auth_ldap

mike mike503 at gmail.com
Tue Aug 19 04:09:57 MSD 2008


I'm fine with however it has to work. We're still using XP and  
probably will for some time. I suppose as software moves on some of  
those kinks that can be fixed will be worked out. But that first step  
of getting the existing way implemented is key right now.

On Aug 18, 2008, at 4:48 PM, "Kon Wilms" <konfoo at gmail.com> wrote:

> On Mon, Aug 18, 2008 at 4:30 PM, mike <mike503 at gmail.com> wrote:
>> That's hopefully what someone would be working out if I paid :)
>>
>> I want to get nginx adopted everywhere including internally on our
>> intranet. But we have WIA/NTLM/whatever the integrated authentication
>> in IE6, IE7 and our Active Directory domain accounts.
>>
>> It's in IE6/IE7 and called WIA I believe (Windows Integrated
>> Authentication) that uses NTLM/LDAP/whatever to transparently identify
>> you based on your domain account is what I need. I tried to get this
>> support in Lighttpd, but I no longer use or care about Lighty. I am
>> all about nginx now.
>
> Well, there's not much to work out besides the implementation. :)
>
> I am using Apache and ldap auth against 2k3 and 2k8 for SSO support in
> our organization (for the few apps that require it i.e. subversion
> users, etc.). The trick with 2k3 and 2k8 is that you need an
> authorized user in the OU or group that has rights to query the
> directory -- it cannot be done anonymously anymore as was the case
> with 2k (IIRC).
>
> 2k8 royally broke everything for me as well, in that you can't query
> across domains that are in the same forest, whereas with 2k3 you
> could. But that is more of an Apache bug than anything else. The
> downside with this annoyance is that if domain1 is being accessed with
> ldap auth for a user in domain 2, the dummy query account can't find
> out about domain2's users. So you have to duplicate users on domain1
> from domain2, and you're left with what can best be described as a CSO
> clusterf*ck of a solution.
>
> Markus, if you're listening, that may be something to note (there is an
> outstanding authnz_ldap bug related to this).
>
> Sigh.
>
> Cheers
> Kon
>
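
The bind requirement described in the quoted reply above, sketched as an Apache mod_authnz_ldap configuration. This is an added example, not part of the original thread or anyone's actual setup; the host name, DNs, certificate path, location and account name are all placeholders.

```apache
# Added illustration; every host name, DN and path below is a placeholder.
# Active Directory on 2k3/2k8 refuses anonymous searches, so mod_authnz_ldap
# first binds as a dedicated account that has rights to query the directory,
# looks the user up, then re-binds as that user to check the password.

# Server-level: CA that signed the domain controller's certificate (for ldaps://).
LDAPTrustedGlobalCert CA_BASE64 "/etc/ssl/certs/example-ad-ca.pem"

<Location "/svn">
    AuthType Basic
    AuthName "Domain account"
    AuthBasicProvider ldap

    # Search base, login attribute, scope and filter for the user lookup.
    # ldaps:// encrypts both the service bind and the user's password in transit.
    AuthLDAPURL "ldaps://dc1.example.internal:636/OU=Staff,DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"

    # The "authorized user": a read-only service account, not an administrator.
    AuthLDAPBindDN "CN=svc-web-ldap,OU=Service Accounts,DC=example,DC=internal"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    Require valid-user
</Location>
```

Because the file holds the service account password in clear text, it should be readable only by the account the web server starts as.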




