On Tue, 2009-01-20 at 21:00 -0700, Joseph L. Casale wrote: > >If you'd tell us what it is that you're doing we can help out, or > >explain any one of a hundred ways that you're doing it wrong. Either > >one, really. > > > I was tearing my hair out trying to get mod_auth_ntlm_winbind working with > apache so I could later use adLDAP/Dokuwiki to migrate all our docs out of > Exchange Public Folders. > > The goal was SSO in our AD domain. I had plain LDAP binding against the user > asking for permission to Dokuwiki which worked easy and was secure enough but > the goal was SSO... > > I had a total brain fade on the mod_auth_ntlm_winbind compilation but got it > working, now I simply can't make apache authenticate a user? Firefox has the > network.negotiate-auth.trusted-uris value defined yet simply keeps prompting > for authentication while this module causes apache to deliver something to ie > that it simply can't even render the page. Samba, Kerberos and winbind are all > configured right as the CentOS box has been joined to the domain, and wbinfo > and getent return logical data. It's clearly this module and apache that are not > working, but this is the only module that provides group support versus username > only mapping that I know of. > > As much as I am getting to like Dokuwiki, if you can reco an easy to use wiki > that facilitates SSO from AD clients but runs on Linux I would be grateful. I > only have one IIS server and I can't/wont hack at that box, its far to critical. > > I officially have no more hair. ---- mod_authz_ldap definitely can use groups or users to authenticate though to be honest, I am only authenticating to OpenLDAP and I do see some references to authenticating to active directory in the documentation. also - my impression was that only IE could use the SSO and Firefox would probably have to login. Craig