Windows domain-based transparent logon with Linux server?

Added by Jon Povey over 15 years ago

Hi all,

I am setting up Redmine + Apache2 + svn 1.5.4 on an Ubuntu 8.04 server.
I have the basics working with simple passwd file based auth. We have a Windows domain here that I'd like to authenticate against, ideally to do the transparent automatic logon thing (All windows clients, logged onto the domain).

I know mod_auth_sspi is available for this on Windows, but is it possible from Linux? I have looked into this before and vaguely remember something about using Samba, and maybe PAM and SASL.

If anyone has done this I'd really appreciate some clues.

Also, does Windows transparent logon only work with IE, or does it work with Firefox as well? I think most of us use Firefox here.

Thanks.


Replies (4)

RE: Windows domain-based transparent logon with Linux server? - Added by Yassen Damyanov over 15 years ago

You probably know much more than me about this issue, but just to share a thought: isn't a Windows Active Directory actually an LDAP server? If so, and your domain controller is based on that, how about tuning Redmine to auth against the LDAP directory?

RE: Windows domain-based transparent logon with Linux server? - Added by Jon Povey over 15 years ago

Yes, for the moment I have gone with this approach. It was pretty straightforward to authenticate against the ADS as LDAP, although it did require this patch to allow usernames with spaces: http://www.redmine.org/issues/show/811

This gives you the same account details as Windows, but no transparent logon.
Having looked into it a bit more, though, it appears (though I'm not sure) that:
  • Transparent SSPI auth on Linux is tricky to set up, using winbind or Kerberos possibly
  • It only works with IE, no other browsers
  • You have to make IE client security settings tweaks on all clients

All pretty off-putting, so I will stick with the LDAP solution for now.

RE: Windows domain-based transparent logon with Linux server? - Added by Carsten Schurig over 15 years ago

Setting up Apache/SVN authentication to an ADS is easy to do using winbind/Kerberos and auth_pam. There are plenty of howtos available providing information on doing that. A good starting point is even the SVN book (http://svnbook.red-bean.com/). This works flawlessly. To the "outside" it looks like a normal Apache authentication.

Of course using LDAP directly in Apache isn't a big difference. Winbind/Kerberos/PAM is good if you want to use the ADS connection for other services as well...

If everyone gets a Redmine account you can attach Redmine using LDAP to ADS and use Redmine.pm to do the auth for SVN. This is not a big difference to using LDAP directly. The advantage is that, theoretically, you can mix external (LDAP) and internal (Redmine) logins, e.g. if you want to give access to users that don't have an account on your ADS. But I had problems with Redmine.pm and LDAP access to an ADS even though Redmine itself could authenticate. As we are a small company and are using the Redmine user database for all external users anyway, I did stop investigating it.

RE: Windows domain-based transparent logon with Linux server? - Added by dan collins about 15 years ago

I skipped winbind/pam/etc altogether and used mod_ntlm with Apache 2.2. Mind you, I'm using this for a svn server and not redmine (not using redmine yet). This works for me because the svn repo is for internal use (all on the same domain controller) only.

LDAP against active directory in apache requires you to add a password in the apache config... in plain text.

Also it does work with Firefox. Go to about:config and add your host under trusted-uris.
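
The concern raised above about the LDAP bind password sitting in the Apache config can be checked on a server with a small audit script. This is an added example, not part of the thread or of Redmine; it assumes the mod_authnz_ldap directive `AuthLDAPBindPassword` (including its `exec:` form, available from Apache 2.4.5), and the sample config, DN, secret and helper path are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag LDAP bind passwords stored inline
# in Apache config files, and config files holding one that are world-readable.

# make_sample FILE: write a constructed config (DN, secret and paths are made up).
make_sample() {
cat > "$1" <<'EOF'
<Location /svn>
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN "CN=svc-apache,OU=Service,DC=example,DC=test"
  AuthLDAPBindPassword "constructed-not-a-real-secret"
  # AuthLDAPBindPassword commented-out-old-value
</Location>
<Location /redmine>
  authldapbindpassword exec:/usr/local/bin/ldap-bind-secret
</Location>
EOF
}

# audit_ldap_bind FILE...: print one finding per line, always return 0.
audit_ldap_bind() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: unreadable, skipped" >&2
            continue
        fi
        # Directive names are case-insensitive; an exec: value means the
        # password comes from a helper program instead of the file itself.
        hits=$(awk -v file="$f" '
            /^[ \t]*#/ { next }
            tolower($1) == "authldapbindpassword" {
                val = $2; gsub(/"/, "", val)
                if (tolower(val) !~ /^exec:/)
                    printf "%s:%d: inline AuthLDAPBindPassword\n", file, NR
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            # -perm -004 matches when the "other" read bit is set.
            if [ -n "$(find "$f" -prune -perm -004)" ]; then
                printf '%s: holds a bind password and is world-readable\n' "$f"
            fi
        fi
    done
    return 0
}

# Demo on the constructed sample (mktemp creates it with mode 0600).
tmp=$(mktemp) && make_sample "$tmp" && audit_ldap_bind "$tmp"
rm -f "$tmp"
```

A finding is resolved either by restricting the file to the account that starts Apache or by switching the directive to an `exec:` helper.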
