`
li.feixiang
  • 浏览: 121237 次
  • 性别: Icon_minigender_1
  • 来自: 武汉
社区版块
存档分类
最新评论

Single Sign-On with Apache and Active Directory – Part 1

    博客分类:
  • Java
阅读更多

This HowTo will describe how to setup single sign-on authentication with Apache and Microsoft Active Directory. Most of you are probably aware that there is no default/built-in support for automatically authenticating to an Apache web server using the NTLM header information passed from the web browser (in most cases Microsoft Internet Explorer) to the Web Server. Microsoft IIS of course supports this out of the box but who wants to use IIS? There are as I have found 3 major solutions for achieving this and I will outline which I picked and why.

First I’ll start by explaining which solution I selected and why. There are 3 major solutions for this which are mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM. I have chosen Apache2:AuthenNTLM. Now as for the why…I bypassed mod_auth_kerb instantly after reading that it required a working winbind setup. Keep in mind that I am looking for an easy quick setup, and configuring winbind first does not fall into that realm of a quick and easy setup. Next I tried mod_ntlm which seemed to be very easy to setup and worked well. But there was one catch…If the browser did not send the NTLM information or correct NTLM information1 the user had to login with the username in the form of DOMAIN\username. In my experience with applications already in place they did not require this form of DOMAIN\username. This could be resolved if you could specify the default domain in mod_ntlm which you cannot. Reading the documentation for Apache2:AuthenNTLM you could specify the default domain as well as many other options that are not available in mod_ntlm. Configuration proved to be a little tricky, but if it weren’t I wouldn’t be writing this HowTo. Now as you may have noticed from the naming syntax of Apache2:AuthenNTLM that it is indeed a perl module. Now as we are using Apache2:AuthenNTLM it will require mod_perl2 which is not included with CentOS4 or RHEL4.

Now for the HowTo:

1) Start by installing Apache and mod_perl by issuing the following commands:

shell> yum install httpd
shell> wget http://sivel.net/repo/i386/mod_perl-2.0.3-1.el4.sn.i386.rpm
shell> rpm -Uvh mod_perl-2.0.3-1.el4.sn.i386.rpm

2) Next we need to install the Apache2:AuthenNTLM module

shell> wget http://sivel.net/repo/i386/perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm
shell> rpm -Uvh perl-Apache2-AuthenNTLM-0.02-1.el4.sn.i386.rpm

3) Now we need to configure Apache to use Apache2:AuthenNTLM

shell> cd /etc/httpd/conf.d
shell> touch ntlm.conf
shell> vi ntlm.conf

  • Add the following information:
<location
 
/
directory
>
 # Change this to the directory you wish to protect.  Can be /
PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm,basic
AuthName Basic
require valid-user
#                    domain  pdc  bdc
PerlAddVar ntdomain "DOMAIN  dc1  dc2" # Change DOMAIN to the netbios name of your domain.  Change dc1 and dc2 to the hostnames of the domain controllers for your domain.  dc2 is not required if your setup does not have a dc2.
PerlSetVar defaultdomain DOMAIN # Change DOMAIN to the netbios name of your domain
PerlSetVar splitdomainprefix 1

</location>

shell> vi /etc/httpd/conf/httpd.conf
Find ‘KeepAlive Off’ and change it to ‘KeepAlive On’

4) Now we need to modify /etc/resolv.conf

shell> vi /etc/resolv.conf

  • We need to make sure that it looks like the following:

search domain.lan
nameserver 10.0.0.1
nameserver 10.0.0.2

  • Where domain.lan is your Active Directory domain name and the nameservers are the name servers for your Active Directory (usually the domain controllers)

5) Let’s start Apache

shell> /etc/init.d/httpd start

6) Let’s setup a simple test page that will utilize the server environment variable that AuthenNTLM sets.

shell> cd /path/set/in/step/3
shell> touch index.php
shell> vi index.php

  • Insert the following information:

<? php
echo
"You have logged in as <b>" . $_SERVER [ 'REMOTE_USER' ] . "</b>;" ;
?>

  • If you do not see your username then you don’t have something in step 3 setup correctly. If you get a login prompt check the footnotes below.

Part 2

Footnotes
1. Getting a login prompt can be caused by using Firefox with the default configuration, not being logged on in the domain that you are attempting to authenticate against, or not having the site listed in the Local Intranet security zone in Internet Explorer. Or worst of all you could have mis configured something in step 3. You can turn on debug information by adding ‘PerlSetVar ntlmdebug 2′ to step 3. Debugging will log to /var/log/httpd/error_log.

分享到:
评论

相关推荐

    Single Sign-on

    单点登录(Single Sign-on,简称SSO)是企业级应用集成解决方案中的一个重要组成部分,它旨在提供用户在多个系统和应用程序之间无缝切换的能力,而无需多次输入认证信息。微软为其实现提供了集成服务,如与Microsoft...

