How do people do Apache Active-Dir authentication?

Jason Haar Jason.Haar at
Thu Jul 6 09:45:32 GMT 2006

I've got a perfectly well working Samba server (with winbind) with
Apache-2 on it (CentOS 4.3 and Fedora Core 5), and want to be able to
backend Apache onto Active Directory for authentication and authorization.

I've tried mod_ntlm_winbind, but cannot get it to work either via
Negotiate, NTLM or even Basic. It uses ntlm_auth - which I have
successfully operating on a Squid server on the same box - so that's not
at fault. However, it just doesn't work - running things with "-d10"
doesn't seem to show any obvious problem.

I've tried it with mod_auth_ldap - but that is oriented towards a single
domain model. We OTOH have a forest with multiple domains - with
Universal Groups containing members from a mixture of domains, etc. It
doesn't like that (let's not bring up Microsoft crippling sAMAccountName)

So how are people doing this? You know, so users can log into Apache as
"domain/username" or "username at domain" and be allowed access if they are
in any AD group - just like IIS can handle?

Someone must have got this working? Right? :-}

PS: I currently have it working using auth_any and a perl script hacked
up to call "net rpc" at appropriate times. Mostly works - but can't
handle recursive group lookups itself - so that fails too. I am doomed ;-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the samba-technical mailing list