nginx + windows integrated auth/ntlm/ldap/etc/etc

mike mike503 at gmail.com
Fri Dec 12 12:10:28 MSK 2008


I've revised this after talking to a coworker... I'd like to revise
the technical details of this original request.

I want to get SPNEGO-capable authentication into nginx, so it can be
adopted and used inside of enterprises with Active Directory for SSO -
not using pam_smb or LDAP only, as that doesn't make for an entirely
seamless experience. I want Kerberos support for Integrated Windows
Authentication - that is what is expected in our enterprise and not
having to prompt the user for their username/password and such.

I've posted this on RentACoder - it's not live yet, but when it is it
will be bid request ID 1064860.

If anyone is interested, please let me know! I am willing to pay, and
may in fact be able to raise extra cash by other parties for this.
Please email me on or off list.

It should be as simple as a couple libraries (openldap, openssl,
libkrb5? I don't know) and some simple configuration like:


auth_spnego on;
auth_spnego_controller adserver1.foo.com adserver2.foo.com; (if this
makes sense)
auth_spnego_timeout 7d; (if not defaulted by the libraries etc.)
... etc ...


Here's some links/info about SPNEGO and some source code in various
languages to use for example...

http://en.wikipedia.org/wiki/SPNEGO

http://modgssapache.sourceforge.net/ - probably the best C source to leverage

http://mbechler.eenterphace.org/blog/index.php?/archives/5-php_krb5-beta-Negotiate-auth-with-GSSAPI-for-PHP.html
- mod_krb5 - quite possibly even better C source

http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html

http://msdn.microsoft.com/en-us/library/ms995329.aspx

http://msdn.microsoft.com/en-us/library/ms995330.aspx

http://tools.ietf.org/html/rfc2478 - possibly might have info

http://osdir.com/ml/encryption.kerberos.general/2003-09/msg00019.html
- modgssapache uses APIs from microsoft, tested on linux/solaris,
mod_spnego tested on all major platforms

http://bofriis.dk/spnego/spnego_client.html - java implementation

http://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html
- websphere implementation

http://dev.taglab.com/sites/taglab-public/support/spnego.html -
another java implementation

http://www.openldap.org/lists/openldap-devel/200801/msg00070.html -
possibly added into openldap

mod_auth_kerb for apache might also have some source

samba 3.0.7+ might have source (see a reference to libsmb/spnego.c)

http://www.ioplex.com/ - PHP support for SPNEGO


On Wed, Jun 25, 2008 at 11:38 PM, mike <mike503 at gmail.com> wrote:
> Igor, et al:
>
> Anyone here know the internals of an XP-based network (running the
> newer Active Directory-like LDAP stuff, not the old style samba domain
> controller stuff) and if it would be easy to support it in nginx?
>
> I'd love to be able to role model nginx inside of our enterprise
> environment as well as externally, and what better way than to have it
> support IE's built-in authentication (I don't know the exact specifics
> and what to call it) - I think Firefox supports it too (it prompts you
> once with an HTTP auth dialog, but then seems to remember that)
>
> It's some challenge response mechanism. It would require nginx to
> speak to a domain controller (basically I think perl's Authen::SMB at
> one time worked) - I don't know if it speaks LDAP nowadays strictly or
> what; someone knowledgeable with the protocol would need to be involved
> to make sure it was implemented correctly...
>
> Just thought I'd bring it up. Maybe someone has some ideas. It's
> another item on my wishlist that I'd be willing to sponsor $$ wise...
>
> Thanks!
>
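The Negotiate exchange asked for above is carried in HTTP as a 401 with "WWW-Authenticate: Negotiate", answered by "Authorization: Negotiate <base64 token>" (RFC 4559); the token is either a raw NTLMSSP message or a GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit that lists the mechanisms the client offers. As an added example (not from this post, from nginx, or from any of the linked projects), the Python below decodes that header far enough to tell whether a client offered Kerberos or fell back to NTLM, the seamless-versus-prompt distinction the post cares about; the sample tokens are constructed, not captured from a real client.

```python
import base64

MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",      # mechanisms Windows clients offer
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0         # first byte packs two arcs
    for b in raw[1:]:                                  # base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify_negotiate(header):
    """Return ('ntlm', []), ('spnego', [offered mechanism names]) or ('unknown', [])."""
    try:
        scheme, _, b64 = header.strip().partition(" ")
        tok = base64.b64decode(b64) if scheme.lower() == "negotiate" else b""
        if tok.startswith(b"NTLMSSP\x00"):             # raw NTLM, no SPNEGO wrapper
            return "ntlm", []
        tag, p, _ = _tlv(tok, 0)                       # [APPLICATION 0] InitialContextToken
        tag2, q, oid_end = _tlv(tok, p)                # thisMech must be the SPNEGO OID
        if tag != 0x60 or tag2 != 0x06 or _oid(tok[q:oid_end]) != "1.3.6.1.5.5.2":
            return "unknown", []
        _, p, _ = _tlv(tok, _tlv(tok, oid_end)[1])     # [0] negTokenInit -> SEQUENCE
        tag, p, _ = _tlv(tok, p)                       # [0] mechTypes (OPTIONAL in ASN.1)
        _, p, list_end = _tlv(tok, p) if tag == 0xA0 else (0, 0, 0)  # SEQUENCE OF MechType
        mechs = []
        while p < list_end:
            _, s, e = _tlv(tok, p)
            mechs.append(MECH_NAMES.get(_oid(tok[s:e]), _oid(tok[s:e])))
            p = e
        return "spnego", mechs
    except (ValueError, IndexError):                   # bad base64 or truncated DER
        return "unknown", []

# Constructed samples (not from a real client): a SPNEGO NegTokenInit offering
# Kerberos then NTLMSSP, and a raw NTLM Type 1 message.
SPNEGO_TOKEN = bytes.fromhex("6027" "06062b0601050502" "a01d" "301b" "a019" "3017"
                             "06092a864886f712010202" "060a2b06010401823702020a")
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(SPNEGO_TOKEN).decode()
SAMPLE_NTLM = "Negotiate TlRMTVNTUAABAAAA"
```

A client that lists only NTLMSSP, or sends a raw NTLMSSP token, never obtained a Kerberos ticket for the server's SPN, which is the condition an nginx module like the one requested would have to reject or log rather than silently fall back on.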
