Posted to users@httpd.apache.org by "Stewart, Eric" <er...@lib.usf.edu> on 2006/05/02 21:38:12 UTC
[users@httpd] Active Directory, Apache 2.2.2, and LDAP
This would probably be more appropriately titled "Active
Directory is not LDAP". I've been trying to get a good Apache2.2.x to
AD authenticator going, and thought I had it all set with mod_auth_ldap.
And I do ... With some major caveats. In the hopes that someone else
has a better solution, or to possibly provide some insight to those
running into strange issues with mod_authnz_ldap and AD, here's what
I've discovered so far:
My environment:
RHEL 4
Apache 2.2.2, using mod_ldap, mod_authnz_ldap, and mod_ssl
Mod_perl 2.0.2
PHP 5.1.2
It turns out that the following set up will work - but that you
might get bitten by what I call an "AD Bug":
<Directory "/data1/webdocs/idriver">
AllowOverride None
Order allow,deny
Allow from #an IP#
AuthType Basic
AuthName ": Secure files"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthUserFile /dev/null
AuthLDAPURL "ldap://yourdc.your.org/OU=Staff,DC=your,DC=org?sAMAccountName?sub?(&(objectclass=user))"
AuthLDAPBindDN "CN=LDAP Query,OU=Special Accounts,OU=Dept,OU=Staff,DC=your,DC=org"
AuthLDAPBindPassword <readonly password>
require ldap-group CN=Domain Users,CN=Users,DC=lib,DC=usf,DC=edu
satisfy any
</Directory>
This will work as expected, providing:
The user attempting to authenticate does not have "Domain Users" set as
his/her "Default Group". And if you change it, it usually takes about
15 minutes to kick in.
Side note: Do not "quote escape" the "group" listed after
"ldap-group" in the "require" - it will break authentication.
You might be thinking at this point "That's not right". Well,
that's what I think, but it's what I've observed so far. If you Google
for ldap and "active directory" you should come across a page somewhere
along the line which tells you how to export your AD to the equivalent
of an LDIF file (basically, a text representation of your AD/LDAP
directory). If you search through that, you'll find (or at least I did)
the following:
- For a user's entry, for their list of groups, no entry for their default
group (at least this was the case for the users I looked at).
- For a group's entry, you won't find any(?) user who has the group in
question as their default group (again, this was the case for the users
I looked at).
Feel free to start a discussion, provide insight/commentary, or
ignore as usual.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
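As an added illustration of the "AD Bug" Eric describes (my own example, not code from the thread or from Apache httpd): AD records a user's Default (primary) group only in the user's primaryGroupID attribute, as the group's RID, and not in the group's member attribute that the require ldap-group test of mod_authnz_ldap consults. The script parses a constructed, simplified LDIF export and shows the difference for a user whose primary group is Domain Users; the DNs and the string-form objectSid are assumptions made for the sample.

```python
# Added example, not code from the thread or from Apache httpd. It parses a
# constructed, simplified LDIF export (objectSid shown as a string, not the
# binary form a real export uses) and compares what "require ldap-group" sees
# with where AD actually records a user's "Default" (primary) group.

SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=your,DC=org
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513
member: CN=Bob,OU=Staff,DC=your,DC=org

dn: CN=Alice,OU=Staff,DC=your,DC=org
objectClass: user
sAMAccountName: alice
primaryGroupID: 513

dn: CN=Bob,OU=Staff,DC=your,DC=org
objectClass: user
sAMAccountName: bob
primaryGroupID: 1001
memberOf: CN=Domain Users,CN=Users,DC=your,DC=org
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for unfolded, unencoded LDIF like the sample."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def group_rid(group):
    """primaryGroupID holds the group's RID: the last sub-authority of its SID."""
    return int(group["objectSid"][0].rsplit("-", 1)[1])

def check_membership(entries, user_dn, group_dn):
    """mod_authnz_ldap's ldap-group test looks for the user's DN in the group's
    member attribute; AD keeps primary-group membership only in primaryGroupID."""
    user, group = entries[user_dn], entries[group_dn]
    via_member = user_dn in group.get("member", [])
    via_primary = int(user.get("primaryGroupID", ["-1"])[0]) == group_rid(group)
    return {"member_attr": via_member, "primary_group": via_primary,
            "require_ldap_group_passes": via_member}
```

Running check_membership for Alice shows primary_group True but require_ldap_group_passes False, which is the symptom described above; Bob, a regular member, passes.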
Re: [users@httpd] Active Directory, Apache 2.2.2, and LDAP
Posted by Rainer Sokoll <R....@intershop.de>.
On Tue, May 02, 2006 at 03:38:12PM -0400, Stewart, Eric wrote:
> It turns out that the following set up will work - but that you
> might get bitten by what I call an "AD Bug":
>
> <Directory "/data1/webdocs/idriver">
[...]
> </Directory>
>
> This will work as expected, providing:
[problems]
I cannot say much about AD and default groups (I am not a windows
admin, fortunately) but this works fine for me (2.0.58 at this time):
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
<Location /foo/>
AuthType Basic
AuthLDAPEnabled on
AuthLDAPAuthoritative on
AuthLDAPBindDN "DOMAIN\\User"
AuthLDAPBindPassword veryverysecret
AuthLDAPUrl ldap://yourdc.your.org:389/OU=Staff,DC=your,DC=org?sAMAccountName
require valid-user
</Location>
AuthLDAPBind* is used for initial authentication, since a regular user
cannot read sAMAccountName (my windows admins told me so)
> Feel free to start a discussion, provide insight/commentary, or
> ignore as usual.
;-))
HTH,
Rainer