    Single-sign-on

    Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being ...

    CAS单点登录SSO( Single Sign-On)

    CAS(Central Authentication Service)单点登录(Single Sign-On,简称SSO)是一种网络认证协议,旨在简化用户在多个应用系统间的登录流程。当用户通过CAS认证后,可以在无需再次输入凭证的情况下访问已接入CAS的...

    Single sign-on best practices for Azure Active Directory

    优质资源,值得拥有

    single-sign-on-v2

    自定义的单点登录系统,可返回各个子系统的登录页及支持CAS Server集群。(https://github.com/liyingqiao121727/single-sign-on-v2)

    rubycas-server, 为web应用提供 单点登录(Single Sign-On) 认证,实现Jasig协议的服务器端.zip

    rubycas-server, 为web应用提供 单点登录(Single Sign-On) 认证,实现Jasig协议的服务器端 rubycas服务器版权Matt Zukowski贡献的部分是版权所有( c ) 2011 Urbacon有限公司。 其他部分是他们各自作者的版权。作者请...

    SSO(SingleSign-On)基于YMP框架实现的单点登录服务模块

    SSO (Single Sign-On) 基于YMP框架实现的单点登录服务模块

    SSO-Single-Sign-on实战.docx

    SSO-Single Sign-on实战 SSO(Single Sign-on)是一种单点登录技术,能够让用户在多个相关的应用程序之间进行身份验证,提高用户体验和安全性。SSO可以分为Web SSO和桌面SSO两种,Web SSO是指客户端的单点登录,而...

    WebSphere环境下的SSO(Single sign-on:单点登录、全网漫游)实现之: -- SSO(Single Sign-On)实现步骤

    本文中作者给大家详细的演示了如何实现WebSphere服务器和webpshere服务器之间的SSO(“单点登录、全网漫游”),并且给大家详细地解释了实现过程中的关键点和相关选项的含义,并且给出了开发带有安全性能要求的web...

    VMware vSphere 5.1安装 图 vcenter5.1安装 Single sign on 安装

    ### VMware vSphere 5.1 安装及Single Sign-On配置详解 #### 一、概述 VMware vSphere 5.1 是一款先进的虚拟化平台,为企业提供了强大的资源管理和优化功能。本文档详细介绍了vSphere 5.1的安装过程,并特别强调了...

    SSO解决方案大全 Single Sign-On for everyone

    SSO(Single Sign-On)是一种身份验证机制,允许用户在一个应用系统中登录后,无需再次认证即可访问其他关联的系统。这种技术对于拥有多个应用程序或网站的企业尤其有用,可以提高用户体验,减少用户记忆多套登录...

    CAS 单点登录(Single Sign On)

    CAS(Central Authentication Service)单点登录(Single Sign-On,简称SSO)是一种网络认证协议,它允许用户在一次登录后,就能访问多个相互信任的应用系统,而无需再次进行身份验证。这种技术对于大型企业或组织的...

    django-mama-cas, Django 中央身份验证服务( CAS ) 单点登录(Single Sign-On) 服务器.zip

    django-mama-cas, Django 中央身份验证服务( CAS ) 单点登录(Single Sign-On) 服务器 MamaCAS MamaCAS是 Django 中央认证服务( CAS ) 单一登录和单一注销服务器。 它实现了 CAS 1.0.2.0和 3.0协议,包括一些可选的...

    eSSO Single Sign On

    综上所述,eSSO Single Sign-On利用LDAP、Active Directory等技术,实现了用户在企业环境中的一次登录多应用访问,通过目录服务进行账户管理和权限分配,而组和角色的概念则进一步细化了权限控制。在具体实现时,...

    miniOrange Secure Single Sign-On Plug-in-crx插件

    语言:English (United States) 安全自动登录任何应用程序 使用此简单扩展为您的应用程序启用SSO。 -miniOrange单一登录插件将允许用户无缝登录所有可用的Web应用程序。 -插件与miniOrange服务器安全通信,以在登录...

    single sign on流程图

    ### Single Sign-On (SSO) 流程解析 #### 单点登录(SSO)概念介绍 单点登录(Single Sign-On,简称 SSO)是一种身份验证机制,它允许用户通过一次登录过程,即可访问所有相互信任的应用程序和服务,而无需在每个应用...

    Active Directory Cookbook, 3rd Edition.pdf

    Covers how to back up Active Directory, perform authoritative and nonauthoritative restores, check DIT file integrity, perform online and offline defrags, and search for deleted objects. Chapter 17, ...

    VisualSVN Server 3.5.4 破解补丁

    1.Active Directory Single Sign-On 2.Multisite Repository Replication 3.HTML5-powered Web Interface 4.PowerShell Scripting and Automation 5.Repository Management Delegation 6.Remote Server ...

Global site tag (gtag.js) - Google Analytics