0

Is there a way to integrate an LDAP authentication system on a Windows network with intranet webapps so that the user, on logging into their desktop, does not need to log in a second time with the web app?

Open to other forms of authenticating other than LDAP if not possible.

blippy
  • I'm not sure whether this should stay here or go to stackoverflow.com. Perhaps you can elaborate, is this a pre-packaged product you're using or are you developing/modifying it? – ThatGraemeGuy May 15 '10 at 12:39
  • I'm not using any but I'd like to know if one exists. – blippy May 19 '10 at 06:32

4 Answers

2

Yes, it is doable. If it is Apache, load mod_authz_ldap and point it to your Active Directory. Or point it to an OpenLDAP proxy, which fetches auth credentials from Active Directory.

http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt

RainDoctor
1

Basically, this is possible. Whether your particular webapp is capable of handling this depends on your environment and on whether the webapp is prepared for this.

Some questions: Do you use Active Directory for authentication? What is your webserver? IIS on Windows, Apache on Linux? Something else? What are the apps? What auth methods do they offer?

The most important thing you should research in this regard is Kerberos, which is used by Active Directory (and many other things) for exactly this purpose: Single sign on.

Regardless of the technology, prepare for a challenging experience, as doing this right is quite difficult.

Sven
  • Doing it right is really easy; the MediaWiki LDAP auth extension is simple, and Redmine's built-in LDAP authentication is brilliant. You do have to understand LDAP, however, which is where the challenge lies. – gbjbaanb May 17 '10 at 19:01
  • No. Single sign on is not just the same user database, which is indeed easy, but not having to log in again if you are already logged in to your workstation. This is *not* easy. – Sven May 17 '10 at 20:33
  • I am not restricted to any win/linux on the server but have a preference for an open source solution. The apps would be my bespoke webapps, and normally authentication would be managed via db and session cookies. Does this make sense? I will look into Kerberos; is there any specific software that helps with the ticket fetching process from a web app perspective? – blippy May 19 '10 at 06:55
0

There are two technologies for that: Kerberos and NTLM. There is a lot of info on how to implement both; the best choice will depend on your IT environment.

jneves
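Browsers carry both mechanisms named in the answer above in the same HTTP `Authorization` header, so a web app or log reviewer can tell which one a desktop actually used by inspecting the token. The following Python sketch is an added example, not code from any poster on this page: the function names are hypothetical and the sample headers are constructed. It only classifies the token; validating a Kerberos ticket still needs a GSSAPI library and the service's keytab.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                                 # raw NTLM message signature
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10

def _tlv(buf, pos, tag):
    """Read the DER header at pos; return (content_start, content_end)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated token")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of token")
    return pos, pos + length

def classify_token(authorization):
    """Return 'none', 'kerberos', 'ntlm', 'spnego-ntlm', 'other' or 'malformed'."""
    scheme, _, b64 = (authorization or "").partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "none"                                    # app should send the 401 challenge
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLMSSP):
            return "ntlm"
        pos, _ = _tlv(tok, 0, 0x60)                      # GSS-API InitialContextToken
        if not tok.startswith(OID_SPNEGO, pos):          # Kerberos without SPNEGO wrapper?
            return "kerberos" if tok.startswith(OID_KRB5, pos) else "other"
        pos += len(OID_SPNEGO)
        for tag in (0xA0, 0x30, 0xA0, 0x30):             # NegTokenInit -> mechTypes
            pos, _ = _tlv(tok, pos, tag)
        _, end = _tlv(tok, pos, 0x06)                    # first (preferred) mechanism
    except ValueError:
        return "malformed"
    mech = tok[pos:end]
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"
    return "spnego-ntlm" if mech == OID_NTLM else "other"

def _der(tag, body):              # short-form lengths only, for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_negotiate(mechs):      # constructed header: NegTokenInit with mechTypes only
    inner = _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, b"".join(mechs)))))
    return "Negotiate " + base64.b64encode(_der(0x60, OID_SPNEGO + inner)).decode()
```

A result of `none` is the point at which the server answers `401` with `WWW-Authenticate: Negotiate`. Seeing `ntlm` or `spnego-ntlm` where `kerberos` was expected commonly means the client could not obtain a service ticket for the site's host name.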
0

You could consider a web single sign-on solution such as OneLogin.

http://www.onelogin.com

OneLogin integrates with Active Directory using NTLM so that if you are logged into your Windows domain, you're automatically also logged into OneLogin and any web app you have configured is just one click away.

OneLogin is pre-integrated with 600+ web applications, including intranet solutions like SocialText, Confluence, PBWorks and Jive, both behind and outside the firewall.