We are/have been looking for this same information, along with retrieving
all the NT groups that a user is a part of and using that for permissions
also. What I've found is some Apache mods which use Samba to perform this.
Actually, the Samba group is working on something called winbind (or it
used to be) in which your Linux/Unix box would have all
authorization/authentication performed against the domain controller
(including groups). So the knowledge is in the Samba group/code. The mod
we're using here is mod_pam and then using pam_smb. Mod_pam allows Apache
to use the underlying PAM authorization architecture and pam_smb adds the
ability to auth against an NT box.
http://pam.sourceforge.net/mod_auth_pam/
http://www.csn.ul.ie/~airlied/pam_smb/
Now there is another project, spawned from the Samba project, called jcifs
(jcifs.samba.org), which is implemented in Java and allows access to NT file
shares/printers. In order to accomplish this, one must authenticate against
the domain. Hopefully, this library will have everything you need (and we
need) eventually.
Any other options I'd be greatly interested in hearing as our company is
slow to switch to Win2k. What I've been thinking about doing is
implementing the service interfaces to create a system where the users
authenticate against NT, get group membership from NT, but still have a db
backend for session storage.
> -----Original Message-----
> From: Diethelm Guallar, Gonzalo [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 29, 2001 11:30 AM
> To: 'Turbine'
> Subject: [OT] Linking a webapp login to an NT domain controller?
>
> [This is for a Turbine-based app, that's why I'm posting
> this OT question here.]
>
> Is there any way to ask a user (on the browser) for a
> name/password combination and have the web (or app)
> server validate that against an NT4 domain controller?
> The web/app server could be anything; right now, it
> is IIS and Resin, but I'm looking for a generic
> answer that applies to Apache/IIS/others, and to
> Resin/Tomcat/others. Any hints?
>
> I understand Win2K has some kind of directory in it
> (Active Directory?), which exports at least part of
> its functionality via LDAP. Is this correct? If yes,
> does this fact make it simpler to implement the
> functionality I'm looking for over Win2K than it is
> to implement it over WinNT?
>
> Thanks in advance,
>
>
> --
> Gonzalo A. Diethelm
> [EMAIL PROTECTED]
>
>
> ------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>
> Problems?: [EMAIL PROTECTED]
>