[ubuntu] Replacing IIS server with Ubuntu LAMP server

March 7th, 2010, 08:48 PM
I am trying to replace our Intranet Web Server (Win2K / IIS) with an Ubuntu 9.10 LAMP server. Our hosts are Active Directory Domain PC's running XP Pro with IE8. I have been struggling to get "Single Sign On" working for pages that need to be restricted to members of specific AD security groups. Joining Ubuntu to the domain and authenticating an individual AD user with kerberos proved to be fairly easy but it does not satisfy my AD group requirements. It seems to me that this would be a pretty common scenario but I am finding that howto's on this subject are scarce and not very detailed. Has anyone successfully gotten this working on 9.10 and if so, which Apache modules did you end up using? A nudge in the direction of a really good tutorial on the subject would be very much appreciated.

March 7th, 2010, 11:07 PM
I am not aware of any Apache modules that function interactively with AD DS. Samba 5 will have better interaction with AD DS in the future, but that is not what you are after. I authenticate Ubuntu 9.10 with AD, but Apache and the XP clients are two different systems altogether.

I suggest that you control access to web pages or content with a CMS or on an ip basis. If your AD groups are restricted to a certain ip range, it would be easy enough to write a simple .htaccess file and restrict access in that manner, making authentication somewhat of a moot point.

March 8th, 2010, 10:16 AM
But that would not help if users may sign in from different workstations at different times.

Example: a workstation on a hospital LAN where a doctor may log in in the morning and have access to certain pages, but a secretary may log in from the same machine later in the day using her own AD credentials, and she should not have access to those pages.

Could AD not be used to restrict access on an Apache Webserver?

March 8th, 2010, 02:00 PM
I found this article (http://www.debianhelp.co.uk/apachead.htm). Perhaps, it may be of some help. Otherwise...

March 8th, 2010, 08:11 PM

Could AD not be used to restrict access on an Apache Webserver?

Yes, it can.
You're probably looking for this:

but keep in mind that MS's implementation of LDAP, AD, does not always follow the standard so it can be quite tricky.

I've played with this for a while and got as far as managing access based on users, but not groups.

This seems to be going in the right direction:

March 10th, 2010, 03:57 AM
Since my original post I have made a little headway on the project. Using the Apache ldap module and the following .htaccess file I can allow access to a directory only for users in the WWW_1 Active Directory security group.
# Basic authentication against AD through mod_authnz_ldap (Apache 2.2)
AuthType Basic
AuthBasicProvider ldap
AuthName "WWW_1 Authorization"
# Off: a failed ldap-group check is handed on to other authorization modules instead of being final
AuthzLDAPAuthoritative Off
# Global catalog port 3268; users are looked up by sAMAccountName; the trailing NONE means plain LDAP without TLS
AuthLDAPUrl "ldap://example-dc1:3268/dc=example,dc=ex?sAMAccountName??(objectClass=*)" NONE
# Account used to search the directory (its password is stored in clear in this file)
AuthLDAPBindDN administrator@example.ex
AuthLDAPBindPassword xxxxxxxx
# AD's member attribute holds full DNs, so compare the user's DN against it
AuthLDAPGroupAttributeIsDN on
Require ldap-group cn=www_1,cn=Users,dc=example,dc=ex
I still get prompted for the username and password though. I was hoping that Internet Explorer would pass the credentials of the logged on user for me and accomplish true Single Sign On for the users.
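The Kerberos single sign-on the post above is after, combined with the AD group check it already has, as an added example that is not from this thread or any of its posters. It assumes Apache 2.2 on Ubuntu 9.10 with mod_auth_kerb (package libapache2-mod-auth-kerb) and mod_authnz_ldap enabled, the realm EXAMPLE.EX, a global catalog on example-dc1:3268, a keytab at /etc/apache2/http.keytab holding HTTP/www.example.ex@EXAMPLE.EX (on a Samba-joined host, `net ads keytab add HTTP` creates it), and a dedicated read-only bind account svc-apache-ldap. The hostnames, realm, paths, account and group name are placeholders; the same directives work in a .htaccess file when AllowOverride AuthConfig is set.

```apache
# Added example, not the thread's own config. Assumed: Apache 2.2, mod_auth_kerb,
# mod_authnz_ldap, realm EXAMPLE.EX, DC example-dc1, keytab /etc/apache2/http.keytab.
<Directory /var/www/restricted>
    # Step 1: authenticate the user with the Kerberos ticket IE sends via Negotiate
    AuthType Kerberos
    AuthName "WWW_1 Authorization"
    KrbAuthRealms EXAMPLE.EX
    KrbServiceName HTTP
    # keytab must be readable by www-data only; it is as sensitive as a password
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate On
    # No password fallback: a failed Negotiate stays visible as a 401 instead of
    # becoming a Basic-auth dialog that sends the AD password over plain HTTP
    KrbMethodK5Passwd Off
    # Strip @EXAMPLE.EX so REMOTE_USER is the plain sAMAccountName the filter
    # below searches on (with this Off, search on userPrincipalName instead)
    KrbLocalUserMapping On

    # Step 2: authorize by AD group. The user was already authenticated by
    # Kerberos, so mod_authnz_ldap only searches for the user's DN and tests
    # group membership; no user password is ever sent to the directory.
    AuthLDAPUrl "ldap://example-dc1:3268/dc=example,dc=ex?sAMAccountName?sub?(objectClass=user)" NONE
    AuthLDAPBindDN "cn=svc-apache-ldap,cn=Users,dc=example,dc=ex"
    AuthLDAPBindPassword "change-me"
    # AD groups list members as full DNs in the member attribute
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # On: a user outside the group is denied here, nothing else gets a say
    AuthzLDAPAuthoritative on
    Require ldap-group cn=WWW_1,cn=Users,dc=example,dc=ex
</Directory>
```

Three things must hold before the browser sends a ticket without prompting: the client must treat the site as Local intranet (by group policy or by hand in the IE zone settings), the hostname in the URL must match the HTTP/ SPN in the keytab, and the clocks of client, server and DC must agree within Kerberos' five-minute skew. The bind account only needs read access, but its password sits in the file in clear and port 3268 without TLS puts it on the wire, so once the DC's CA certificate is installed, switch to ldaps://example-dc1:3269 with LDAPTrustedGlobalCert. Apache 2.2's ldap-group check is not recursive: a user who is only a member of a nested group is denied.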

March 10th, 2010, 08:41 PM
Cool. (I'll save that config just in case I ever want to have another go at it.)

For the SSO, I wonder: is it that IE doesn't pass on the credentials, or that Apache doesn't process them and comes up with a prompt instead?
On IIS, that would be "Integrated Authentication" or so. I wonder if Apache has anything like that.

March 10th, 2010, 10:38 PM
I don't think IE attempts to login at all by default except ftp sites where it tries "anonymous".

March 11th, 2010, 06:56 PM
I don't think IE attempts to login at all by default except ftp sites where it tries "anonymous".

It does;
it's an option you can configure somewhere in IE options -> Security.
Among the choices are 'anonymous', prompt, use Windows logon credentials, ...

August 30th, 2012, 05:22 PM
This is a little old, but for those wondering how to get IE to pass Windows credentials: you need to add your domain name to the Local intranet security zone under Tools > Options > Security Tab > Sites > Advanced. Only Internet Explorer would be so convoluted as to bury a config that deep. You can also have your Windows admin set this in group policy so you do not need to change every single workstation.

See: http://technet.microsoft.com/en-us/library/dd572939%28v=office.13%29.aspx

August 31st, 2012, 05:40 AM
Necromancing - thread closed.

From the Ubuntu Forums Code of Conduct (http://ubuntuforums.org/index.php?page=policy).

If a post is older than a year or so and hasn't had a new reply in that time, instead of replying to it, create a new thread. In the software world, a lot can change in a very short time, and doing things this way makes it more likely that you will find the best information. You may link to the original discussion in the new thread if you think it may be helpful.