Recipe 18.9 Integrating with Apache

Previous page
Table of content
Next page

18.9.1 Problem

If your organization has Active Directory and Apache deployed, one way to reduce logins is to integrate the two by having HTTP authentication on Apache use Active Directory.

18.9.2 Solution

There are several Apache modules that support authentication to an LDAP store, and with the release of Apache 2.0, it is supported natively with the mod_auth_ldap module. The documentation for mod_auth_ldap can be found at the following site: http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html.

The mod_auth_ldap module works in the following way:

  1. Binds using preconfigured bind DN and bind password.

  2. Searches the directory with the preconfigured search filter and username of the user that is authenticating.

  3. If a match was found, performs a bind attempt with the matching user's DN and password.

If you are still running Apache 1.x, the auth_ldap module is widely used and works in much the same way as mod_auth_ldap. For more information, visit the following site: http://www.rudedog.org/auth_ldap/.

18.9.3 Discussion

The mod_auth_ldap module isn't ideal from an Active Directory perspective. Typically, the second step (search for the user's DN) is completely unnecessary. If you have been configuring a user principal name (UPN) for all of your users, the search could be eliminated by attempting to authenticate the user with its UPN instead of the DN. Active Directory supports binding with either. That means mod_auth_ldap could instead just take the user name entered in the user name/password prompt and prepend it to a preconfigured UPN suffix (e.g., @rallencorp.com). Hopefully, the developers of mod_auth_ldap will take this into consideration for a future enhancement.

Another issue to be aware of when using this module is that you will need to hardcode a domain controller name to query and bind against in the mod_auth_ldap configuration. Unless you are using some type of load balancing software or hardware, you will be placing a dependency on that domain controller.

Both mod_auth_ldap and auth_ldap support SSL and TLS, and I highly recommend enabling that if you plan on using either of these modules. If you don't enable SSL/TLS support, passwords sent from the Apache server to a domain controller will be sent in clear text.

18.9.4 See Also

For more information on Apache, see http://www.apache.org/.


Previous page
Table of content
Next page
Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456
Authors: Laura E. Hunter, Robbie Allen
BUY ON AMAZON
Snort Cookbook
Microsoft Windows Server 2003(c) TCP/IP Protocols and Services (c) Technical Reference
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century: Prevention and Detection for the Twenty-First Century
Introducing Microsoft ASP.NET AJAX (Pro - Developer)
Ruby Cookbook (Cookbooks (OReilly))
DNS & BIND Cookbook
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy