Thursday, January 7, 2010

Re: [fw-auth] How to bring NTLM Support to ZF

Yeah, the part with group membership is not very convenient. We work around it with Zend_Ldap by polling the AD server from within PHP.

--
Best Regards,
Sergey Syrota


On Thu, Jan 7, 2010 at 11:05 AM, Michael B Allen <ioplex@gmail.com> wrote:
Bear in mind that mod_auth_ntlm_winbind requires "joining" the
machine to AD and running the Samba winbind daemon. And note that
because this all happens at the Apache layer, you will not have much
language level control (such as using SIDs supplied during the
NETLOGON step to check group membership). So it's not clear to me what
would be left for a Zend_Auth module to actually do. At least it would
not need to be specific to NTLM. You might as well just make a
"Zend_Auth_Apache" component or some such that worked with all of the
mod_auth_whatever modules from Apache.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

On Thu, Jan 7, 2010 at 11:19 AM, Sergii Syrota <serg.syrota@gmail.com> wrote:
> We've implemented NTLM authentication using this module.
> Works great. Apache takes care of the NTLM part, and by the time Zend_Auth runs
> there is already an authenticated username in the environment (or a 403 to the
> user).
> Works in IE (with default security settings if the site is in the "local intranet"
> or "trusted" zone) and Firefox (if the domain is added
> to network.automatic-ntlm-auth.trusted-uris in about:config). Other browsers
> show a username/password prompt, but if you enter the AD username/password
> it authenticates without any problems.
>
> --
> Best Regards,
> Sergey Syrota
>
>
> On Thu, Jan 7, 2010 at 9:16 AM, Michael B Allen <ioplex@gmail.com> wrote:
>>
>> On Thu, Jan 7, 2010 at 8:56 AM, Cornelius Weiss <c.weiss@metaways.de>
>> wrote:
>> > Hi,
>> > I need to implement NTLM auth support. NTLM is a kind of HTTP
>> > Authentication, so imho it belongs somewhere in the scope of the
>> > Zend_Auth_Http Adapter.
>> > Reading the code of Zend_Auth_Http, I realised that I can't add NTLM
>> > support without changing the Zend_Auth_Http class.
>> > So please advise which way to go:
>> > - Let Basic and Digest also be extra classes -> having
>> > Zend_Auth_Http_Basic
>> > / ... or
>> > - Have Basic and Digest in the Http base class and implement a plugin
>> > structure for others
>>
>> Hi Cornelius,
>>
>> Note that any solution would have to implement NTLMv2. Virtually all
>> of the existing NTLM solutions out there with the exception of a few
>> like our stuff and Samba's do not do NTLMv2 - they do the lowly,
>> insecure and now obsolete NTLMv1. Authenticating clients using NTLMv2
>> requires doing MSRPC with SecureChannel which is to say it is probably
>> something you do not want to mess with.
>>
>> Mike
>>
>> --
>> Michael B Allen
>> PHP Active Directory Integration
>> http://www.ioplex.com/plexcel.html
>>
>
>

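The thread settles on letting Apache (mod_auth_ntlm_winbind) do the NTLM exchange and having PHP consume the resulting REMOTE_USER, with group membership checked afterwards through Zend_Ldap. Below is an added example of what such a "Zend_Auth_Apache"-style adapter could look like. It is not code from the thread participants or from Zend Framework; the class name My_Auth_Adapter_Apache, the host names, the service account and the group DN are assumptions, and it relies only on the public Zend_Auth and Zend_Ldap APIs of ZF 1.x.

```php
<?php
// Added example, not from the thread or from Zend Framework.
// Consumes the identity that Apache's auth module already established and
// enforces AD group membership with Zend_Ldap. All names below are assumed.
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/Interface.php';
require_once 'Zend/Auth/Result.php';
require_once 'Zend/Ldap.php';
require_once 'Zend/Ldap/Filter.php';

class My_Auth_Adapter_Apache implements Zend_Auth_Adapter_Interface
{
    private $_server;          // copy of $_SERVER, injected for testability
    private $_ldapOptions;     // Zend_Ldap option array (service account bind)
    private $_requiredGroupDn; // DN of the AD group the user must belong to

    public function __construct(array $server, array $ldapOptions, $requiredGroupDn)
    {
        $this->_server          = $server;
        $this->_ldapOptions     = $ldapOptions;
        $this->_requiredGroupDn = $requiredGroupDn;
    }

    public function authenticate()
    {
        // REMOTE_USER and AUTH_TYPE are CGI variables set by the server after
        // its own auth phase. A client cannot inject them: request headers are
        // exposed to PHP as HTTP_* variables, never as REMOTE_USER. Refuse to
        // proceed unless both are present, so a misconfigured vhost without the
        // auth module fails closed instead of letting everyone in.
        if (empty($this->_server['REMOTE_USER']) || empty($this->_server['AUTH_TYPE'])) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null,
                array('No identity was established by the web server'));
        }

        // winbind hands back DOMAIN\user or DOMAIN+user depending on the
        // configured separator; keep only the sAMAccountName for the LDAP lookup.
        $identity = $this->_server['REMOTE_USER'];
        $account  = preg_replace('/^.*[\\\\+]/', '', $identity);

        if (!$this->_isMemberOf($account, $this->_requiredGroupDn)) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE, $account,
                array('Account is not a member of the required group'));
        }
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $account);
    }

    // Direct membership check via the user's memberOf attribute.
    // Zend_Ldap_Filter::equals() escapes the values, so a crafted REMOTE_USER
    // cannot alter the filter structure.
    private function _isMemberOf($sAMAccountName, $groupDn)
    {
        $ldap = new Zend_Ldap($this->_ldapOptions);
        $ldap->bind(); // binds as the service account from the options

        $filter = Zend_Ldap_Filter::andFilter(
            Zend_Ldap_Filter::equals('objectClass', 'user'),
            Zend_Ldap_Filter::equals('sAMAccountName', $sAMAccountName),
            Zend_Ldap_Filter::equals('memberOf', $groupDn)
        );
        $result = $ldap->search($filter, $this->_ldapOptions['baseDn'],
                                Zend_Ldap::SEARCH_SCOPE_SUB, array('sAMAccountName'));
        return $result->count() === 1;
    }
}

// Usage (assumed directory and group; adjust to your forest):
$adapter = new My_Auth_Adapter_Apache($_SERVER, array(
    'host'              => 'dc1.example.internal',
    'useStartTls'       => true,
    'username'          => 'svc_web@example.internal',
    'password'          => 'change-me',
    'accountDomainName' => 'example.internal',
    'baseDn'            => 'DC=example,DC=internal',
), 'CN=WebApp Users,OU=Groups,DC=example,DC=internal');

$result = Zend_Auth::getInstance()->authenticate($adapter);
if (!$result->isValid()) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
```

Two caveats a deployment should keep in mind: memberOf only reflects direct membership, so nested groups need a recursive lookup (or an LDAP_MATCHING_RULE_IN_CHAIN filter on servers that support it), and the adapter is only as trustworthy as the Apache configuration in front of it, since it never sees the NTLM exchange itself.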