ldap_module
(mod_authnz_ldap.so
). This is probably loaded by default already. Note that this is not true Single signon as the user is prompted for a password.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Add this to your directory definition:
<Directory /srv/http>
AuthName "Authentication required"
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
# "protocol://hostname:port/base?attribute?scope?filter" NONE
# NONE indicates that an unsecure connection should be used for LDAP, i.e. port 389
AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE
# This is only needed if your LDAP server doesn't allow anonymous binds
AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
AuthLDAPBindPassword super-secret
Require valid-user
AllowOverride all
</Directory>