Apache Lounge
Will there be a mod_auth_sspi for 2.4?

PipoDeClown

Joined: 20 Dec 2005
Posts: 76

Posted: Wed 22 Feb '12 21:57    Post subject: Will there be a mod_auth_sspi for 2.4?

see title Smile

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Thu 23 Feb '12 0:32

I don't think so. There has been no development for a long time. There is no longer a required function the module uses in the new Apache.

Also there are some security bugs in it.

example

Code:

<IfModule !mod_auth_sspi.c>
    LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
<IfModule mod_auth_sspi.c>
    <Location /protected/>
        AuthName "A Protected Place"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIOfferBasic On
        SSPIBasicPreferred On
        require valid-user
    </Location>
</IfModule>


with that configuration, try this.

When the login prompt comes up, type in nothing and just press the OK
button twice (for me it is press it twice).

When I do this, I get to the protected (supposedly) document. Moving
around from any links on that document, I just have to keep pressing
OK twice. Never do I actually need a valid username or password. If I
type in invalid data, I will never get in.

It has to do with the NT_ANNONYMOUS user in Windows, and depending on
which OS Apache is on (XP vs. Vista) depends on what I see in the
whoami script.

I haven't messed around that much with the Require statement, but
because the example config uses valid-user, and valid-user allows
bypass, I do not want to put this module up at our site.
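
A defender-side check for the behaviour described in the post above, added here as an example (it is not code from the thread or from the module): a Python scan of an Apache access log for successful responses under the protected path that carry no named user. How a bypassed request shows up in the `%u` field is an assumption, and the log lines are constructed.

```python
import re

# Prefix of the common/combined log format: %h %l %u %t "%r" %>s
# %u is matched lazily up to the "[" of the timestamp because Windows
# account names can contain spaces.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>.*?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
PROTECTED_PREFIX = "/protected/"   # the <Location> used in the post


def is_suspect_user(user):
    """True when the logged identity is missing or looks anonymous (assumed markers)."""
    u = user.strip().strip('"')
    return u in ("", "-") or "anonymous" in u.lower()


def find_unauthenticated_hits(lines, prefix=PROTECTED_PREFIX):
    """Return (host, user, path) for 2xx/3xx responses under `prefix`
    that were served without a named user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(prefix):
            continue
        status = int(m.group("status"))
        if 200 <= status < 400 and is_suspect_user(m.group("user")):
            hits.append((m.group("host"), m.group("user"), m.group("path")))
    return hits


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Feb/2012:00:30:01 +0100] "GET /protected/ HTTP/1.1" 401 401',
    '10.0.0.5 - - [23/Feb/2012:00:30:04 +0100] "GET /protected/ HTTP/1.1" 200 1532',
    '10.0.0.7 - EXAMPLE\\alice [23/Feb/2012:00:31:10 +0100] "GET /protected/a.html HTTP/1.1" 200 880',
    '10.0.0.9 - NT AUTHORITY\\ANONYMOUS LOGON [23/Feb/2012:00:32:00 +0100] "GET /protected/b.html HTTP/1.1" 200 640',
    '10.0.0.9 - - [23/Feb/2012:00:32:05 +0100] "GET /public/index.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for host, user, path in find_unauthenticated_hits(SAMPLE_LOG):
        print(f"{host} reached {path} as {user!r}")
```

Any hit means the server returned protected content without recording a real account, which is the condition the post describes.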

glsmith
Moderator

Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Thu 23 Feb '12 7:35

Credit given where credit due ... me Wink

I've talked with the maintainer of this module about this bug and that it is not compatible with 2.4.x, we'll see if he ever gets around to it.

EDIT: changed "author" to "maintainer" since neither of the maintainers are the original author from what I know.

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Thu 23 Feb '12 10:58

glsmith wrote:
Credit given where credit due ... me Wink


Yepp Gregg figured that out. I forgot to write that Embarassed

spsellars

Joined: 26 Feb 2012
Posts: 1
Location: US

Posted: Sun 26 Feb '12 13:27

Are there any alternatives to mod_auth_sspi which will work with Apache 2.4 (using Integrated Windows Authentication)?

Unfortunately, requiring our intranet users to manually enter their usernames/passwords isn't an option, so the ldap module won't work for us. And the Kerberos modules only seem implemented on *nix systems.

The only alternative I can come up with for now is forwarding requests to a separate IIS server, starting a session with the AUTH_USER variable from there, and forwarding back to the original page. For obvious reasons I'd prefer not to go that route.

Hoping I'm missing an obvious alternative. Any ideas?

PipoDeClown

Joined: 20 Dec 2005
Posts: 76

Posted: Sun 26 Feb '12 23:29

i'd stick with the 2.2 where sspi is working.

markw

Joined: 24 Nov 2011
Posts: 7
Location: UK

Posted: Wed 18 Jul '12 11:30

Hi Folks,

We're using auth_sspi on our server but would love to move up to Apache 2.4. I was just wondering if there have been any developments in this regard yet?

Thanks!

glsmith
Moderator

Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Wed 18 Jul '12 12:42

There has, but it's far from finished and it's been two months now since there was any work done to it.

markw

Joined: 24 Nov 2011
Posts: 7
Location: UK

Posted: Wed 18 Jul '12 12:50

glsmith wrote:
There has, but it's far from finished and it's been two months now since there was any work done to it.


OK, thanks for the update. Out of interest is there a public page where we can check this status? Also is there anything we could do to support their work?

glsmith
Moderator

Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Wed 18 Jul '12 20:15

Actually, to be honest, I am just assuming it's going to be 2.4 compatible. The one dev that did the 2.0.5-beta is moving to the authnz style (what the difference is I do not know) and since 2.4 is out, I would hope it's going to be 2.4 compatible.

http://mod-auth-sspi.svn.sourceforge.net/viewvc/mod-auth-sspi/branches/mod_authnz_sspi/

I talked to one of the maintainers of record for this and he's busy with libCurl at the moment, there's a new release of that coming I guess, then he wants a break.

I'll keep hinting to him about this though, since my server that I keep some modules on, this one is the most downloaded (a few a day).

markw

Joined: 24 Nov 2011
Posts: 7
Location: UK

Posted: Fri 20 Jul '12 11:21

Ah ok, that makes sense then. Thanks for your efforts and the information.

glsmith
Moderator

Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Fri 24 Aug '12 9:42

Friday, August 24, 2012 12:44 AM PST

I should have one out sometime this weekend.

I've built it in x86 & x64, I've tested it in x86 so far. It doesn't work on XP, that is for sure. It is working fine on my Vista x86 however. I'll be testing it on Win7 x64 maybe tomorrow (well today since it's almost 1am here).

wm003

Joined: 24 Mar 2006
Posts: 88

Posted: Fri 24 Aug '12 10:01

Great News! Thanks a lot for your effort.

Our company still has a lot of XP-developer machines until next summer (yes, we will finally upgrade to Win7!), but as long as it works under Windows Server 2003 (maybe not, because of XP-Kernel?) and Windows Server 2008, I am really looking forward to that, so I can finally test and migrate to Apache 2.4.x

Very Happy

Mandeep

Joined: 18 Sep 2012
Posts: 3
Location: London

Posted: Tue 18 Sep '12 14:21    Post subject: mod_auth_sspi with apache2.4 - Any updates ?

Hi glsmith and wm003,

Did any of you manage to get it working? I have a live server working fine with mod_auth_sspi on Apache 2.2. It's been in place for about 3 years and works like a charm.

However as part of server upkeep and maintenance, we decided to upgrade to Apache 2.4 and PHP 5.4 with a new instance of MySQL. One of the key requirements for intranet users is the need to auto login. Mod_auth_sspi is something I need desperately to be working with 2.4 for this upgrade to happen. Can you guys please put me in the right direction if you managed to implement this successfully!

Many Thanks
Mandeep

PipoDeClown

Joined: 20 Dec 2005
Posts: 76

Posted: Sat 22 Sep '12 8:47    Post subject: authnz binary

Found a binary on Apachehaus for 2.4
https://www.apachehaus.net/modules/mod_authnz_sspi/
Haven't tested it myself yet

Mandeep

Joined: 18 Sep 2012
Posts: 3
Location: London

Posted: Tue 25 Sep '12 14:31

Hi,

I have now managed to get it working. It needed a few tweaks but finally managed to automatically log the users on to the intranet.

If anyone needs help with this, contact me.

I will soon put some config and sample code together and post it here.

Regards
Mandeep

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Tue 25 Sep '12 14:32

Please post your code

Mandeep

Joined: 18 Sep 2012
Posts: 3
Location: London

Posted: Tue 25 Sep '12 14:54

So, just to give everyone a refresher on this. With Apache 2.2 the mod_auth_sspi.so module can be used to auto login users by getting their AD credentials (logged on user on the client machine). This method is very useful when you are working on an intranet.

With Apache 2.4 this module is broken and does not work. If you are upgrading to 2.4 and need this to work, you have to make some changes. The steps below are for Windows 2008 R2, running Apache 2.4 (32 bit version).

Follow these steps to get this working:

1: Download the module from here
https://www.apachehaus.net/modules/mod_authnz_sspi/
(x86 for 32 bit and x64 for 64 bit apache)

2: Copy the mod_authnz_sspi.so from Apache24>>modules folder and place it in the modules folder of your Apache folder on your webserver

3: Under the httpd.conf file (Config file for your apache) place this line of code. Try to load this as the last module

    LoadModule authnz_sspi_module modules/mod_authnz_sspi.so

4: Make sure that the following modules are uncommented

    LoadModule authn_core_module modules/mod_authn_core.so
    LoadModule authz_core_module modules/mod_authz_core.so

PS:- both the above modules are required for this to work.

5: Place the following code in your httpd.conf file

    <Directory "path/to/your/secure/folder">
        Options None
        AllowOverride All
        Order allow,deny
        Allow from all
        #AuthName "SSPI Protected Place"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIOfferBasic On
        SSPIOmitDomain On
        Require valid-user
    </Directory>

6: Restart your apache service and hopefully it should restart without any issues.

7: Now in order to recognise the user, use the following code on a php page (index/main page for internal users)

    <?php
    // REMOTE_USER is "DOMAIN\user", or just "user" when SSPIOmitDomain is On
    $cred = explode('\\', $_SERVER['REMOTE_USER']);
    if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
    list($domain, $user) = $cred;

    // Escape the values before writing them into HTML
    echo "You appear to be user <B>" . htmlspecialchars($user) . "</B><BR/>";
    echo "logged into the Windows NT domain <B>" . htmlspecialchars($domain) . "</B><BR/>";

You should now be able to see the logged on user. Once this is completed you can write SQL/MYSQL queries to identify the user type and redirect them to their appropriate pages/section of the intranet. I would set the Session variables once I have identified the user and queried their information to personalise their intranet pages.

Hope this will be helpful and save people several hours of effort.

Regards
Mandeep

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Tue 25 Sep '12 15:20

The auth config is the old one. The my_cfg.txt in the zip shows the new one from apache 2.4 Wink

glsmith
Moderator

Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

Posted: Tue 25 Sep '12 22:47

Nice to have some confirmation this module works, thank you!

As James said, this is the old 2.2 style access control:
Order allow,deny
Allow from all

In 2.4, that can still be used if and only if mod_access_compat is loaded (which is the default it seems), but if you start using the new style of access granting throughout your config, you can remove the access_compat module, save a shred or two of ram and probably gain a little performance since it doesn't have to be translated every request.

Require all granted

does the same in 2.4 as 2.2's
Order allow,deny
Allow from all
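
The 2.2-to-2.4 access-control change discussed in the last three posts, as an added example (not code from the module or from any poster): a Python check over httpd.conf text that flags 2.2-style directives, and also flags a section where a bare `Require all granted` sits beside `Require valid-user`. Apache 2.4 treats bare `Require` lines in one section as an implicit `<RequireAny>`, so in the SSPI block posted earlier the 2.4 form is to drop `Order`/`Allow` and keep only `Require valid-user`. The function name and sample strings are constructed.

```python
import re

OPEN = re.compile(r'^<(Directory|Location|Files)\b', re.I)
CLOSE = re.compile(r'^</(Directory|Location|Files)\b', re.I)
LEGACY = re.compile(r'^(Order|Allow|Deny|Satisfy)\b', re.I)
AUTHZ_OPEN = re.compile(r'^<Require(All|Any|None)>', re.I)
AUTHZ_CLOSE = re.compile(r'^</Require(All|Any|None)>', re.I)
REQUIRE = re.compile(r'^Require\s+(.+)$', re.I)

def audit_access_control(conf_text):
    """Return (section, finding) pairs for each <Directory>/<Location>/<Files>."""
    findings, section, legacy, requires, depth = [], None, False, [], 0
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if OPEN.match(line):
            section, legacy, requires, depth = line, False, [], 0
        elif section is None or not line or line.startswith("#"):
            continue
        elif CLOSE.match(line):
            if legacy:
                findings.append((section, "2.2-style access directives"))
            # Bare Require lines in one section act as an implicit <RequireAny>.
            auth = any(r.split()[0] in ("valid-user", "user", "group") for r in requires)
            if auth and "all granted" in requires:
                findings.append((section, "'Require all granted' makes login optional"))
            section = None
        elif AUTHZ_OPEN.match(line):
            depth += 1      # Require lines inside a container are not bare
        elif AUTHZ_CLOSE.match(line):
            depth -= 1
        elif LEGACY.match(line):
            legacy = True
        elif depth == 0 and REQUIRE.match(line):
            requires.append(" ".join(REQUIRE.match(line).group(1).lower().split()))
    return findings

# Constructed inputs: a trimmed copy of the posted block, then two 2.4 rewrites.
AS_POSTED = """<Directory "path/to/your/secure/folder">
Order allow,deny
Allow from all
AuthType SSPI
Require valid-user
</Directory>"""
NAIVE_24 = AS_POSTED.replace("Order allow,deny\nAllow from all", "Require all granted")
CLEAN_24 = AS_POSTED.replace("Order allow,deny\nAllow from all\n", "")

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("naive", NAIVE_24), ("clean", CLEAN_24)):
        print(name, audit_access_control(conf))
```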