httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Clayton Hicklin" <>
Subject Re: [users@httpd] Pass-through LDAP authentication with Internet Explorer and Active Directory
Date Tue, 16 Sep 2008 21:02:58 GMT
This is a "trusted" site, which, according to the Windows Integrated
Authentication docs, means that IE will happily send the authentication
credentials, but I would be more inclined to think that they will just not
be in the right format for mod_authnz_ldap to handle.  What's weird is that
it is definitely getting the domain\username part of it.

Maybe it just won't work.  I got mod_auth_sspi working with a workaround, so
maybe I'll just go that route.

On Tue, Sep 16, 2008 at 3:51 PM, André Warnier <> wrote:

> André Warnier wrote:
>> Eric Covener wrote:
>>> So, it looks like I need mod_setenvif, right?  Could anybody write a
>>>>> quick
>>>>> directive that would look at REMOTE_USER to see if there is a backslash
>>>>> ("\"), and if there is, set the same variable to everything following
>>>>> the
>>>>> backslash?  I think this would solve my problem.  I would rather use
>>>>> mod_authnz_ldap that  mod_auth_sspi as it is included with Apache and
>>>>> is
>>>>> well-supported.
>>> The authentication/authorization modules don't read from the
>>> REMOTE_USER environment variable.
>>>  Party pooper !
>>  Clayton,
> I kind of get a feeling that Eric is right though, because a) he usually
> seems to know his stuff, and b) that would not be very secure, to say the
> least.
> That would mean that we are back to try and figure out what exactly happens
> between IE and the server, and it what circumstances exactly IE sends this
> domain\user-id thing.
> But maybe Eric can help there ?
> Eric, what kind of "401" does mod_authnz_ldap send to the browser when it
> needs authentication ? Basic ?
> Then I can't quite imagine Clayton's scheme working, because IE would never
> of its own device send the user's password (I don't even think it knows it).
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>  "   from the digest:
> For additional commands, e-mail:

Clayton Hicklin

View raw message