How do people do Apache Active-Dir authentication?

Ed Plese ed at edplese.com
Sat Jul 8 13:45:00 GMT 2006


On Sat, Jul 08, 2006 at 05:01:26PM +1200, Jason Haar wrote:
> Ed Plese wrote:
> > Check the permissions on /var/lib/samba/winbindd_privileged too.  I had
> > to alter these (but left the permissions on 'pipe' as is) in order to get
> > mod_ntlm_winbind to work.  By default the apache user doesn't have any
> > rights to this directory to even see the 'pipe' file.
> >   
> You are correct - that was wrong. However, mod_ntlm_winbind doesn't
> support Active Directory groups at all - which was my primary aim. So
> I'm still looking...

I've never used it, but it looks like ntlm_auth has an option that will
do this for you.  From `ntlm_auth --help`:


  --require-membership-of=STRING

  Require that a user be a member of this group (either name or SID)
  for authentication to succeed.


If you're writing a web application with fine-grained access controls
based on group membership, it might work better to have your software
query which groups the user is in and determine if the user is authorized
to view a particular page.  This way you can better handle access denied
cases instead of just displaying the login dialog box.


Ed Plese
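An added example, not part of the original message or of Samba: one way an application could make the per-page group decision suggested above, returning 403 for an authenticated user who lacks the group rather than a 401 that re-opens the login dialog. It assumes winbind is listed in nsswitch.conf so domain groups resolve through NSS; the policy table, group names and function names are hypothetical.

```python
import grp
import os
import pwd

# Constructed policy: path prefix -> group required. Placeholder names.
PAGE_GROUPS = {
    "/reports": "EXAMPLE\\report-readers",
    "/admin": "EXAMPLE\\web-admins",
}


def nss_groups(user):
    """Group names for user via NSS (assumes winbind is in nsswitch.conf)."""
    try:
        gids = os.getgrouplist(user, pwd.getpwnam(user).pw_gid)
    except KeyError:
        return set()  # unknown user: no groups, so every check fails closed
    names = set()
    for gid in gids:
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid without a name mapping
    return names


def required_group(path):
    """Longest matching prefix wins; None means the page is unrestricted."""
    hits = [p for p in PAGE_GROUPS if path == p or path.startswith(p + "/")]
    return PAGE_GROUPS[max(hits, key=len)] if hits else None


def authorize(user, path, lookup=nss_groups):
    """Status to send: 401 = not authenticated, 403 = authenticated but
    not in the required group, 200 = allowed."""
    if not user:
        return 401
    need = required_group(path)
    if need is None:
        return 200
    # Compare case-insensitively; the lookup callable is injectable for tests.
    have = {g.lower() for g in lookup(user)}
    return 200 if need.lower() in have else 403
```

In a deployment behind Apache, `user` would be the REMOTE_USER value set by the authentication module, and the path should be the server-normalized request path.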


More information about the samba-technical mailing list