We have a Perl application which runs under Apache on Solaris using CGI::Application. That's all running fine. We want to get access to the user_ID variable passed by the IE browser, and do some database queries and LDAP queries.

I have checked the Apache documentation and I can't work out how to do this. We do not have access to the internet (this is an intranet) on the Solaris servers, so we have to compile everything ourselves.

Does anybody have a list (or tutorial) of what Apache needs (modules/plugins) to be able to do this, and how it should be configured?

There are mod_ntlm and mod_ldap plugins for Apache that can be used to authenticate.

In your situation, I'd guess that you really want to use mod_ntlm, and LDAP or "Active Directory" is just its backend?

Here's one tutorial that covers the setup phase: http://sivel.net/2007/05/sso-apache-ad-1/

The compilation phase in that tutorial is targeted at an RPM-based Linux platform, but twiki has more information on building for Solaris 10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b

NTLM Winbind

I use the module auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) on our server. You must have Samba and winbind installed, correctly configured and running.

You can download the module from the Samba project tree:

git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git 

In order to authenticate users via NTLM you need to add the following directives to your directory configuration:

<Directory /srv/http>
         Allow from all
         AuthName "NTLM Authentication thingy"
         NTLMAuth on
         NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
         NTLMBasicAuthoritative on
         AuthType NTLM
         require valid-user
         AllowOverride all
</Directory>

Obviously you have to load the module, too:

LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so

The Windows user account is passed to the application as REMOTE_USER:

#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $query = CGI->new;
# get the Windows account that Apache authenticated; CGI's remote_user()
# reads it from the REMOTE_USER environment variable the auth module sets
my $windows_account = $query->remote_user();

Note that IE only sends the user authentication data to trusted sites.

Here is a website with a little more information on the module.


Direct Authentication via LDAP

Another option is to use the module authnz_ldap_module (mod_authnz_ldap.so). This is most likely loaded by default already. Note that this isn't true single sign-on, because the user is prompted for a password.

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Add this to your directory definition:

<Directory /srv/http>
    AuthName "Authentication required"
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap

    # "protocol://hostname:port/base?attribute?scope?filter" NONE
    # NONE indicates that an unsecure connection should be used for LDAP, i.e. port 389
    AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE


    # This is only needed if your LDAP server doesn't allow anonymous binds
    AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
    AuthLDAPBindPassword super-secret

    Require valid-user
    AllowOverride all
</Directory>

More information about the module.
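Both answers above end at the point where Apache hands the authenticated account to the script as REMOTE_USER. The following CGI::Application run mode, an added example rather than code from either answer, picks up from there: it only trusts REMOTE_USER when Apache also set AUTH_TYPE (i.e. the request really passed through one of the auth modules), strips the DOMAIN\ or @domain decoration that mod_auth_ntlm_winbind or a UPN login may add, restricts the account to a conservative character set, and then escapes it with Net::LDAP::Util::escape_filter_value before building the sAMAccountName search filter. The LDAP host, base DN and attribute names are placeholders taken from the mod_authnz_ldap example above; the run-mode name, the anonymous bind and the hypothetical _error helper are assumptions of this example. It needs the perl-ldap distribution (Net::LDAP) and CGI::Application installed, and avoids the 5.10 `//` operator so it runs on the Perl 5.8 shipped with Solaris 10.

```perl
#!/usr/bin/perl
# Added example, not part of the original answers: read the Apache-authenticated
# account from REMOTE_USER inside a CGI::Application run mode and look it up in
# the directory with a properly escaped LDAP filter.
use strict;
use warnings;

package MyApp;
use base 'CGI::Application';
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholders, copied from the mod_authnz_ldap example on this page.
my $LDAP_HOST = 'your.ldap.server.net';
my $BASE_DN   = 'OU=the,OU=search,OU=node,DC=domain,DC=net';

sub setup {
    my $self = shift;
    $self->start_mode('whoami');
    $self->run_modes(whoami => 'whoami');
}

# Returns the normalised account name, or undef if the request was not
# authenticated by Apache. The auth modules set AUTH_TYPE next to REMOTE_USER,
# so a request with REMOTE_USER but no AUTH_TYPE did not go through the
# <Directory> block and must not be trusted.
sub current_account {
    my ($self) = @_;
    my $q = $self->query;
    return unless defined $q->auth_type   && length $q->auth_type;
    return unless defined $q->remote_user && length $q->remote_user;

    my $user = $q->remote_user;
    $user =~ s/^[^\\]+\\//;    # strip a leading DOMAIN\ (winbind style)
    $user =~ s/\@.*$//;        # strip a trailing @domain (UPN style)

    # sAMAccountName values are short and plain; reject anything else
    # before the name is used in a filter, a SQL query or a log line.
    return unless $user =~ /^[A-Za-z0-9._-]{1,64}$/;
    return lc $user;
}

# Looks the account up in the directory and returns the Net::LDAP::Entry,
# or undef if there is no matching user object.
sub lookup_user {
    my ($self, $account) = @_;

    my $ldap = Net::LDAP->new($LDAP_HOST, port => 389, timeout => 5)
        or die "cannot connect to $LDAP_HOST: $@";
    # Anonymous bind as an assumption; pass dn => ..., password => ... if
    # your AD forbids anonymous searches.
    my $mesg = $ldap->bind;
    die 'bind failed: ' . $mesg->error if $mesg->code;

    # escape_filter_value turns ( ) * \ and NUL into \XX escapes, so the
    # account can never change the shape of the filter, even if the regex
    # in current_account were relaxed later.
    my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
        escape_filter_value($account);

    $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => $filter,
        attrs  => [ 'mail', 'memberOf' ],
    );
    die 'search failed: ' . $mesg->error if $mesg->code;

    my $entry = $mesg->count ? $mesg->entry(0) : undef;
    $ldap->unbind;
    return $entry;
}

sub whoami {
    my $self = shift;

    my $account = $self->current_account
        or return $self->_error('401 Unauthorized', 'no authenticated user');
    my $entry = $self->lookup_user($account)
        or return $self->_error('404 Not Found', "no directory entry for $account");

    my $mail   = $entry->get_value('mail');
    my @groups = $entry->get_value('memberOf');
    $self->header_props(-type => 'text/plain');
    return join "\n",
        "account: $account",
        'mail: ' . (defined $mail ? $mail : ''),
        'groups:', @groups, '';
}

# Hypothetical helper for this example: send a status line and a short body.
sub _error {
    my ($self, $status, $message) = @_;
    $self->header_props(-status => $status, -type => 'text/plain');
    return "$message\n";
}

package main;
MyApp->new->run;
```

Because the account passes through current_account before it reaches lookup_user, the same value can be handed to a DBI placeholder for the database queries the question mentions; the escaping in lookup_user is still kept so the LDAP filter stays safe if the character set is ever widened. The AUTH_TYPE check matters when a script lives under a path that is reachable both with and without the auth block, which is easy to get wrong once AllowOverride all and .htaccess files are in play.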