
Auto Login with Active Directory

October 23, 2007 by Richard

A few people have written in to tell me about using authconfig to set up Active Directory authentication.  Well, I didn't know about authconfig, so I guess I went about it the hard way.  All the web searching I did never turned up authconfig as a possibility.  But at least I know that much more about configuring Active Directory authentication on Linux. ;-)

Another guy wrote in to ask about automatically authenticating someone who's already logged in to a workstation.  I wasn't able to respond, because he didn't provide an email address, which may be a bug in my contact form, I'm not sure.  In any case, I haven't yet gone that far in my own PHP-based Active Directory authentication implementation.  But I can talk about how I was thinking about doing it.  And as such, the following is merely speculation.  I'm not sure which method would work the best, or if any of these ideas are even going in the right direction.  I haven't yet experimented with this myself.

On the web server, I was thinking about making the web site available on the internal adapter (in a DMZ-style setup), so that it would be served on an internal IP, such as 192.168.*.*.  Serving up the web site on an internal network IP lets me identify intranet traffic.  Currently, I let everyone on the network obtain the site from the external IP.

Now, here's where it gets fuzzy, because I don't yet know all the variables.  So, let's entertain some speculation.

One thing you could do is possibly make a login script on the Windows side that stows away a cookie in the user's browser.  I'm not very fond of IE, so the only way I'd do that is if I could make it work in a cross-browser fashion.  And I'd have to make one for Mac workstations too, because we have Mac AD members as well.  I wouldn't like an approach that I couldn't use myself!  Besides, that's not hard to do on a Unix-based workstation; I think a PHP shell script will do the trick.

On the Windows side, if you only care about IE, that should be easy to do.  Once you log in, make the Windows login script generate a cookie in IE.  Once you log out, have it automatically destroy that cookie.  On the login side, also automatically send a randomly generated key to the server for the user via a secure HTTP request, and at logout, automatically destroy the key on the server.  And voilà, you have a way of automatically authenticating users based on their desktop login: every time they access the site with that randomly generated key and it matches, you have secure, reliable authentication.

The key, as it were (no pun intended!), to keeping it secure is generating the key on the Windows side.  Once you receive the key on the server side, limit that key to the machine's hostname and IP address, and also limit your authentication scheme to requests made to the web server's intranet IP address.  You could just skip the hostname part and probably be OK, but I think it strengthens security.  With hostname verification, you don't have to worry about stolen keys.
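Here is one way the server side of that scheme could look, as an added example written for this post (it is not the post's own code). Function names, the intranet address and the sample workstation are assumptions; it assumes the key arrives over HTTPS on the internal adapter and that a real deployment would keep the registry in a database rather than an in-memory array.

```php
<?php
// Added example (not the post's own code): a minimal server-side registry for
// the desktop-generated key. Names are hypothetical. Assumes the key arrives
// over HTTPS on the intranet adapter; a real registry would be a database table.
const INTRANET_SERVER_IP = '192.168.1.10'; // constructed: the web server's internal adapter
const KEY_LIFETIME       = 8 * 3600;       // seconds; caps a key whose logout never arrived
$registry = []; // sha256(key) => ['user', 'host', 'ip', 'expires']

// Login script's HTTPS call. Only a hash of the key is stored, so a leaked
// registry cannot be replayed; the key itself must be long and random.
function registerKey(array &$registry, string $user, string $key, string $host, string $ip): void
{
    $registry[hash('sha256', $key)] = [
        'user' => $user, 'host' => $host, 'ip' => $ip,
        'expires' => time() + KEY_LIFETIME,
    ];
}

// Logout script's call: destroy the key on the server.
function revokeKey(array &$registry, string $key): void
{
    unset($registry[hash('sha256', $key)]);
}

// Returns the username when every check passes, otherwise null (fall back to
// the normal login form). $remoteIp/$serverIp come from $_SERVER['REMOTE_ADDR']
// and $_SERVER['SERVER_ADDR']; $remoteHost from gethostbyaddr($remoteIp).
function authenticateRequest(array $registry, string $key, string $remoteIp,
                             string $remoteHost, string $serverIp): ?string
{
    if ($serverIp !== INTRANET_SERVER_IP) {
        return null; // the scheme is only honoured on the internal adapter
    }
    $entry = $registry[hash('sha256', $key)] ?? null;
    if ($entry === null || time() > $entry['expires']) {
        return null;
    }
    // Bind the key to the workstation it was issued to, as the post proposes.
    if ($entry['ip'] !== $remoteIp || strcasecmp($entry['host'], $remoteHost) !== 0) {
        return null;
    }
    return $entry['user'];
}

// Constructed usage: register at login, check one request, revoke at logout.
$key = bin2hex(random_bytes(16));
registerKey($registry, 'jdoe', $key, 'ws42.corp.example', '192.168.5.42');
$who = authenticateRequest($registry, $key, '192.168.5.42', 'ws42.corp.example', INTRANET_SERVER_IP);
revokeKey($registry, $key);
```

The expiry is there because a workstation that crashes or loses power never sends its logout request, so the server needs its own bound on how long a key stays valid.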

At the server you can also periodically parse and cache the results of getent group and getent passwd, and deal out privileges based on user membership in Active Directory security groups.
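As an added example (not the post's code), this is what parsing that cached getent output into group-based privileges could look like. The domain, user and group names, the privilege policy and the sample getent lines are all constructed; the strings would normally come from running getent on a schedule.

```php
<?php
// Added example (not the post's code): parse `getent passwd` and `getent group`
// output into a user => groups map and derive site privileges from AD group
// membership. Domain, names, groups and sample lines are constructed; in
// production the strings come from shell_exec('getent passwd') and
// shell_exec('getent group'), run periodically and cached.
// Constructed sample output, in the form winbind typically renders AD accounts.
$passwdOut = "root:x:0:0:root:/root:/bin/bash\n"
           . "CORP\\jdoe:*:10001:10000:Jane Doe:/home/CORP/jdoe:/bin/false\n"
           . "CORP\\bsmith:*:10002:10000:Bob Smith:/home/CORP/bsmith:/bin/false\n";
$groupOut  = "wheel:x:10:root\n"
           . "CORP\\domain users:x:10000:\n"
           . "CORP\\web editors:x:10050:CORP\\jdoe\n"
           . "CORP\\web admins:x:10051:CORP\\bsmith,CORP\\jdoe\n";
// Map AD security groups to application privileges (constructed policy).
$groupPrivileges = [
    'CORP\\web editors' => ['edit'],
    'CORP\\web admins'  => ['edit', 'publish', 'admin'],
];
// user => list of group names, including the primary group from passwd.
function buildMembership(string $passwdOut, string $groupOut): array
{
    $gidName = []; // gid => group name
    $members = []; // user => [group, ...]
    foreach (explode("\n", trim($groupOut)) as $line) {
        $f = explode(':', $line, 4);            // name:password:gid:member,member
        if (count($f) < 4) { continue; }        // skip malformed lines
        [$name, , $gid, $list] = $f;
        $gidName[$gid] = $name;
        foreach (array_filter(explode(',', $list)) as $u) {
            $members[$u][] = $name;
        }
    }
    foreach (explode("\n", trim($passwdOut)) as $line) {
        $f = explode(':', $line, 7);            // user:pw:uid:gid:gecos:home:shell
        if (count($f) < 7) { continue; }
        $user = $f[0]; $gid = $f[3];
        if (isset($gidName[$gid])) { $members[$user][] = $gidName[$gid]; }
        $members[$user] = array_values(array_unique($members[$user] ?? []));
    }
    return $members;
}
// Privileges for one user: the union over every group they belong to.
function privilegesFor(array $members, array $policy, string $user): array
{
    $p = [];
    foreach ($members[$user] ?? [] as $g) { $p = array_merge($p, $policy[$g] ?? []); }
    return array_values(array_unique($p));
}
$perms = privilegesFor(buildMembership($passwdOut, $groupOut), $groupPrivileges, 'CORP\\jdoe');
```

Because group names from winbind contain the domain prefix and often spaces, the parser splits on a fixed number of colons rather than on whitespace, and a user listed under an unknown group simply earns no privileges from it.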

Personally, I've never done any scripting in Windows, so I don't know what's involved with that. I know that one obstacle with Windows is that a login script must be signed with your domain certificate (or so the Network admin here tells me).  Again, not sure what that entails.

Another possible, and lazier, route is via SMB.  You can automatically generate a share for each domain user in Samba on the server side.  Then automatically mount that share for each user with Active Directory, mapped to a drive letter.

With this approach, where it gets fuzzy is whether there is a way to tell who is actively connected to a share.  I believe there has to be.  If you have a user connected to a share, you know what machine they connected to the server from, and that they have an active login already authenticated via a Kerberos handshake.  So you can then assume they are also validated for HTTP access when an HTTP request originates from the same hostname or IP address as the one logged in with SMB.

You don't even have to make the share writable or have it contain anything useful.  Of course, what I don't know is whether you can find an easy way of querying who is connected to a share, what IP they used, etc.  Possibly the Samba log files?  Those are loaded with valuable information like that, conveniently separated by accessing IP and hostname, which you can get on the web server if you're serving up the site via an internal IP (i.e., don't force internal users to go through the external adapter to get to the web site).

The downside is that the Samba log might not have the information in real time, and I'm not sure of the security of that approach.  On the flip side, automatically mounting a share is pretty easy to do in Active Directory.

Again, this is all speculative, and just brainstorming out loud.  If anyone has more ideas on how to do that, or has actually done it, I'd love to hear about it; leave a comment here.

Copyright © 1998-2012 Richard York, All Rights Reserved.