On 9/18/07, Connolly, Wayne Wayne.Connolly@team.telstra.com wrote:
> There is only one thing left to do to make this complete -> Automatic Authentication against the domain 'ACCOUNT-01' via Windows native NTLM authentication.
> Before I embark on this journey I was hoping that anyone could offer any tips, extension ideas or pitfalls to avoid.
Hi Wayne,
There's a PHP extension called Plexcel that does Windows authentication and much, much more. It doesn't use NTLM though. It uses Kerberos and something called SPNEGO. This is actually what IIS is doing when you turn on IWA. On the wire, Plexcel is just like IWA.
If you want NTLM I think there's a module for Apache that can call Samba's Winbind daemon. But note that NTLM is not optimal for this scenario. It requires communication with a domain controller whereas Kerberos does not (although NTLM is still required for scenarios where the client is not a member of the domain or a member of a domain that has a trust with the target domain).
Anyway, I guess I'm starting to rant. In addition to the Plexcel extension there's a little MediaWiki plugin that calls plexcel. Check it out:
http://www.ioplex.com/mediawiki_plugin.html
It handles SSO, explicit login using the conventional form, automatically creates accounts in the local DB with the user's info from AD and has ACLs to control who can access content and such.
Bear in mind that you're going to need a MediaWiki plugin so that the user's information can be pushed into MW so that the higher level logic does sensible things. You can't just use mod_ntlm or flip on IWA in IIS.
Mike
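An added example, not part of the thread and not code from Plexcel or the ioplex MediaWiki plugin: what "on the wire, just like IWA" looks like from the server side. After the server answers 401 with `WWW-Authenticate: Negotiate`, the browser sends `Authorization: Negotiate <base64>`. The token is usually a GSS-API/SPNEGO NegTokenInit whose mechType list says whether the client has a Kerberos ticket or has fallen back to NTLM (the non-domain-member case Mike mentions); some clients send a raw `NTLMSSP` Type 1 message under the Negotiate scheme instead. The code below walks the DER framing (RFC 2743 initial context token, RFC 4178 NegTokenInit) and classifies the header. The sample tokens are constructed here with the small builder at the bottom; the Kerberos "AP-REQ" payload is a placeholder, and the OID constants are the published values.

```python
import base64

# OIDs that appear in SPNEGO mechType lists (RFC 4178, MS-SPNG).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of token")
    return tag, buf[pos:end], end


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_spnego_init(token):
    """Return the mechType OIDs a SPNEGO NegTokenInit offers, in client order."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:                         # [APPLICATION 0] initial context token
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, negtoken, _ = _read_tlv(body, pos)
    if tag != 0xA0:                         # [0] NegTokenInit
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(negtoken, 0)      # NegTokenInit ::= SEQUENCE
    tag, mechtypes, _ = _read_tlv(seq, 0)
    if tag != 0xA0:                         # [0] mechTypes
        raise ValueError("NegTokenInit without mechTypes")
    _, oids, _ = _read_tlv(mechtypes, 0)    # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(oids):
        tag, oid, pos = _read_tlv(oids, pos)
        if tag == 0x06:
            mechs.append(_decode_oid(oid))
    return mechs


def classify_negotiate(authorization_header):
    """Classify an 'Authorization: Negotiate <b64>' value as kerberos or ntlm.

    RFC 4178 ties the optional mechToken to the first listed mechType, so the
    first OID tells us what the client actually sent."""
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):   # raw NTLMSSP, no SPNEGO wrapper
        return {"mech": "ntlm", "wrapped": False, "mechs": []}
    mechs = parse_spnego_init(token)
    preferred = mechs[0] if mechs else None
    if preferred in (KRB5_OID, MS_KRB5_OID):
        return {"mech": "kerberos", "wrapped": True, "mechs": mechs}
    if preferred == NTLMSSP_OID:
        return {"mech": "ntlm", "wrapped": True, "mechs": mechs}
    return {"mech": "unknown", "wrapped": True, "mechs": mechs}


# --- builder used only to construct the sample headers below (not real captures) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return _der(0x06, out)


def build_negotiate(mech_oids, mech_token):
    """Wrap mech_token in a NegTokenInit offering mech_oids (first one preferred)."""
    mech_list = _der(0x30, b"".join(_oid(o) for o in mech_oids))
    init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(
        _der(0x60, _oid(SPNEGO_OID) + _der(0xA0, init))).decode()


# Constructed samples: a placeholder AP-REQ payload (assumption, not a real
# ticket) for the domain-joined case, and an NTLM Type 1 message for fallback.
SAMPLE_KERBEROS = build_negotiate([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x05fake")
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little")
SAMPLE_NTLM_WRAPPED = build_negotiate([NTLMSSP_OID], NTLM_TYPE1)
SAMPLE_NTLM_RAW = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos", SAMPLE_KERBEROS), ("ntlm-wrapped", SAMPLE_NTLM_WRAPPED),
                      ("ntlm-raw", SAMPLE_NTLM_RAW)]:
        print(name, classify_negotiate(hdr))
```

The classification only inspects the negotiation framing; validating the Kerberos AP-REQ (or completing the NTLM handshake against a DC) is the GSS-API library's job, which is what Plexcel or mod_auth_kerb-style modules do. The point of the check is operational: a server that intends to be Kerberos-only can refuse or log the NTLM branch rather than silently accepting a downgrade from clients that are not domain members.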