Apache 2 - LDAP/Active Directory - Automatic login/authentication process

Question

Is there a fully automated way to authentication a user using IE8+ with Apache without the user having to enter any form of credentials? Running IIS is not really an option even tho i'm running Windows.

I've found some Perl based solutions that should work but i could only get it to work on *Nix with a LOT of fuzzing around.

I'm currently using authnz_ldap_module which works great, but the users are really cranky and annoyed by having to put in their user-id and password for each new session that they open.

Any ideas?

Answer 1

I've been having the same problem myself today after eventually getting the mod_authnz_ldap module to work.

From my research thus far, I gather you can't do seamless signon with the mod_authnz_ldap module and you'll have to use mod_auth_sspi instead. I've tried this out and it seems to work as expected (on Internet Explorer anyway - you can also configure Firefox to pass through by modifying the network.automatic-ntlm-auth.trusted-uris key).

Here's the steps:

1. Download the mod_auth_sspi module from http://sourceforge.net/projects/mod-auth-sspi/
2. From the zip file's bin folder, copy mod_auth_sspi.so to your apache modules folder
3. From the zip file's bin folder, copy sspipkgs.exe to your apache bin folder
4. Edit httpd.conf so that the Directory is configured something like this:

 Alias /secure "C:/Secure"
 <Directory "C:/Secure">
 Order deny,allow
 Allow from all

 AuthType SSPI
 SSPIAuth On
 SSPIOfferBasic on
 SSPIBasicPreferred On
 SSPIAuthoritative Off
 AuthName "Login"
 SSPIDomain dc.domain

 Require valid-user
 </Directory>

Now restart Apache.

Unfortunately, after all that it's no good for me as a solution as I have multiple LDAP servers to authenticate against, but hopefully this will help you.