Posted to users@httpd.apache.org by Billy Baker <bi...@teknobilly.com> on 2012/11/24 04:26:31 UTC
[users@httpd] SSO LDAP Authorization with Auth_Form Session and Authnz_ldap in httpd 2.4
Hello httpd Auth_Form Fans,
I'm trying to implement a multi-site SSO solution using httpd's
mod_session, mod_auth_form, and mod_authnz_ldap. I have the LDAP
authentication part working great. I can authenticate against my LDAP
directory using a simple HTML Auth_Form form.
What I don't understand is how to configure support for multiple
hosts. My understanding is that the SessionCookieName and passphrase would
keep track of the sessions. For the single site it works fine.
I thought I would post what I have so far, as I have not seen this
topic covered here before, and perhaps some others would appreciate
this working example of single sites working with auth_form session
and authnz_ldap.
Do I need DBD at this stage? Shouldn't the sessions recognize the
AuthName example to authenticate by, or the session cookie
name/path/crypto passphrase? Regardless, I'm missing something. If
you see something I'd sure appreciate any tips.
Below is my configuration example. It's the same except I'm trying
to connect to subdomains rather than top-level domains.
Cheers,
Billy Baker
# httpd v2.4
# First Virtual Host Configuration
# Domain: Example.com
<VirtualHost *:80>
ServerAdmin techsupport@example.com
ServerName example.com
DocumentRoot /var/www/html/example.com
ErrorDocument 401 /login.html
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret
<Location />
    AuthFormProvider ldap
    AuthType form
    AuthName example
    AuthFormLoginRequiredLocation http://example.com/login.html
    AuthLDAPUrl "ldap://ds.example.com:389/ou=people,dc=example,dc=com?uid?sub?objectclass=*"
    AuthLDAPBinddn "uid=sdldapadmin,ou=special users,dc=example,dc=com"
    AuthLDAPBindPassword secretpasswd
    Require valid-user
</Location>
# The login page must be reachable without a session. httpd 2.4 access
# control only: the 2.2-style Order/Allow lines need mod_access_compat and
# add nothing next to Require.
<Location /login.html>
    Require all granted
</Location>
<Location /logout>
    SetHandler form-logout-handler
    AuthName example
    AuthFormLogoutLocation http://example.com/loggedout.html
</Location>
<Location /dologin.html>
    SetHandler form-login-handler
    AuthType form
    AuthName example
    AuthFormProvider ldap
    AuthFormLoginRequiredLocation http://example.com/login.html
</Location>
ErrorLog logs/ExampleError_log
CustomLog logs/ExampleAccess_log common
</VirtualHost>
# Second Virtual Host Configuration File
# Domain: Demo.com
<VirtualHost *:80>
ServerAdmin techsupport@demo.com
ServerName demo.com
DocumentRoot /var/www/html/demo.com
ErrorDocument 401 /login.html
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret
<Location />
    AuthFormProvider ldap
    AuthType form
    AuthName example
    AuthFormLoginRequiredLocation http://demo.com/login.html
    AuthLDAPUrl "ldap://ds.demo.com:389/ou=people,dc=demo,dc=com?uid?sub?objectclass=*"
    AuthLDAPBinddn "uid=sdldapadmin,ou=special users,dc=demo,dc=com"
    AuthLDAPBindPassword secretpasswd
    Require valid-user
</Location>
# The login page must be reachable without a session. httpd 2.4 access
# control only: the 2.2-style Order/Allow lines need mod_access_compat and
# add nothing next to Require.
<Location /login.html>
    Require all granted
</Location>
<Location /logout>
    SetHandler form-logout-handler
    AuthName example
    AuthFormLogoutLocation http://demo.com/loggedout.html
</Location>
<Location /dologin.html>
    SetHandler form-login-handler
    AuthType form
    AuthName example
    AuthFormProvider ldap
    AuthFormLoginRequiredLocation http://demo.com/login.html
</Location>
ErrorLog logs/demoError_log
CustomLog logs/demoAccess_log common
</VirtualHost>
####################################################
# login.html
<html>
<head><title>Test Login</title></head>
<body>
<form method="POST" action="/dologin.html">
Username: <input type="text" name="httpd_username" value="" />
Password: <input type="password" name="httpd_password" value="" />
<input type="submit" name="login" value="Login" />
<input type="hidden" name="httpd_location"
value="http://demo.com/index.html" />
</form>
</body>
</html>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
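The following is an added example and is not part of the original post or of the httpd project's own documentation. It shows the arrangement under which a mod_auth_form login actually carries from one host to another: both vhosts sit under one parent domain so a single cookie scope covers them, both decrypt the session with the same passphrase, and both verify the stored credentials against the same directory. The hostnames app.example.com and portal.example.com, the certificate paths, the passphrase file, the LDAP server and DNs, and the AuthName "sso" are all assumptions. Everything is written once inside a mod_macro block (bundled since httpd 2.4.5) purely to avoid copying the second vhost by hand.

```apache
# Added example, not the configuration from the post above. Requires
# mod_session, mod_session_cookie, mod_session_crypto, mod_auth_form,
# mod_authnz_ldap, mod_ssl and mod_macro, plus 'Listen 443'. Hostnames,
# paths, the passphrase file and the directory DNs are assumptions.

<Macro SsoHost $host>
<VirtualHost *:443>
    ServerName $host.example.com
    DocumentRoot /var/www/html/$host.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/$host.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/$host.example.com.key

    Session On
    # The session is encrypted with this passphrase, so a host using a different
    # one cannot read a cookie minted by its peer. Reading it from a root-only
    # file keeps it out of a world-readable httpd.conf.
    SessionCryptoPassphraseFile /etc/httpd/conf/session.passphrase
    # Cookie attributes go on the SessionCookieName line: domain= makes the
    # browser present the cookie to every host under example.com, httponly keeps
    # it from page script, secure keeps it off plain HTTP (hence *:443). No
    # attribute makes a browser send example.com's cookie to demo.com, so two
    # unrelated domains cannot share a login this way.
    SessionCookieName session path=/;domain=example.com;httponly;secure
    SessionMaxAge 3600

    <Location />
        AuthType form
        AuthName sso
        AuthFormProvider ldap
        AuthFormLoginRequiredLocation https://$host.example.com/login.html
        # mod_auth_form stores the username and password in the encrypted
        # session and re-checks them against the provider on each request, so
        # every host must query a directory in which the user exists; pointing
        # all of them at the same one avoids surprises. Filter narrowed from
        # objectclass=* to person. ldap:// carries the bind and user passwords
        # in clear; prefer ldaps:// once the CA is set with LDAPTrustedGlobalCert.
        AuthLDAPUrl "ldap://ds.example.com:389/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
        AuthLDAPBindDN "uid=sdldapadmin,ou=special users,dc=example,dc=com"
        AuthLDAPBindPassword secretpasswd
        Require valid-user
    </Location>

    # Pages that must be reachable without a session. 2.4 access control only;
    # no 2.2-style Order/Allow lines.
    <Location /login.html>
        Require all granted
    </Location>
    <Location /loggedout.html>
        Require all granted
    </Location>

    <Location /dologin.html>
        SetHandler form-login-handler
        AuthType form
        AuthName sso
        AuthFormProvider ldap
        # Where to send the user after a successful login. A httpd_location
        # field in the form overrides this, so leave that field out of the form
        # (or validate it) rather than let a posted value choose the redirect.
        AuthFormLoginSuccessLocation https://$host.example.com/
    </Location>

    <Location /logout>
        SetHandler form-logout-handler
        AuthName sso
        AuthFormLogoutLocation https://$host.example.com/loggedout.html
    </Location>
</VirtualHost>
</Macro>

Use SsoHost app
Use SsoHost portal
UndefMacro SsoHost
```

To check it, log in on https://app.example.com/ with a browser (or curl with a cookie jar) and confirm the Set-Cookie response carries Domain=example.com, HttpOnly and Secure; a following request to https://portal.example.com/ with that same cookie should then be served without a redirect to login.html. If the second host answers with a redirect to its login page, the passphrase files differ or the user does not resolve in the directory that host queries.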