0. Install the Apache module mod_auth_pam.
1. Connect the Linux host to the Windows domain. From the menus, select: Administration -> Authentication -> Authentication -> Winbind
Configure winbind and click the "Join" button. Note that this requires the Windows administrator's username and password.
2. Edit the system's services and enable winbindd to run on startup.
Now these commands should work:
wbinfo -u
wbinfo -g
wbinfo -a DOMAIN\\username%password
For example:
wbinfo -a XYZ\\jsexton%my_password
should successfully authenticate jsexton against the NT domain XYZ.
3. Set up PAM's http configuration. Note the use of pam_permit.so. Without it, PAM checks for a valid local account and fails. You'll find references out there to making /etc/shadow readable by httpd for this reason, but using pam_permit avoids that problem. This took a while to figure out because I was using myself as the test user and I do in fact have a local account. What I hadn't realized was that PAM was not smart enough to deal with the leading Windows domain on the username: user "jsexton" existed on the Linux box, but "XYZ\jsexton" did not. Not having to enter the Windows domain with the username when logging in would also solve the problem, but I don't see how to make that happen in the winbindd setup for an NT domain.
File /etc/pam.d/http
#%PAM-1.0
auth sufficient pam_winbind.so debug
#account required pam_winbind.so debug
account required pam_permit.so
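The trade-off in that stack is worth checking mechanically: pam_permit.so always succeeds, so with it as the only account module nothing ever evaluates the domain user's account state. The following linter is an added example, not code from the original post; it parses a PAM service file in the format above and reports that and two other points. Both sample stacks are constructed inline rather than read from the system, and the second one is only a comparison input, not a tested configuration.

```python
# Added example: lint a PAM service stack such as /etc/pam.d/http from the post.
# Sample stacks are constructed inline; nothing is read from the running system.
from typing import List, NamedTuple

class PamRule(NamedTuple):
    type: str        # auth, account, password, session
    control: str     # required, sufficient, ... or "[success=ok ...]"
    module: str      # e.g. pam_winbind.so
    args: List[str]  # module arguments such as "debug"

def parse_pam(text: str) -> List[PamRule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) < 3:
            continue
        if parts[1].startswith("["):           # bracket control syntax spans words
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            parts = [parts[0], " ".join(parts[1:end + 1])] + parts[end + 1:]
        rules.append(PamRule(parts[0], parts[1], parts[2], parts[3:]))
    return rules

def lint_pam(rules: List[PamRule]) -> List[str]:
    auth = [r for r in rules if r.type == "auth"]
    account = [r for r in rules if r.type == "account"]
    findings = []
    if not any(r.module == "pam_winbind.so" for r in auth):
        findings.append("auth: pam_winbind.so missing, domain logins cannot succeed")
    if any("debug" in r.args for r in auth + account):
        findings.append("debug: pam_winbind logs verbosely to syslog, remove once working")
    if account and all(r.module == "pam_permit.so" for r in account):
        findings.append("account: only pam_permit.so, account state is never checked")
    return findings

# The stack from the post, as constructed sample input.
POST_STACK = """#%PAM-1.0
auth sufficient pam_winbind.so debug
account required pam_permit.so
"""
# Constructed comparison input: winbind also answers the account phase.
WINBIND_ACCOUNT_STACK = """auth sufficient pam_winbind.so
account required pam_winbind.so
"""

if __name__ == "__main__":
    for name, text in (("post", POST_STACK), ("winbind-account", WINBIND_ACCOUNT_STACK)):
        print(name, lint_pam(parse_pam(text)) or ["no findings"])
```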
4. Set Apache to load PAM:
File /etc/httpd/conf.d/auth_pam.conf
LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
5. Protect a sample directory:
File /etc/httpd/conf/http.conf
Alias /test/ "/test/"
<Directory "/test">
AllowOverride None
Allow from all
Order Deny,Allow
AuthType Basic
AuthName "AUTH TEST"
AuthPAM_Enabled on
Require valid-user
</Directory>
Now loading http://localhost/test/ should ask for a name and password and authenticate against the Windows domain (note the trailing slash on the URL). Enter the Windows domain in the username with one backslash, i.e. "XYZ\jsexton". Watch /var/log/messages and /var/log/httpd/error_log for information. The exact location of some of these files may vary on your system.