Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a "trusted" site, which, according to the Windows Integrated Authentication docs, means that IE will happily send the authentication credentials, but I would be more inclined to think that they will just not be in the right format for mod_authnz_ldap to handle.  What's weird is that it is definitely getting the domain\username part of it.

Maybe it just won't work.  I got mod_auth_sspi working with a workaround, so maybe I'll just go that route.

On Tue, Sep 16, 2008 at 3:51 PM, André Warnier <aw@xxxxxxxxxx> wrote:
André Warnier wrote:
Eric Covener wrote:
So, it looks like I need mod_setenvif, right?  Could anybody write a quick
directive that would look at REMOTE_USER to see if there is a backslash
("\"), and if there is, set the same variable to everything following the
backslash?  I think this would solve my problem.  I would rather use
mod_authnz_ldap that  mod_auth_sspi as it is included with Apache and is
well-supported.

The authentication/authorization modules don't read from the
REMOTE_USER environment variable.

Party pooper !

Clayton,
I kind of get a feeling that Eric is right though, because a) he usually seems to know his stuff, and b) that would not be very secure, to say the least.
That would mean that we are back to try and figure out what exactly happens between IE and the server, and it what circumstances exactly IE sends this domain\user-id thing.

But maybe Eric can help there ?
Eric, what kind of "401" does mod_authnz_ldap send to the browser when it needs authentication ? Basic ?
Then I can't quite imagine Clayton's scheme working, because IE would never of its own device send the user's password (I don't even think it knows it).




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
Clayton Hicklin
chicklin@xxxxxxxxx

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux