How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?

9
votes

I need to get more understanding about SSO on a web app against Active Directory.

For simply ask the user the login to authenticate on AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still need to type the login twice. For example: Authenticate against Active Directory/ISA from php

Afaik, to use SSO for transparent login, I need to implement an extra apache module. For example: How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?

Authenticate against ldap using PHP, active directory, while using IE/Firefox

First I need to know which apache module I need to use and why. In this article for example there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM. And the thosed one was Apache2:AuthenNTLM

In the question described above the accepted answer was for mod_auth_sspi.

When talking about Active Directory I've got this answer, which describes active directory as an implementation of ldap + kerberos + "a few other miscellaneous bits and pieces".

I'm very confused about all these names, since I've nerver worked with it. Can someone clarify it to me? (ldap, kerberos, ntlm, sspi etc)

Finally, can someone point me to how the app recognize the authenticated user (from AD). Is it just by the username passed with somethink like $_SERVER['REMOTE_USER']? Any password is sent? How does the browser send this extra headers? Is there any local configuration that need to be done in each workstation?

2
phpapacheactive-directoryldapsingle-sign-on
This question is almost identical to stackoverflow.com/questions/1003751/…Simon East

2 Answers

16
votes

Authentication is a confusing mess. Here is some background.

  • LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

  • NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

  • Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) Authentication. ActiveDirectory supports a version of Kerberos.

As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.

  • mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

  • mod_auth_kerb: This is an Apache module that implements Kerberos.

  • mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

  • Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

  • mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.

1
votes

Single-Sign-On and Shared-Authentication are related, but different, concepts. I think you may be confusing them. If you want true SSO, look in to CAS.

LDAP and AD are protocols for storing users and organisation data. They are not useful for doing the actual authentication over web, but you can use them behind an SSO (Such as CAS), as the "database".