This HowTo will describe how to setup single sign-on authentication
with Apache and Microsoft Active Directory. Most of you are probably
aware that there is no default/built-in support for automatically
authenticating to an Apache web server using the NTLM header information
passed from the web browser (in most cases Microsoft Internet Explorer)
to the Web Server. Microsoft IIS of course supports this out of the
box but who wants to use IIS? There are as I have found 3 major
solutions for achieving this and I will outline which I picked and why.
First I’ll start by explaining which solution I selected and why.
There are 3 major solutions for this which are mod_ntlm, mod_auth_kerb
and Apache2:AuthenNTLM. I have chosen Apache2:AuthenNTLM. Now as for
the why…I bypassed mod_auth_kerb instantly after reading that it
required a working winbind setup. Keep in mind that I am looking for an
easy quick setup, and configuring winbind first does not fall into that
realm of a quick and easy setup. Next I tried mod_ntlm which seemed to
be very easy to setup and worked well. But there was one catch…If the
browser did not send the NTLM information or correct NTLM information1
the user had to login with the username in the form of DOMAIN\username.
In my experience with applications already in place they did not
require this form of DOMAIN\username. This could be resolved if you
could specify the default domain in mod_ntlm which you cannot. Reading
the documentation for Apache2:AuthenNTLM you could specify the default
domain as well as many other options that are not available in mod_ntlm.
Configuration proved to be a little tricky, but if it weren’t I
wouldn’t be writing this HowTo. Now as you may have noticed from the
naming syntax of Apache2:AuthenNTLM that it is indeed a perl module.
Now as we are using Apache2:AuthenNTLM it will require mod_perl2 which
is not included with CentOS4 or RHEL4.
Now for the HowTo:
1) Start by installing Apache and mod_perl by issuing the following commands:
shell> yum install httpd
shell> wget http://sivel.net/repo/i386/mod_perl-2.0.3-1.el4.sn.i386.rpm
shell> rpm -Uvh mod_perl-2.0.3-1.el4.sn.i386.rpm
2) Next we need to install the Apache2:AuthenNTLM module
shell> wget http://sivel.net/repo/i386/perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm
shell> rpm -Uvh perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm
3) Now we need to configure Apache to use Apache2:AuthenNTLM
shell> cd /etc/httpd/conf.d
shell> touch ntlm.conf
shell> vi ntlm.conf
- Add the following information:
<location
/
directory
>
# Change this to the directory you wish to protect. Can be /
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Basic
require valid-user
# domain pdc bdc
PerlAddVar ntdomain "DOMAIN dc1 dc2" # Change DOMAIN to the netbios name of your domain. Change dc1 and dc2 to the hostnames of the domain controllers for your domain. dc2 is not required if your setup does not have a dc2.
PerlSetVar defaultdomain DOMAIN # Change DOMAIN to the netbios name of your domain
PerlSetVar splitdomainprefix 1
</location>
shell> vi /etc/httpd/conf/httpd.conf
Find ‘KeepAlive Off’ and change it to ‘KeepAlive On’
4) Now we need to modify /etc/resolv.conf
shell> vi /etc/resolv.conf
- We need to make sure that it looks like the following:
search domain.lan
nameserver 10.0.0.1
nameserver 10.0.0.2
- Where domain.lan is your Active Directory domain name and the
nameservers are the name servers for your Active Directory (usually the
domain controllers)
5) Let’s start Apache
shell> /etc/init.d/httpd start
6) Let’s setup a simple test page that will utilize the server environment variable that AuthenNTLM sets.
shell> cd /path/set/in/step/3
shell> touch index.php
shell> vi index.php
- Insert the following information:
<?
php
echo
"You have logged in as <b>"
.
$_SERVER
[
'REMOTE_USER'
]
.
"</b>;"
;
?>
- If you do not see your username then you don’t have something in
step 3 setup correctly. If you get a login prompt check the footnotes
below.
Part 2
Footnotes
1. Getting a login prompt can be caused by using Firefox with the
default configuration, not being logged on in the domain that you are
attempting to authenticate against, or not having the site listed in the
Local Intranet security zone in Internet Explorer. Or worst of all you
could have mis configured something in step 3. You can turn on debug
information by adding ‘PerlSetVar ntlmdebug 2′ to step 3. Debugging
will log to /var/log/httpd/error_log.
分享到:
相关推荐
Single Sign-on Services for Microsoft Enterprise Application Integration Solutions:
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being ...
Solution in Detail - SAP NetWeaver Single Sign-On
NULL 博文链接:https://572327713.iteye.com/blog/2356519
A Survey on Single Sign-On Techniques
SingleSign-On introduction
Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards On Using the Enterprise Security Client
CAS讲义SSO (Single Sign-on)原理
自定义的单点登录系统,可返回各个子系统的登录页及支持CAS Server集群。(https://github.com/liyingqiao121727/single-sign-on-v2)
这篇文字比较详细的讲解了vshpere 5.1的安装,图文并茂,包括single sign on 的安装,比较详细。希望可以帮到需要的兄弟。
rubycas-server, 为web应用提供 单点登录(Single Sign-On) 认证,实现Jasig协议的服务器端 rubycas服务器版权Matt Zukowski贡献的部分是版权所有( c ) 2011 Urbacon有限公司。 其他部分是他们各自作者的版权。作者请...
SSO (Single Sign-On) 基于YMP框架实现的单点登录服务模块
技术分享:SSO_Single_Sign-on实战
Single Sign-On (SSO)是近来的热门话题. 很多和我交往的客户中都有不止一个运行在.Net框架中的Web应用程序或者若干子域名.而他们甚至希望在不同的域名中也可以只登陆一次就可以畅游所有站点.今天我们关注的是如何在...
本文中作者给大家详细的演示了如何实现WebSphere服务器和webpshere服务器之间的SSO(“单点登录、全网漫游”),并且给大家详细地解释了实现过程中的关键点和相关选项的含义,并且给出了开发带有安全性能要求的web...
django-mama-cas, Django 中央身份验证服务( CAS ) 单点登录(Single Sign-On) 服务器 MamaCAS MamaCAS是 Django 中央认证服务( CAS ) 单一登录和单一注销服务器。 它实现了 CAS 1.0.2.0和 3.0协议,包括一些可选的...
SSO Single-Sign-on in Action cas
NULL 博文链接:https://tomshen.iteye.com/blog/359053
语言:English (United States) 安全自动登录任何应用程序 使用此简单扩展为您的应用程序启用SSO。 -miniOrange单一登录插件将允许用户无缝登录所有可用的Web应用程序。 -插件与miniOrange服务器安全通信,以在登录...
NULL 博文链接:https://zgq456.iteye.com/blog/2192979