Awesome, Lee! Thank you! I've updated my notes here: http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt
take care, David McD
On Thu, 20 Jan 2005 20:55:25 -0800, Lee Garner <lee@leegarner.com> wrote:
That's pretty much it. My comments are interspersed below:
David McDowell wrote:
Awesome. If we are open tomorrow (snow storm coming) I shall have to try this... I have a couple of embedded questions to help me understand it; see comments below! Thanks...
My comments/questions are _below_ the item they relate to:
On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee@leegarner.com wrote:
I have mod_authz_ldap working ok. Here's a .htaccess file:
AuthName "Authorized Access Only"
AuthType Basic
AuthzLDAPEngine on
AuthzLDAPServer "serverip:389"
AuthzLDAPBindDN ldap_lookup@domain.com
Does AuthzLDAPBindDN need to be the full ADS username@domain.com?
That's the only way I could get it to work. I tried a few variations on "cn=(name|userid),ou=department,dc=..." and it never worked. In any case, it does need to be the full name. user@domain worked the easiest.
AuthzLDAPBindPassword Ldap_Lookup_password
AuthzLDAPUserKey sAMAccountName
So this is where this goes... not blah blah... DC=com?sAMAccountName?sub?(objectClass=user)
Yep. I'm not sure if authz_ldap filters on objectClass, I haven't checked.
AuthzLDAPUserBase dc=domain,dc=com
With this user base, this will set it to look at the top of the ADS schema? For example, I have an OU = MyCity; in case we ever expanded to another city I could have another OU for those users.
That's the domain ID, and it would include subordinate OUs (according to the entry below). I'm sure that you could restrict it somewhat by specifying ou=mycity,dc=...
AuthzLDAPUserScope subtree
And this tells it to search all subordinate OUs in the tree?
Exactly.
AuthzLDAPSetAuthorization off
What is AuthzLDAPSetAuthorization off for?
Ah, that's an issue that I found. It's supposed to default to "off", but I found that with it on, or missing, the user's FQDN is passed to Apache ("cn=fred,ou=finance,dc=company,dc=com"). Authentication still works, but it messed up some of my programs which rely on REMOTE_USER. With the setting off, Apache gets only the sAMAccountName ("fred").
require group CN=GroupName,CN=Users,DC=domain,DC=com
I can still use "require valid-user" here, right? require valid-user OU=MyCity,DC=domain,DC=com ??
Yes. I use it for controlling access to network & systems monitoring apps (Nagios, Cacti, NMIS), so I restrict it to the IT dept.
Thanks for fielding my questions!! :) David McD
No problem. I hope this helps. Stay warm.
Lee.
CentOS mailing list CentOS@caosity.org http://lists.caosity.org/mailman/listinfo/centos
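Putting the pieces of the thread together, here is the complete .htaccess as one block. This is an added example assembled from the directives Lee posted, not his file verbatim; serverip, ldap_lookup@domain.com, the bind password, dc=domain,dc=com and the group DN are placeholders to substitute for your own domain.

```apache
# Added example: complete mod_authz_ldap .htaccess assembled from the
# directives in this thread. serverip, ldap_lookup@domain.com, the
# password, dc=domain,dc=com and the group DN are placeholders.
AuthName "Authorized Access Only"
AuthType Basic
AuthzLDAPEngine on

# Directory server and the account used for the lookup bind. Lee found
# that against ADS the bind identity had to be the user@domain form;
# a cn=...,ou=...,dc=... DN did not work for him.
AuthzLDAPServer "serverip:389"
AuthzLDAPBindDN ldap_lookup@domain.com
AuthzLDAPBindPassword Ldap_Lookup_password

# Which attribute the supplied username is matched against, where the
# search starts, and how deep it goes. "subtree" covers every OU under
# the base; narrow the base (e.g. ou=MyCity,dc=domain,dc=com) to limit it.
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserBase dc=domain,dc=com
AuthzLDAPUserScope subtree

# off: REMOTE_USER receives only the sAMAccountName ("fred").
# on, or the directive missing (per Lee): REMOTE_USER receives the full
# DN ("cn=fred,ou=finance,dc=company,dc=com"), which breaks apps that
# expect a short login name.
AuthzLDAPSetAuthorization off

# Either any account that authenticates:
#   require valid-user
# or only members of one AD group (what Lee uses for Nagios/Cacti/NMIS):
require group CN=GroupName,CN=Users,DC=domain,DC=com
```

Two things the thread does not spell out but a deployment should account for: the lookup account's password sits in this file in clear text, so keep the file readable only by the httpd user, give that account read-only directory rights, and rely on Apache's stock deny rule for .ht* files so it is never served; and port 389 plain LDAP plus AuthType Basic both carry credentials unencrypted on the wire, so in practice this belongs behind HTTPS, with the Apache-to-AD leg likewise protected where your module and server support it.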