Pass IIS credentials through LDAP?

Eric Nichols 2006-12-31, 8:29 am
I've never really been able to find a definitive answer on this.
IIS has their Integrated Authentication method which can recognize the
client's credentials. I'd like to take those credentials and bind as that IIS
user to an Active Directory server over LDAP.
Any ideas?
Thanks and happy New Years!

Andrej Ricnik-Bay 2006-12-31, 7:21 pm
On 1/1/07, Eric Nichols <eric@dirwiz.com> wrote:
> Any ideas?
I'm fairly certain (not that I have any Windows expertise
whatsoever) that this works via some RPC or similar
system hooks and has nothing to do with LDAP (or Perl,
for that matter).
Cheers,
Andrej

Ken Cornetet 2007-01-02, 7:20 pm
If you use plain-text authentication, the user's ID and password are
available to the CGI script via environment variables. Fortunately, AD
LDAP binds accept the user ID in the form of DOMAIN\USERID.
Here's a snippet of code:
use strict;
use warnings;
use Net::LDAP;

my $ntdomain = 'MYDOMAIN';          # NetBIOS domain name (placeholder, site specific)
my $dc1      = 'dc1.example.com';   # domain controller (placeholder, site specific)
sub LogAndExit { warn @_; exit 1 }  # helper the snippet calls

# IIS Basic (plain-text) authentication exposes the user's name and password to CGI.
my $userID = $ENV{LOGON_USER};
my $passwd = $ENV{AUTH_PASSWORD};
my $AdminUser1 = "$ntdomain\\$userID";
my $AdminPasswd1 = $passwd;
my $ldap1 = Net::LDAP->new($dc1) or LogAndExit("open LDAP#1: $@");
my $result = $ldap1->bind( dn => $AdminUser1, password => $AdminPasswd1 );
die("Failed to bind1: " . $result->error) if $result->code;
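Ken's snippet hands whatever arrives in AUTH_PASSWORD straight to the directory. The version below is an added example, not Ken's code or anything from the perl-ldap project, showing the checks a CGI should make before doing that: refuse an empty password (a simple bind with a name and an empty password is an unauthenticated bind, which AD accepts as anonymous and reports as success), restrict the user name to sAMAccountName characters so the request cannot choose an arbitrary bind name, and protect the wire with StartTLS. The domain name, DC host and CA file are placeholders; the script assumes IIS Basic authentication, as Ken's does.

```perl
#!/usr/bin/perl
# Added example (not from the thread): hardened Basic-auth pass-through bind.
# $NTDOMAIN, $DC and $CA_FILE are placeholders for site-specific values.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

my $NTDOMAIN = 'EXAMPLE';                  # placeholder NetBIOS domain
my $DC       = 'dc1.example.test';         # placeholder domain controller FQDN
my $CA_FILE  = '/etc/ssl/certs/ad-ca.pem'; # placeholder CA bundle that signed the DC cert

# Bind to AD as the web user. Returns the bound handle or dies with a
# message that contains no password material and is safe to log.
sub bind_as_web_user {
    my ($logon_user, $password) = @_;

    # IIS supplies "user" or "DOMAIN\user". Allow only sAMAccountName-style
    # characters so the request cannot turn the bind name into a DN of its choosing.
    die "missing LOGON_USER\n"
        unless defined $logon_user && length $logon_user;
    my ($domain, $user) =
        $logon_user =~ /\A(?:([A-Za-z0-9_.-]+)\\)?([A-Za-z0-9_.-]+)\z/
        or die "LOGON_USER has unexpected characters\n";
    $domain = $NTDOMAIN unless defined $domain;

    # Name plus EMPTY password is an unauthenticated bind: AD treats it as
    # anonymous and returns success, so a blank password field would "log in".
    die "empty password; refusing unauthenticated bind\n"
        unless defined $password && length $password;

    # Never send the password in clear text: StartTLS and verify the DC certificate.
    my $ldap = Net::LDAP->new($DC, version => 3)
        or die "connect to $DC failed: $@\n";
    my $tls = $ldap->start_tls(verify => 'require', cafile => $CA_FILE);
    die "StartTLS failed: " . $tls->error . "\n" if $tls->code;

    my $bind = $ldap->bind("$domain\\$user", password => $password);
    if ($bind->code == LDAP_INVALID_CREDENTIALS) {
        # One message for unknown user and wrong password: no account enumeration.
        die "authentication failed\n";
    }
    die "bind failed: " . $bind->error . "\n" if $bind->code != LDAP_SUCCESS;
    return $ldap;
}

# CGI entry point. The password is read once from the environment and is
# never written anywhere else; only the failure reason reaches the error log.
my $ldap = eval { bind_as_web_user($ENV{LOGON_USER}, $ENV{AUTH_PASSWORD}) };
if (!$ldap) {
    warn "bind_as_web_user: $@";   # web server error log
    print "Status: 401 Unauthorized\r\nContent-Type: text/plain\r\n\r\n";
    print "Login failed.\n";
    exit 0;
}
print "Content-Type: text/plain\r\n\r\n";
print "Bound to $DC as $ENV{LOGON_USER}\n";
$ldap->unbind;
```

The trade-off this does not remove is the one the rest of the thread is about: with Basic authentication the web application sees the user's clear-text password at all, which the Kerberos delegation approach described later avoids.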

Eric Nichols 2007-01-02, 7:20 pm
Nice idea but unfortunately it won't work. In IIS 6 they don't post the
password in ENV any more. Plus I'm looking to use "Integrated Auth", which is
basically NTLM. I was hoping there was a Win32 library I could call to get
something like NTLM creds and then hand that through Net::LDAP as a pass
through...
I most likely have all my terminology wrong in the above statement. As I see
things, IIS runs the authenticated CGI session as the user object that
authenticates. So the credentials should be in the Win32 environment (not
ENV) somewhere. Probably much like how Firefox does NTLM. It picks up the
user's credentials and passes them to IIS as auth. I want to do the same
except read them during a CGI session and pass them through an LDAP bind.
It's a tough solution because it pulls from two environments that have never
been connected (as far as I know).

Achim Grolms 2007-01-03, 7:22 pm
On Sunday 31 December 2006 14:40, Eric Nichols wrote:
> I've never really been able to find a definitive answer on this.
>
> IIS has their Integrated Authentication method which can recognize the
> client's credentials. I'd like to take those credentials and bind as that
> IIS user to an Active Directory server over LDAP.
>
> Any ideas?
That's possible on Apache + mod_auth_kerb:
1. Make Apache GSSAPI/Kerberos authentication work
as described in <http://www.grolmsnet.de/kerbtut/>
2. Activate GSSAPI/Kerberos credential delegation as described
in <http://www.grolmsnet.de/kerbtut/cre...delegation.html>
3. Make the webserver-side Net::LDAP use those credentials
using Authen::SASL::Perl::GSSAPI as described in
<http://perl.grolmsnet.de/authensasl/> to bind
to the AD LDAP server.
If you are using IIS instead of Apache you have to use
the Win32 API; the interface to use the authentication
is called "SSPI" and described in
<http://msdn.microsoft.com/library/d...tyinterface.asp>
The interface is usable in C; I don't know of a Perl adapter to SSPI.
Achim

Achim Grolms 2007-01-04, 7:20 pm
On Thursday 04 January 2007 15:42, you wrote:
> Thanks Achim,
> That helps. At least I now know that SSPI is the auth I need to look for..
> Just hope I can pass it through Net::LDAP
Passing it through Net::LDAP means using a module
implementing the SASL authentication standard (see RFC 2222),
in that case the GSSAPI mechanism (to use Kerberos 5).
One module implementing SASL and GSSAPI is
Authen::SASL::Perl::GSSAPI (by Simon Wilkinson),
using an RFC 2744 C implementation (MIT Kerberos or
Heimdal, for example).
In the case of Win32 SSPI that means writing a SASL adapter
using SSPI instead of RFC 2744 and implementing
the Authen::SASL interface.
(Or does anyone know of an RFC 2744-to-SSPI adapter?)
Achim
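The Net::LDAP side of Achim's three steps (his previous post) and the SASL/GSSAPI mechanism he describes here, as an added example that is not Achim's code or part of the linked tutorials: the CGI picks up the credential cache mod_auth_kerb exports when KrbSaveCredentials is on, binds with Authen::SASL::Perl::GSSAPI, and then asks the DC who it actually bound as and compares that with the principal Apache authenticated. The DC name is a placeholder, and the check assumes the Kerberos principal's user part equals the AD sAMAccountName, which is the default but not guaranteed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): Net::LDAP bind to AD with Kerberos
# credentials delegated to this CGI by mod_auth_kerb. $DC is a placeholder.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;   # adds $ldap->who_am_i
use Authen::SASL qw(Perl);          # pure-Perl backend, i.e. Authen::SASL::Perl::GSSAPI

# Must be the DC's FQDN: the GSSAPI library requests a ticket for ldap/<this name>.
my $DC = 'dc1.example.test';

# With "KrbSaveCredentials on", mod_auth_kerb stores the forwarded TGT in a
# credential cache and exports its path to the CGI in KRB5CCNAME.
sub bind_with_delegated_creds {
    my ($ldap_host, $ccache) = @_;

    die "no delegated Kerberos credentials (KRB5CCNAME not set)\n"
        unless defined $ccache && length $ccache;
    local $ENV{KRB5CCNAME} = $ccache;   # the GSSAPI library reads the ticket from here

    my $ldap = Net::LDAP->new($ldap_host, version => 3)
        or die "connect to $ldap_host failed: $@\n";

    # GSSAPI mechanism: no password is ever passed; the delegated ticket
    # authenticates us to the DC.
    my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
    my $res  = $ldap->bind(sasl => $sasl);
    die "SASL/GSSAPI bind failed: " . $res->error . "\n" if $res->code;
    return $ldap;
}

# Ask the DC which identity the bind produced and compare it with the user
# Apache authenticated, so a stale or wrong credential cache cannot let the
# CGI act as somebody else. Returns the sAMAccountName the DC reported.
sub verify_bound_identity {
    my ($ldap, $remote_user) = @_;

    my $who = $ldap->who_am_i;
    die "whoami failed: " . $who->error . "\n" if $who->code;

    # AD answers the WhoAmI extended operation with "u:DOMAIN\sAMAccountName".
    my $authzid = $who->response // '';
    my ($sam) = $authzid =~ /\Au:(?:[^\\]+\\)?(.+)\z/;

    # mod_auth_kerb sets REMOTE_USER to the principal, e.g. "jdoe@EXAMPLE.TEST".
    # Assumption: the principal's user part equals the sAMAccountName.
    my ($principal_user) = split /@/, $remote_user, 2;
    die "bound as '$authzid' but Apache authenticated '$remote_user'\n"
        unless defined $sam
            && defined $principal_user
            && lc $sam eq lc $principal_user;
    return $sam;
}

my $ldap = bind_with_delegated_creds($DC, $ENV{KRB5CCNAME});
my $sam  = verify_bound_identity($ldap, $ENV{REMOTE_USER} // '');
print "Content-Type: text/plain\r\n\r\n";
print "LDAP bind completed with the delegated credentials of $sam\n";
$ldap->unbind;
```

Delegation means the web server holds a forwardable ticket for every user who logs in, so the identity check after the bind is not optional hygiene: any directory operation the CGI performs afterwards runs with whatever identity the cache actually contained.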