mod_pam/winbind apache authentication Source

---
title: 'mod_pam/winbind apache authentication'
date: '2010-07-02'
published_at: '2010-07-02T14:42:00.008+10:00'
tags: ['linux', 'pam', 'samba', 'sysadmin', 'winbind']
author: 'Gavin Jackson'
excerpt: 'Introduction/Pre-requisites The Winbind NTLM Authentication configuration for squid and apache approach to AD authentication is good and all, but it does not work in IE8 over https. An alternate metho...'
updated_at: '2010-07-02T15:00:54.170+10:00'
legacy_url: 'http://www.gavinj.net/2010/07/modpamwinbind-apache-authentication.html'
---

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrI_6aOLBayBl1rgikS2hjRovq1iL9IhnWe_z1oI1c5plZ5ArpPoKnOGe-N1UwUL0tdqiMt_f3Mlg40xT8A9Hw5U8KNwFVb7LZHUlsCs7XNidjsyxyFiChgQs-aUhgP8c0gqU0UezVpSw/s200/escher-ascending-and-descending-medium.jpg)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrI_6aOLBayBl1rgikS2hjRovq1iL9IhnWe_z1oI1c5plZ5ArpPoKnOGe-N1UwUL0tdqiMt_f3Mlg40xT8A9Hw5U8KNwFVb7LZHUlsCs7XNidjsyxyFiChgQs-aUhgP8c0gqU0UezVpSw/s1600/escher-ascending-and-descending-medium.jpg)

Introduction/Pre-requisites

The [Winbind NTLM Authentication configuration for squid and apache](http://gavinjnet.blogspot.com/2010/07/winbind-ntlm-authentication.html) approach to AD authentication is good and all, but it does not work in IE8 over HTTPS.

An alternate method is to use the Apache mod_pam module to authenticate against PAM (which has been configured to authenticate against the AD controller using winbind).

On SLES 11 it is not installed by default, so you are going to have to build it from source.

Ensure that samba and winbind have been installed and configured (see this [guide](http://gavinjnet.blogspot.com/2010/07/winbind-ntlm-authentication.html)).

Building mod_pam from source

Download the source code from: [http://pam.sourceforge.net/mod_auth_pam/](http://pam.sourceforge.net/mod_auth_pam/)

```
zypper install apache2-devel
tar -zxvf mod_auth_pam-2.0-1.1.1.tar.gz
cd mod_auth_pam
make
make install
```

Now, on 64-bit SLES you need to modify the **/etc/pam.d/httpd** file (which was created during the install process):

```
#%PAM-1.0
auth       required /lib64/security/pam_winbind.so try_first_pass debug
account    required /lib64/security/pam_permit.so
```

Configuring Apache

The build process should have added the mod_pam module to your Apache installation (you can verify this by checking /etc/sysconfig/apache2).

You can now add the following entry to your site root configuration:

```
AuthType Basic
AuthPAM_Enabled on
AuthBasicAuthoritative Off
AuthName "secure area"
Require valid-user
AuthUserFile /dev/null
```

Restart Apache:

```
/etc/init.d/apache2 restart
```

Now when you try to view the **http://webserver/pam** directory, you will be prompted for a username and password, which are authenticated using winbind (via PAM). Pretty cool, eh?
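
The two files configured above can be linted before the site is exposed. The shell sketch below is an added example, not part of the original post: it flags the always-succeeding account phase, the winbind `debug` option, the absence of a group restriction, and Basic authentication without enforced TLS. The function names and finding labels are invented here; `require_membership_of` (a pam_winbind option) and `SSLRequireSSL` (a mod_ssl directive) are not used in the post and are assumed as the stricter settings to look for.

```shell
# Added example (not from the original post): lint the PAM service file and
# the Apache auth block this page creates. Names and labels are made up here.

# audit_pam_service FILE: prints one finding per line for a PAM service file.
audit_pam_service() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "account" && $3 ~ /pam_permit\.so$/ {
            print "account-permit: account phase always succeeds, no checks applied"
        }
        $1 == "auth" && $3 ~ /pam_winbind\.so$/ {
            limited = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "debug") print "winbind-debug: debug output is sent to syslog"
                if ($i ~ /^require_membership_of=/) limited = 1
            }
            if (!limited) print "no-group-limit: no require_membership_of on this line"
        }
    ' "$1"
}

# audit_apache_auth FILE: flags Basic+PAM auth with no SSLRequireSSL beside it.
# Directive names are case-insensitive in Apache, so compare in lower case.
audit_apache_auth() {
    awk '
        { d = tolower($1); v = tolower($2) }
        d == "authtype" && v == "basic"     { basic = 1 }
        d == "authpam_enabled" && v == "on" { pam = 1 }
        d == "sslrequiressl"                { tls = 1 }
        END {
            if (basic && pam && !tls)
                print "basic-no-tls: AD password crosses the wire base64-encoded unless HTTPS is enforced"
        }
    ' "$1"
}

# Constructed sample input: the PAM file exactly as shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required /lib64/security/pam_winbind.so try_first_pass debug
account    required /lib64/security/pam_permit.so
EOF
audit_pam_service "$sample"
rm -f "$sample"
```

The group restriction can also be set in pam_winbind's own configuration file, so a `no-group-limit` finding only means the service file itself does not set one.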