Posted to users@httpd.apache.org by "Stewart, Eric" <er...@lib.usf.edu> on 2006/05/02 21:38:12 UTC

[users@httpd] Active Directory, Apache 2.2.2, and LDAP

	This would probably be more appropriately titled "Active
Directory is not LDAP".  I've been trying to get a good Apache 2.2.x to
AD authenticator going, and thought I had it all set with mod_auth_ldap.
And I do ... with some major caveats.  In the hopes that someone else
has a better solution, or to possibly provide some insight to those
running into strange issues with mod_authnz_ldap and AD, here's what
I've discovered so far:

	My environment:
RHEL 4
Apache 2.2.2, using mod_ldap, mod_authnz_ldap, and mod_ssl
Mod_perl 2.0.2
PHP 5.1.2

	It turns out that the following set up will work - but that you
might get bitten by what I call an "AD Bug":

<Directory "/data1/webdocs/idriver">
    AllowOverride None
    Order allow,deny
    Allow from #an IP#
    AuthType Basic
    AuthName ": Secure files"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthUserFile /dev/null
    AuthLDAPURL "ldap://yourdc.your.org/OU=Staff,DC=your,DC=org?sAMAccountName?sub?(&(objectclass=user))"
    AuthLDAPBindDN "CN=LDAP Query,OU=Special Accounts,OU=Dept,OU=Staff,DC=your,DC=org"
    AuthLDAPBindPassword <readonly password>
    require ldap-group CN=Domain Users,CN=Users,DC=lib,DC=usf,DC=edu
    satisfy any
</Directory>

This will work as expected, providing:

The user attempting to authenticate does not have "Domain Users" set as
his/her "Default Group".  And if you change it, it usually takes about
15 minutes to kick in.

	Side note: Do not "quote escape" the "group" listed after
"ldap-group" in the "require" - it will break authentication.

	You might be thinking at this point "That's not right".  Well,
that's what I think, but it's what I've observed so far.  If you Google
for ldap and "active directory" you should come across a page somewhere
along the line which tells you how to export your AD to the equivalent
of an LDIF file (basically, a text representation of your AD/LDAP
directory).  If you search through that, you'll find (or at least I did)
the following:

- For a user's entry, for their list of groups, no entry for their default
  group (at least this was the case for the users I looked at).
- For a group's entry, you won't find any(?) user who has the group in
  question as their default group (again, this was the case for the users
  I looked at).

	Feel free to start a discussion, provide insight/commentary, or
ignore as usual.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
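An added illustration (not from either post) of the behaviour Eric describes: Active Directory records a user's primary ("default") group only as the RID in the user's primaryGroupID attribute, not in the group's member attribute or the user's memberOf, which is why a member-attribute check such as `require ldap-group` rejects users whose default group is the required one. The domain SID, DNs and directory entries below are constructed sample data.

```python
"""Why `Require ldap-group` can miss a user's AD primary group.

Active Directory stores a user's primary ("default") group only as the
RID in the user's primaryGroupID attribute; it is absent from the user's
memberOf and from that group's member attribute. mod_authnz_ldap's
ldap-group check looks at the group's member attribute, so a user whose
primary group *is* the required group is rejected, and a user whose
primary group was changed away from it starts passing once the change
takes effect. All entries below are constructed sample data.
"""
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=your,DC=org"
WEB_ADMINS = "CN=Web Admins,OU=Staff,DC=your,DC=org"
ALICE = "CN=Alice,OU=Staff,DC=your,DC=org"
BOB = "CN=Bob,OU=Staff,DC=your,DC=org"

# Constructed directory: only the attributes the check needs.
GROUPS = {
    DOMAIN_USERS: {"objectSid": f"{DOMAIN_SID}-513",  # 513: well-known RID
                   "member": [BOB]},                  # Alice missing: primary
    WEB_ADMINS:   {"objectSid": f"{DOMAIN_SID}-1105",
                   "member": [ALICE]},                # Bob missing: primary
}
USERS = {
    ALICE: {"primaryGroupID": 513,  "memberOf": [WEB_ADMINS]},
    BOB:   {"primaryGroupID": 1105, "memberOf": [DOMAIN_USERS]},
}


def ldap_group_check(user_dn, group_dn):
    """What `Require ldap-group <group_dn>` effectively tests: is the
    authenticated user's DN a value of the group's member attribute?"""
    return user_dn in GROUPS[group_dn]["member"]


def primary_group_dn(user_dn):
    """Resolve primaryGroupID (a RID) to a group DN by building the
    group's SID from the domain SID and matching objectSid."""
    want = f"{DOMAIN_SID}-{USERS[user_dn]['primaryGroupID']}"
    return next((dn for dn, a in GROUPS.items() if a["objectSid"] == want), None)


def effective_group_check(user_dn, group_dn):
    """Membership as AD itself evaluates it: member attribute OR primary
    group. This is what a check would need to do to avoid the behaviour
    described in the thread."""
    return ldap_group_check(user_dn, group_dn) or primary_group_dn(user_dn) == group_dn
```

Alice has Domain Users as her primary group and so fails the plain member check for it, while Bob, whose primary group was moved elsewhere, passes it; the effective check gets both right.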


Re: [users@httpd] Active Directory, Apache 2.2.2, and LDAP

Posted by Rainer Sokoll <R....@intershop.de>.
On Tue, May 02, 2006 at 03:38:12PM -0400, Stewart, Eric wrote:

> 	It turns out that the following set up will work - but that you
> might get bitten by what I call an "AD Bug":
> 
> <Directory "/data1/webdocs/idriver">
    [...]
> </Directory>
> 
> This will work as expected, providing:
[problems]

I cannot say much about AD and default groups (I am not a windows
admin, fortunately) but this works fine for me (2.0.58 at this time):

LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
<Location /foo/>
  AuthType Basic
  AuthLDAPEnabled on
  AuthLDAPAuthoritative on
  AuthLDAPBindDN "DOMAIN\\User"
  AuthLDAPBindPassword veryverysecret
  AuthLDAPUrl ldap://yourdc.your.org:389/OU=Staff,DC=your,DC=org?sAMAccountName
  require valid-user
</Location>

AuthLDAPBind* is used for initial authentication, since a regular user
cannot read sAMAccountName (my windows admins told me so)

> 	Feel free to start a discussion, provide insight/commentary, or
> ignore as usual.

;-))

HTH,
Rainer
