Re: Pass-through LDAP authentication with Internet Explorer and Active Directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Sep 16, 2008 at 4:00 PM, André Warnier <aw@xxxxxxxxxx> wrote:
Clayton Hicklin wrote:
On Tue, Sep 16, 2008 at 3:37 PM, Eric Covener <covener@xxxxxxxxx> wrote:

So, it looks like I need mod_setenvif, right?  Could anybody write a
quick
directive that would look at REMOTE_USER to see if there is a backslash
("\"), and if there is, set the same variable to everything following
the
backslash?  I think this would solve my problem.  I would rather use
mod_authnz_ldap that  mod_auth_sspi as it is included with Apache and is
well-supported.
The authentication/authorization modules don't read from the
REMOTE_USER environment variable.

--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


Well, where are they getting their info?  This is what I'm getting in the
error log:

[5028] auth_ldap authenticate: user WHQ_NT_DOMAIN\\ch017001 authentication
failed; URI /scpmanager/ [User not found][No Such Object]

Clearly domain\user is getting passed to the authn/authz modules from IE
somehow or another.

This is getting interesting.  How indeed ?
Is there a way to trace the headers being sent back and forth during this authentication phase, at the Apache level ? We're talking IE as a browser here, so Firefox add-ons don't count.

If not, assuming that server has perl and mod_perl available, I could put together a quick access handler that does that.
(as mentioned before, I have a stake in a solution too).


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


In this case, Apache is running on Windows.  Although it could be loaded, perl and mod_perl are not available at the moment.  I'm beginning to think we're chasing our tails.  IE is going to pass the credentials in NTLM format, I believe.  Even if we got the username right, I'm thinking maybe the password won't be readable by mod_authn_ldap.  I don't know.

--
Clayton Hicklin
chicklin@xxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux