I’ve revised this after talking to a coworker… I’d like to revise
the technical details of this original request.

I want to get SPNEGO-capable authentication into nginx, so it can be
adopted and used inside of enterprises with Active Directory for SSO -
not using pam_smb or LDAP only, as that doesn’t make for an entirely
seamless experience. I want Kerberos support for Integrated Windows
Authentication - that is what is expected in our enterprise and not
having to prompt the user for their username/password and such.

I’ve posted this on RentACoder - it’s not live yet, but when it is it
will be bid request ID 1064860.

If anyone is interested, please let me know! I am willing to pay, and
may in fact be able to raise extra cash by other parties for this.
Please email me on or off list.

It should be as simple as a couple libraries (openldap, openssl,
libkrb5? I don’t know) and some simple configuration like:

auth_spnego on;
auth_spnego_controller adserver1.foo.com adserver2.foo.com; (if this makes sense)
auth_spnego_timeout 7d; (if not defaulted by the libraries etc.)
… etc …

Here’s some links/info about SPNEGO and some source code in various
languages to use for example…

http://en.wikipedia.org/wiki/SPNEGO
http://modgssapache.sourceforge.net/ - probably the best C source to leverage
http://mbechler.eenterphace.org/blog/index.php?/archives/5-php_krb5-beta-Negotiate-auth-with-GSSAPI-for-PHP.html - mod_krb5 - quite possibly even better C source
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html
http://msdn.microsoft.com/en-us/library/ms995329.aspx
http://msdn.microsoft.com/en-us/library/ms995330.aspx
http://tools.ietf.org/html/rfc2478 - possibly might have info
http://osdir.com/ml/encryption.kerberos.general/2003-09/msg00019.html - modgssapache uses APIs from microsoft, tested on linux/solaris, mod_spnego tested on all major platforms
http://bofriis.dk/spnego/spnego_client.html - java implementation
http://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html
http://dev.taglab.com/sites/taglab-public/support/spnego.html - another java implementation
http://www.openldap.org/lists/openldap-devel/200801/msg00070.html - possibly added into openldap
mod_auth_kerb for apache might also have some source
samba 3.0.7+ might have source (see a reference to libsmb/spnego.c)
http://www.ioplex.com/ - PHP support for SPNEGO