How do people do Apache Active-Dir authentication?

Jason Haar Jason.Haar at trimble.co.nz
Sat Jul 8 19:41:14 GMT 2006


Ed Plese wrote:
> I've never used it, but it looks like ntlm_auth has an option that will
> do this for you.  From `ntlm_auth --help`:
>
>
>   --require-membership-of=STRING
>
>   Require that a user be a member of this group (either name or SID)
>   for authentication to succeed.

Hmmm. Thanks for that. I can use that within auth_any as the means of
authorizing the user. Seems to work well. (slight issue with Apache
having to call a Perl script per URL, but I can't find anything else
that will work :-()

> If you're writing a web application with fine-grained access controls
> based on group membership, it might work better to have your software
> query which groups the user is in and determine if the user is authorized
> to view a particular page.  This way you can better handle access denied
> cases instead of just displaying the login dialog box.

No - I am looking for a generic solution to put in front of
Apache-housed webapps. A variety of third-party apps. As such, I don't
intend anyone to have to rewrite them to make it work.

Actually, now that you've mentioned ntlm_auth's "require-membership"
option, it might be best/fastest to use something like mod_auth_mysql
and do a form-based login. That way you can get the advantages you
mention of more informative error pages/etc.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
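
An added example (not part of the original post, and not Samba's or auth_any's own code): a Python wrapper of the kind the message describes, which has ntlm_auth authenticate a user and enforce `--require-membership-of`. It assumes ntlm_auth's `squid-2.5-basic` helper protocol, so credentials travel on stdin rather than on the command line; the function names and the group `EXAMPLE\webusers` are hypothetical, and how auth_any hands credentials to the script is not covered.

```python
import subprocess
from urllib.parse import quote

NTLM_AUTH = "ntlm_auth"  # assumption: on PATH, with winbindd joined to the domain


def build_request(username, password):
    """Build the single 'user pass' line read by the squid-2.5-basic helper."""
    for value in (username, password):
        if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError("empty value or control character in credentials")
    # The helper URL-unescapes both fields, so percent-encode them: a space or
    # '%' in a password must not split or alter the request line.
    return "{} {}\n".format(quote(username, safe=""), quote(password, safe=""))


def reply_is_ok(reply):
    """True only when the first token of the helper's reply is exactly 'OK'."""
    return reply.split(maxsplit=1)[:1] == ["OK"]


def user_in_group(username, password, group, helper=(NTLM_AUTH,), timeout=10):
    """Authenticate and require group membership; any failure denies access."""
    cmd = [*helper, "--helper-protocol=squid-2.5-basic",
           "--require-membership-of=" + group]
    try:
        request = build_request(username, password)
        proc = subprocess.run(cmd, input=request, capture_output=True,
                              text=True, timeout=timeout)
    except (ValueError, OSError, subprocess.SubprocessError):
        return False  # fail closed: bad input, missing helper, or timeout
    first = proc.stdout.splitlines()[:1]
    return bool(first) and reply_is_ok(first[0])


if __name__ == "__main__":
    import getpass
    import sys
    # Constructed usage: the group name is a placeholder, not from the post.
    allowed = user_in_group(sys.argv[1], getpass.getpass(), "EXAMPLE\\webusers")
    sys.exit(0 if allowed else 1)
```

Because one helper process is started per call, this keeps the per-request cost the message mentions; it only shows the authentication and group check itself.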



More information about the samba-technical mailing list