Posted to users@httpd.apache.org by Theresa Hilding <th...@gccaz.edu> on 2013/12/19 22:31:00 UTC

[users@httpd] How to configure authentication and authorization in directive against 2 Active Directory domains

We have an AD forest with user accounts in one domain (domain_u) and group
memberships for the same user accounts in a second domain (domain_g). I
need to authenticate users against domain_u and use the returned
distinguished name to authorize users based on group memberships in
domain_g.

I can successfully authenticate users against domain_u with a config that
looks like this:

<AuthnProviderAlias ldap ldap-domain_u>
  AuthLDAPBindDN "cn=….."
  AuthLDAPBindPassword …..
  AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-domain_g>
  AuthLDAPBindDN "cn=….."
  AuthLDAPBindPassword …..
  AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<Directory "${SRVROOT}/htdocs/test">
  AllowOverride none
  AuthType Basic
  AuthBasicProvider ldap-domain_u
  AuthLDAPGroupAttributeIsDN on
  LDAPReferrals Off
  <RequireAll>
    Require valid-user
  </RequireAll>
</Directory>

This authentication against domain_u works; however, I cannot figure out how
to authorize authenticated users against groups in domain_g. When I look at
group members in domain_g using my LDAP browser, I see distinguished names
that look exactly like the distinguished name set by Apache as an
environment variable after a successful authentication:

CN=S-1-5-..-……….-……….-……….-……,CN=ForeignSecurityPrincipals,DC=domain_u,DC=edu

Note that this distinguished name exists in domain_g in the
ForeignSecurityPrincipals container and specifies a SID instead of a
samaccountname.

I have tried many different permutations of config options underneath the
<Directory> directive but cannot get Apache to use a second
AuthnProviderAlias (ldap-domain_g) to verify group membership for the
distinguished name in domain_g. I've also done numerous Google searches
focusing on AD ForeignSecurityPrincipals, Active Directory and Apache
configuration and have not yet found the magic post I've been looking for.

Is what I would like to do even possible, and if so, could someone please
respond with the correct configuration to make this work?

Also, please note that if I set LDAPReferrals to 'On', my browser
displays 'Internal Server Error' and the Apache error log contains the
message:
[ldap:error] … (70023) This function has not been implemented on this
platform: AH01277: LDAP: Unable to add rebind cross reference entry. Out of
memory?
Thank you in advance,
Theresa