httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Clayton Hicklin" <>
Subject Re: [users@httpd] Pass-through LDAP authentication with Internet Explorer and Active Directory
Date Tue, 16 Sep 2008 23:06:42 GMT
On Tue, Sep 16, 2008 at 4:21 PM, André Warnier <> wrote:

>>>   I'm beginning to think
>> we're chasing our tails.  IE is going to pass the credentials in NTLM
>> format, I believe.  Even if we got the username right, I'm thinking maybe
>> the password won't be readable by mod_authn_ldap.  I don't know.
>>  IE can do either of 3 things, as far as I know :
> 1) if it is doing Basic authentication, it will pass the user-id and
> password (as entered by the user in the pop-up login dialog), both merely
> encoded in a Base64 format.
> It passes that in a "Authorization:" request header.

I believe it is basic authorization.  The AuthType is set to Basic and the
AuthBasicProvider (not sure if that's right, I don't have access to it at
the moment) is set to ldap.  So, maybe there is no NTLM involved here.  The
user is already authenticated with the domain.  My original thought is that
IE sees the site requesting Basic authentication and is supplying the
domain\user and base64 password.  That's why I was hoping to just strip out
the domain\ part.

> 2) if it is doing Digest authentication, it will pass the user-id and a
> cryptic "token" based on the user-id and password entered by the user in a
> pop-up login dialog. The server-side must then somehow verify that this
> token matches one generated server-side on the base of the user password.
> It passes that in a "Authorization:" request header.
> That is anyway not what you want here.

Nope, not doing digest.

> 3) if it is doing NTLM authentication, then it will also pass the user-id
> and a token, but as a result of a multi-step negociation with an appropriate
> NTLM module on the server, which itself needs to talk to a Windows Domain
> Controller etc..
> At the end of all that, IE will pass the user-id and token to the server
> with the request, in, I believe, a WWW-authenticate: header.
> But that token does not contain the password, and IE at no point gets to
> know the password.

Seems like it would only do NTLM if I'm using the mod_auth_sspi module.  The
more I think about it, the more it doesn't make any sense that IE would try
and do NTLM when Apache is requesting Basic.

> But maybe do not give up yet.
> If you are in a Windows Domain, and it is inside a corporate environment,
> then presumably this REMOTE_USER that IE is sending, is already the result
> of some secure Domain authentication which happened before.
> And if so, you might be able to accept it as secure enough, and use its
> content as a user-id.
> The whole point now is to know whether you really need to know the user
> password, or if the mere fact of verifying that the user indeed exists in
> the LDAP system is enough (and maybe not even that).
> It all depends if you want to provide a reall secure login system, or if
> your purpose is to provide a user-friendly SSO mechanism for Apache
> applications.

Well, I need to do group authentication via LDAP, and the LDAP module binds
with the DN it looks up using the username provided by the browser.  It
definitely needs the password.

> One item just to clear up a lingering doubt : when you show the user-id
> that auth_ldap is dumping to the logfile, was that the result of a popup
> login dialog in IE, or was there no such popup dialog involved ?
Not the result of the popup, that was IE trying to send the credentials

> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>  "   from the digest:
> For additional commands, e-mail:

Clayton Hicklin

View raw message