Using Centrify with Apache servers

The Centrify agent, adclient, provides authentication and authorization for basic Linux and UNIX services such as login and telnet. The modules in Centrify for Apache work in conjunction with adclient and the internal service library to provide silent and prompted authentication and authorization when users access Web applications created in Apache environments.

In an Apache server environment, directives are used to configure authentication and authorization for applications. The Centrify-defined directives support the following authentication methods for Web pages, directories, virtual Web sites, and applications on Apache in a standard Active Directory environment:

  • Simple and Protected GSS-API Negotiation (SPNEGO): With the SPNEGO authentication method, users who successfully sign in to the domain can be silently authenticated to the Web application without entering a user name or password if they use a Web browser that supports SPNEGO tokens. For example, if they use Internet Explorer as their Web browser to access an application, they are authenticated transparently with the user name and password they entered when they initially logged on to their local computer.
  • NT LAN Manager (NTLM) authentication for Windows clients: With the NTLM authentication method, users can be authenticated silently or by specifying a valid Active Directory user name and password when prompted.
  • Basic authentication (BASIC): With the BASIC authentication method, the user is prompted in a browser-generated dialog box to provide a valid user name and password. By default, Centrify for Apache is configured to use Active Directory accounts to authenticate the credentials. You can also enable PAM authentication, which is useful when you want to authenticate the credentials against a local repository, for example, /etc/passwd.
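
The three methods above can be told apart by the HTTP Authorization header the browser sends, which helps when auditing which method clients actually use. The following is an added example, not Centrify code: the function name, the sample headers, and the user name are constructed for illustration, and the tokens are truncated stubs rather than valid tickets.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message

def classify_authorization(header, over_tls=True):
    """Return (method, note) for one HTTP Authorization header value."""
    scheme, _, blob = header.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", "credentials are not valid base64")
    if scheme == "basic":
        user, sep, _password = raw.partition(b":")
        if not sep:
            return ("invalid", "Basic credentials lack the ':' separator")
        note = "user=" + user.decode("utf-8", "replace")
        if not over_tls:
            note += "; password is only base64-encoded and there is no TLS"
        return ("BASIC", note)
    # NTLM arrives under its own scheme, or raw inside Negotiate
    if scheme == "ntlm" or (scheme == "negotiate" and raw.startswith(NTLMSSP)):
        if not raw.startswith(NTLMSSP) or len(raw) < 12:
            return ("invalid", "NTLM message lacks the NTLMSSP signature")
        return ("NTLM", "message type %d" % int.from_bytes(raw[8:12], "little"))
    if scheme == "negotiate":
        # 0x60 opens a GSS-API initial token, 0xa1 a later SPNEGO response
        if raw[:1] in (b"\x60", b"\xa1"):
            return ("SPNEGO", "GSS-API token, %d bytes" % len(raw))
        return ("invalid", "Negotiate token is neither GSS-API nor NTLMSSP")
    return ("other", "unhandled scheme " + scheme)

def _b64(data):
    return base64.b64encode(data).decode("ascii")

# Constructed sample headers (not captured traffic; tokens are truncated stubs)
_NTLM_TYPE1 = NTLMSSP + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
SAMPLES = {
    "basic": "Basic " + _b64(b"alice:example-password"),
    "ntlm": "NTLM " + _b64(_NTLM_TYPE1),
    "negotiate_ntlm": "Negotiate " + _b64(_NTLM_TYPE1),
    "negotiate_gss": "Negotiate " + _b64(b"\x60\x06\x06\x04\x2b\x06\x01\x05"),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_authorization(header, over_tls=(name != "basic")))
```

A Negotiate header that carries an NTLMSSP message means the client fell back from Kerberos to NTLM, and a BASIC result on a connection without TLS means the password crossed the network in a trivially decodable form.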

If you are using only Active Directory for authentication, skip to Installing Centrify for Apache. (The rest of this chapter is only pertinent to those using Active Directory Federation Services.)