auth_ldap

Kon Wilms konfoo at gmail.com
Tue Aug 19 03:48:53 MSD 2008


On Mon, Aug 18, 2008 at 4:30 PM, mike <mike503 at gmail.com> wrote:
> That's hopefully what someone would be working out if I paid :)
>
> I want to get nginx adopted everywhere including internally on our
> intranet. But we have WIA/NTLM/whatever the integrated authentication
> in IE6, IE7 and our Active Directory domain accounts.
>
> It's in IE6/IE7 and called WIA I believe (Windows Integrated
> Authentication) that uses NTLM/LDAP/whatever to transparently identify
> you based on your domain account is what I need. I tried to get this
> support in Lighttpd, but I no longer use or care about Lighty. I am
> all about nginx now.

Well, there's not much to work out besides the implementation. :)

I am using Apache and ldap auth against 2k3 and 2k8 for SSO support in
our organization (for the few apps that require it i.e. subversion
users, etc.). The trick with 2k3 and 2k8 is that you need an
authorized user in the OU or group that has rights to query the
directory -- it cannot be done anonymously anymore as was the case
with 2k (IIRC).

2k8 royally broke everything for me as well, in that you can't query
across domains that are in the same forest, whereas with 2k3 you
could. But that is more of an Apache bug than anything else. The
downside with this annoyance is that if domain1 is being accessed with
ldap auth for a user in domain2, the dummy query account can't find
out about domain2's users. So you have to duplicate users on domain1
from domain2, and you're left with what can best be described as a CSO
clusterf*ck of a solution.

Markus, if you're listening, that may be something to note (there is an
outstanding authnz_ldap bug related to this).

Sigh.

Cheers
Kon
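As an added illustration of the setup Kon describes (this is not configuration from the post or from the Apache project), here is an Apache 2.2-style mod_authnz_ldap block that binds with a dedicated read-only service account, since, as the post notes, 2k3/2k8 no longer answer anonymous directory queries. Hostnames, DNs, the group name and the password are placeholders. One assumption beyond the post: the URL points at the Global Catalog port (3268), which returns objects from every domain in the forest, so the query account can resolve domain2 users when domain1 is the one being bound to.

```apache
# Added example, not from the mailing-list post. All names are placeholders.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /svn>
    AuthType Basic
    AuthName "Intranet (domain account)"
    AuthBasicProvider ldap

    # Global Catalog port 3268 answers for every domain in the forest; a plain
    # domain controller on 389 would only know its own domain's users.
    # In production use ldaps:// on 3269 with LDAPTrustedGlobalCert, and serve
    # this location over HTTPS, because Basic auth sends the password itself.
    AuthLDAPURL "ldap://dc1.example.internal:3268/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"

    # Service account used only to search the directory; give it no rights
    # beyond reading user and group objects, and rotate its password.
    AuthLDAPBindDN "CN=svc-ldap-query,OU=Service Accounts,DC=example,DC=internal"
    AuthLDAPBindPassword "PLACEHOLDER-change-me"

    # Authorize on group membership rather than "any account that can bind".
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=Subversion Users,OU=Groups,DC=example,DC=internal
</Location>
```

The important check when testing this is that a valid account that is *not* in the group gets a 401 rather than access: a misplaced `Require valid-user` would silently turn "can authenticate" into "is authorized".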
