[Centos] in CentOS 3.4, mod_auth_ldap ?

Lee Garner lee at leegarner.com
Fri Jan 21 04:55:25 UTC 2005


That's pretty much it.  My comments are interspersed below:

David McDowell wrote:

>awesome, if we are open tomorrow (snow storm coming) I shall have to
>try this... I have a couple of embedded questions to help me
>understand it, see comments below!  thanks...
>
>my comment/questions are _below_ the item they are related to:
>
>On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee at leegarner.com
><lee at leegarner.com> wrote:
>  
>
>>I have mod_authz_ldap working ok.  Here's a .htaccess file:
>>
>>AuthName        "Authorized Access Only"
>>AuthType        Basic
>>AuthzLDAPEngine on
>>AuthzLDAPServer "serverip:389"
>>AuthzLDAPBindDN ldap_lookup@domain.com
>>    
>>
>Does AuthzLDAPBindDN need to be the full ADS username at domain.com?
>  
>
That's the only way I could get it to work.  I tried a few variations on 
"cn=(name|userid),ou=department,dc=..." and it never worked.  In any 
case, it does need to be the full name.  user at domain worked the easiest.

>>AuthzLDAPBindPassword Ldap_Lookup_password
>>AuthzLDAPUserKey sAMAccountName
>>    
>>
>So this is where this goes... not blah blah...
>DC=com?sAMAccountName?sub?(objectClass=user)
>  
>
Yep.  I'm not sure whether authz_ldap filters on objectClass; I haven't checked.

>>AuthzLDAPUserBase dc=domain,dc=com
>>    
>>
>With this user base, this will go set it to look at the top of the ADS
>schema? For example, I have an OU = MyCity in case we ever expanded to
>another city I could have another OU for those users.
>  
>
That's the domain ID, and it would include subordinate OUs (according to 
the entry below).  I'm sure that you could restrict it somewhat by 
specifying ou=mycity,dc=...

>>AuthzLDAPUserScope subtree
>>    
>>
>
>and this tells it to search all subordinate OU's in the tree?
>  
>
Exactly.

>>AuthzLDAPSetAuthorization off
>>    
>>
>What is AuthzLDAPSetAuthorization off for?
>  
>
Ah, that's an issue that I found.  It's supposed to default to "off", 
but I found that with it on, or missing, the user's FQDN is passed to 
Apache ("cn=fred,ou=finance,dc=company,dc=com").  Authentication still 
works, but it messed up some of my programs which rely on REMOTE_USER.  
With the setting off, Apache gets only the sAMAccountName ("fred").

>>require group CN=GroupName,CN=Users,DC=domain,DC=com
>>    
>>
>I can still use "require valid-user" here right?
>require valid-user OU=MyCity,DC=domain,DC=com   ??
>  
>
Yes.  I use it for controlling access to network & systems monitoring 
apps (Nagios, Cacti, NMIS), so I restrict it to the IT dept.

>Thanks for fielding my questions!!  :)
>David McD
>  
>
No problem.  I hope this helps.  Stay warm.

Lee.
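[Editor's note, added to this archived message; the script below is not Lee's or David's and was not part of the thread.]  The .htaccess above is easier to debug outside Apache: the same bind, user lookup and group test can be done with OpenLDAP's ldapsearch (openldap-clients), which is what this pre-flight does.  It also shows what REMOTE_USER would carry for each value of AuthzLDAPSetAuthorization, as Lee describes, using a constructed entry for "fred".  The server, bind account, base DN and group are the placeholders from the thread; the base/onelevel scope spellings are assumed from the module's documentation (only subtree appears here), and the sample LDIF is made up, not real directory data.

```sh
#!/bin/sh
# Pre-flight for the mod_authz_ldap settings in the thread, using OpenLDAP's
# ldapsearch to do by hand what the module does: bind as the lookup account,
# find the login's entry under AuthzLDAPUserBase, and compare memberOf with
# the "require group" DN.  Added example, not code from the thread.

# --- settings copied from the .htaccess in the post (placeholders) -------
AUTHZ_SERVER="serverip:389"
AUTHZ_BIND_DN="ldap_lookup@domain.com"
AUTHZ_USER_KEY="sAMAccountName"
AUTHZ_USER_BASE="dc=domain,dc=com"
AUTHZ_USER_SCOPE="subtree"
AUTHZ_GROUP="CN=GroupName,CN=Users,DC=domain,DC=com"

# --- pure helpers (work offline) ----------------------------------------

# AuthzLDAPUserScope value -> ldapsearch -s argument.  "subtree" is the one
# the thread uses; base/onelevel are assumed from the module's docs.
authz_scope() {
    case "$1" in
        subtree)  echo sub ;;
        onelevel) echo one ;;
        base)     echo base ;;
        *) echo "unknown AuthzLDAPUserScope: $1" >&2; return 1 ;;
    esac
}

# RFC 4515 escaping for a value placed inside a search filter, so a login
# such as 'fred*' or 'a)(objectClass=*' cannot widen the search.
# Backslash goes first, otherwise it would re-escape the other replacements.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter built from AuthzLDAPUserKey and the Basic-auth login name.
user_filter() {
    printf '(%s=%s)' "$1" "$(ldap_filter_escape "$2")"
}

# ldapsearch folds long attribute values; a continuation line starts with
# one space.  Join them back so whole DNs can be compared.
ldif_unwrap() {
    sed -e :a -e '$!N' -e 's/\n //' -e ta -e P -e D
}

# True when the unwrapped LDIF ($1) lists memberOf equal to group DN ($2).
# AD DNs are case-insensitive, hence -i; -F -x keeps the DN out of regex.
in_group() {
    printf '%s\n' "$1" | grep -qixF "memberOf: $2"
}

# What REMOTE_USER would carry for this entry, per the post's finding:
# AuthzLDAPSetAuthorization off -> the AuthzLDAPUserKey value, on -> the DN.
# $1 = unwrapped LDIF, $2 = on|off, $3 = AuthzLDAPUserKey
remote_user_preview() {
    if [ "$2" = off ]; then
        printf '%s\n' "$1" | sed -n "s/^$3: //p" | head -n 1
    else
        printf '%s\n' "$1" | sed -n 's/^dn: //p' | head -n 1
    fi
}

# Constructed sample of an ldapsearch -LLL result for user "fred" (not real
# directory data), with memberOf folded the way ldapsearch folds it.
sample_ldif() {
    printf '%s\n' \
        'dn: CN=fred,OU=IT,DC=domain,DC=com' \
        'memberOf: CN=GroupName,CN=Users,DC=domai' \
        ' n,DC=com' \
        'sAMAccountName: fred'
}

# --- live check (needs openldap-clients and a reachable DC) -------------

# check_user LOGIN LOOKUP_PASSWORD [on|off]
# Port 389 with -x is a cleartext simple bind, the same thing the module
# does; add -Z (StartTLS) or use ldaps:// when the DC offers it.  -w puts
# the password in the process list; prefer -W or -y FILE interactively.
check_user() {
    login=$1; bindpw=$2; setauthz=${3:-off}
    raw=$(ldapsearch -x -LLL -H "ldap://$AUTHZ_SERVER" \
            -D "$AUTHZ_BIND_DN" -w "$bindpw" \
            -b "$AUTHZ_USER_BASE" -s "$(authz_scope "$AUTHZ_USER_SCOPE")" \
            "$(user_filter "$AUTHZ_USER_KEY" "$login")" \
            dn "$AUTHZ_USER_KEY" memberOf) || {
        echo "bind or search failed: check AuthzLDAPBindDN/BindPassword" >&2
        return 1
    }
    entry=$(printf '%s\n' "$raw" | ldif_unwrap)
    [ -n "$entry" ] || { echo "no entry for $login under $AUTHZ_USER_BASE" >&2; return 1; }
    if in_group "$entry" "$AUTHZ_GROUP"; then
        echo "$login is in $AUTHZ_GROUP: 'require group' would pass"
    else
        echo "$login is NOT in $AUTHZ_GROUP: 'require group' would deny"
    fi
    echo "REMOTE_USER with AuthzLDAPSetAuthorization $setauthz:" \
         "$(remote_user_preview "$entry" "$setauthz" "$AUTHZ_USER_KEY")"
}

# Usage: sh authz_check.sh fred 'Ldap_Lookup_password' off
if [ "$#" -ge 2 ]; then
    check_user "$@"
fi
```

Two things worth keeping in mind with this setup, independent of the script: AuthType Basic sends every user's AD password base64-encoded on each request, and AuthzLDAPServer "serverip:389" is a plain simple bind, so both the lookup password and the users' passwords cross the network in clear unless the vhost is HTTPS-only (SSLRequireSSL) and the directory connection is TLS-protected.  The .htaccess also holds the lookup account's password where the httpd user can read it, so that account should be an unprivileged read-only one.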
