If your organization has Active Directory and Apache deployed, one way to reduce logins is to integrate the two by having HTTP authentication on Apache use Active Directory.
There are several Apache modules that support authentication to an LDAP store, and with the release of Apache 2.0, it is supported natively with the mod_auth_ldap module. The documentation for mod_auth_ldap can be found at the following site: http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html.
The mod_auth_ldap module works in the following way:
If you are still running Apache 1.x, the auth_ldap module is widely used and works in much the same way as mod_auth_ldap. For more information, visit the following site: http://www.rudedog.org/auth_ldap/.
The mod_auth_ldap module isn't ideal from an Active Directory perspective. Typically, the second step (search for the user's DN) is completely unnecessary. If you have been configuring a user principal name (UPN) for all of your users, the search could be eliminated by attempting to authenticate the user with its UPN instead of the DN. Active Directory supports binding with either. That means mod_auth_ldap could instead just take the user name entered in the user name/password prompt and prepend it to a preconfigured UPN suffix (e.g., @rallencorp.com). Hopefully, the developers of mod_auth_ldap will take this into consideration for a future enhancement.
Another issue to be aware of when using this module is that you will need to hardcode a domain controller name to query and bind against in the mod_auth_ldap configuration. Unless you are using some type of load balancing software or hardware, you will be placing a dependency on that domain controller.
Both mod_auth_ldap and auth_ldap support SSL and TLS, and I highly recommend enabling that if you plan on using either of these modules. If you don't enable SSL/TLS support, passwords sent from the Apache server to a domain controller will be sent in clear text.
18.9.4 See Also
For more information on Apache, see http://www.apache.org/.