Introduction/Pre-requisites
The approach to AD authentication described in "Winbind NTLM Authentication configuration for squid and apache" is good and all, but it does not work in IE8 over https.
An alternate method is to use Apache mod_pam to authenticate against PAM (which has been configured to authenticate against the AD controller using winbind).
On SLES 11 it is not installed by default, so you are going to have to build from source.
Ensure that samba and winbind have been installed and configured (see this guide).
Building mod_pam from source
Download the source code from: http://pam.sourceforge.net/mod_auth_pam/
zypper install apache2-devel
tar -zxvf mod_auth_pam-2.0-1.1.1.tar.gz
cd mod_auth_pam
make
make install
Now, on 64-bit SLES you need to modify the /etc/pam.d/httpd file (which was created during the install process):
#%PAM-1.0
auth required /lib64/security/pam_winbind.so try_first_pass debug
account required /lib64/security/pam_permit.so
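A quick lint for the PAM service file above, as an added example that is not part of the original guide: it checks that every absolute module path exists (the /lib versus /lib64 problem on 64-bit hosts) and notes the debug option and an account stack made up only of pam_permit.so. The function name check_pam_service and the MISSING/NOTE output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a PAM service file.
# check_pam_service is a hypothetical helper name.
# Prints one finding per line; returns 1 if a module file is missing,
# 2 if the service file cannot be read, 0 otherwise.
check_pam_service() {
    file=$1
    missing=0 acct_total=0 acct_permit=0
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }
    while read -r type control module opts; do
        case $type in
            ''|'#'*) continue ;;          # blank line or comment (#%PAM-1.0 too)
        esac
        type=${type#-}                    # "-auth" style entries
        # Only absolute paths are checked; bare names such as pam_winbind.so
        # are resolved by libpam from its default module directory.
        case $module in
            /*) if [ ! -f "$module" ]; then
                    echo "MISSING $type module $module"
                    missing=1
                fi ;;
        esac
        case " $opts " in
            *" debug "*) echo "NOTE $type $module has debug logging enabled" ;;
        esac
        if [ "$type" = account ]; then
            acct_total=$((acct_total + 1))
            case $module in
                *pam_permit.so) acct_permit=$((acct_permit + 1)) ;;
            esac
        fi
    done <<EOF
$(sed 's/\[[^]]*\]/[ctl]/' "$file" | tr -s '\t' ' ')
EOF
    # The sed above folds a bracketed control ([success=1 ...]) into one word
    # so the four-field split stays aligned; tr normalises tabs to spaces.
    if [ "$acct_total" -gt 0 ] && [ "$acct_total" -eq "$acct_permit" ]; then
        # pam_permit.so always succeeds, so the account phase checks nothing.
        echo "NOTE account stack is pam_permit.so only: no account checks run"
    fi
    return "$missing"
}
```

After sourcing the file, run `check_pam_service /etc/pam.d/httpd`; a MISSING line means Apache's PAM stack cannot load that module from the path given.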
Configuring Apache
The build process should have added the mod_pam module to your Apache installation (you can verify this by checking /etc/sysconfig/apache2).
You can now add the following entry to your site root configuration:
AuthType Basic
AuthPAM_Enabled on
AuthBasicAuthoritative Off
AuthName "secure area"
require valid-user
AuthUserFile /dev/null
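Restart Apache:
/etc/init.d/apache2 restart
Now when trying to view the http://webserver/pam directory, it will prompt for a username and password that is authenticated using winbind (via PAM). Basic authentication sends the password base64-encoded with every request, so serve this location over https. Pretty cool, eh?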
