Posted to users@httpd.apache.org by Theresa Hilding <th...@gccaz.edu> on 2013/12/19 22:31:00 UTC
[users@httpd] How to configure authentication and authorization in directive against 2 Active Directory domains
We have an AD forest with user accounts in one domain (domain_u) and group
memberships for the same user accounts in a second domain (domain_g). I
need to authenticate users against domain_u and use the returned
distinguished name to authorize users based on group memberships in
domain_g.
I can successfully authenticate users against domain_u with a config that
looks like this:
<AuthnProviderAlias ldap ldap-domain_u>
    AuthLDAPBindDN "cn=….."
    AuthLDAPBindPassword …..
    AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-domain_g>
    AuthLDAPBindDN "cn=….."
    AuthLDAPBindPassword …..
    AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<Directory "${SRVROOT}/htdocs/test">
    AllowOverride none
    AuthType Basic
    AuthBasicProvider ldap-domain_u
    AuthLDAPGroupAttributeIsDN on
    LDAPReferrals Off
    <RequireAll>
        Require valid-user
    </RequireAll>
</Directory>
This authentication against domain_u works; however, I cannot figure out how
to authorize authenticated users against groups in domain_g. When I look at
group members in domain_g using my ldap browser I see distinguished names
that look exactly like the distinguished name set by apache as an
environment variable after a successful authentication:
CN=S-1-5-..-……….-……….-……….-……,CN=ForeignSecurityPrincipals,DC=domain_u,DC=edu
Note that this distinguished name exists in domain_g in the
ForeignSecurityPrincipals container and specifies a SID instead of a
samaccountname.
I have tried many different permutations of config options underneath the
<Directory> directive but cannot get apache to use a second
AuthnProviderAlias (ldap-domain_g) to verify group membership for the
distinguished name in domain_g. I've also done numerous Google searches
focusing on AD ForeignSecurityPrincipals, Active Directory and Apache
configuration and have not yet found the magic post I've been looking for.
Is what I would like to do even possible and if so could someone please
respond with the correct configuration to make this work?
Also, please note that if I set LDAPReferrals to 'On' my browser
displays 'Internal Server Error' and the apache error log contains the
message:
[ldap:error] … (70023) This function has not been implemented on this
platform: AH01277: LDAP: Unable to add rebind cross reference entry. Out of
memory?
Thank you in advance,
Theresa
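As an added example (not part of Theresa's post or of any reply on the list), the httpd 2.4 directive that does for authorization what AuthnProviderAlias does for authentication is AuthzProviderAlias from mod_authz_core: it wraps an authorization provider such as ldap-group together with its own AuthLDAPURL and bind credentials, so the group compare can be sent to domain_g while the password check still goes to domain_u. The host names, service-account DNs, passwords, base DNs and the group DN below are placeholders, and AuthName is assumed to be needed at this level; the original post elides all of them.

```apache
# Added example: authenticate against domain_u, authorize against a group in
# domain_g using an AuthzProviderAlias (httpd 2.4, mod_authz_core +
# mod_authnz_ldap). All DNs, hosts and passwords are placeholders.

# Authentication provider: user accounts live in domain_u.
<AuthnProviderAlias ldap ldap-domain_u>
    AuthLDAPBindDN       "cn=svc-apache,ou=service,dc=domain_u,dc=edu"   # placeholder
    AuthLDAPBindPassword "changeme"                                        # placeholder
    AuthLDAPURL          "ldap://dc1.domain_u.edu/dc=domain_u,dc=edu?sAMAccountName?sub?(objectClass=user)"
</AuthnProviderAlias>

# Authorization provider: group memberships live in domain_g. The third
# argument is the parameter handed to the ldap-group provider, i.e. the DN of
# the group that grants access (placeholder).
<AuthzProviderAlias ldap-group ldap-group-domain_g "cn=webapp-users,ou=groups,dc=domain_g,dc=edu">
    AuthLDAPBindDN       "cn=svc-apache,ou=service,dc=domain_g,dc=edu"   # placeholder
    AuthLDAPBindPassword "changeme"                                        # placeholder
    AuthLDAPURL          "ldap://dc1.domain_g.edu/dc=domain_g,dc=edu?sAMAccountName?sub?(objectClass=user)"
    # Compare the group's member values against the user's DN, not the bare
    # username (AD stores DNs in "member", which is in the default attribute list).
    AuthLDAPGroupAttributeIsDN on
    # Optional: also accept membership granted through a nested AD group.
    AuthLDAPSubGroupClass    group
    AuthLDAPMaxSubGroupDepth 1
</AuthzProviderAlias>

<Directory "${SRVROOT}/htdocs/test">
    AllowOverride none
    AuthType Basic
    AuthName "test"                   # assumed; Basic auth needs a realm
    AuthBasicProvider ldap-domain_u   # password check goes to domain_u
    LDAPReferrals Off
    <RequireAll>
        Require valid-user            # must have authenticated
        Require ldap-group-domain_g   # and be in the domain_g group
    </RequireAll>
</Directory>
```

One caveat a practitioner should check before relying on this: with AuthLDAPGroupAttributeIsDN on, the value mod_authnz_ldap compares against the group's member attribute is the user DN it found during the authentication search in domain_u (CN=user,...,DC=domain_u,DC=edu). If the group in domain_g lists that user only as a ForeignSecurityPrincipals entry (CN=S-1-5-...,CN=ForeignSecurityPrincipals,...), that string will not equal the domain_u DN, so the compare fails even though the connection to domain_g is set up correctly; turning on `LogLevel authnz_ldap:debug` shows exactly which DN was compared against which group.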