Setting up a new backuppc for a small group of devices and I am running centos 5.4 with winbind setup and working. Everything is working and I would like the users to authenticate using their AD creds and was wondering what folks are using to do that with apache 2.2 and centos 5.4. I know about mod_auth_pam but that seems pretty dead so I was just wondering what folks were using and what's the easiest to setup. Any pointers to any how to's would be appreciated...Thanks.
I had written a blog quite some time back on this. There might be some glitches in it, but will give you some clue. The blog is blog.Palalinha.Com. I am sitting at the airport with my mobile so can't find you the correct thread in the blog. Let me know if it helps.
On 2/8/10, Tom Bishop bishoptf@gmail.com wrote:
Setting up a new backuppc for a small group of devices and I am running centos 5.4 with winbind setup and working. Everything is working and I would like the users to authenticate using their AD creds and was wondering what folks are using to do that with apache 2.2 and centos 5.4. I know about mod_auth_pam but that seems pretty dead so I was just wondering what folks were using and what's the easiest to setup. Any pointers to any how to's would be appreciated...Thanks.
I looked over an most of which I have already done, the last piece that I am trying to address is how to do authentication with Apache against active directory, mod_auth_pam is one way but I have not had any luck getting it to compile with the latest Apache....Thanks
On Mon, Feb 8, 2010 at 6:49 PM, Arvind P R iinfi1@gmail.com wrote:
I had written a blog quite some time back on this. There might be some glitches in it, but will give you some clue. The blog is blog.Palalinha.Com. I am sitting at the airport with my mobile so can't find you the correct thread in the blog. Let me know if it helps.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I've had decent luck with LDAP authentication for Apache. AD does not support anonymous LDAP searches so you have to have a user account that has the ability to search AD. Here's a modified sample config (.htaccess or httpd.conf) that includes security group membership checks. This would require that a user login with their Windows domain username and password and that the user be a member of the AD security group 'managers':
AuthType basic
AuthName "Windows Domain Credentials - Managers Only"
AuthzLDAPMethod ldap
AuthzLDAPServer "dc1.example.com"
AuthzLDAPBindDN "CN=username,CN=Users,DC=example,DC=com"
AuthzLDAPBindPassword "superSecretPassword"
AuthzLDAPUserBase "CN=Users,DC=example,DC=com"
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserScope subtree
AuthzLDAPGroupBase "CN=Users,DC=example,DC=com"
AuthzLDAPGroupKey cn
AuthzLDAPGroupScope subtree
AuthzLDAPMemberKey member
AuthzLDAPSetGroupAuth ldapdn
require group managers
On Tue, Feb 9, 2010 at 11:35 AM, Tom Bishop bishoptf@gmail.com wrote:
I looked over an most of which I have already done, the last piece that I am trying to address is how to do authentication with Apache against active directory, mod_auth_pam is one way but I have not had any luck getting it to compile with the latest Apache....Thanks
This looks like the way to go, I don't like the username /pass stored in plain text but maybe if I create a special group that doesn't really have any privileges this would work, geez AD is just plain bad...lol, Thanks.
On Tue, Feb 9, 2010 at 10:57 AM, Pat and Lori Boyer pboyer@gmail.com wrote:
I've had decent luck with LDAP authentication for Apache. AD does not support anonymous LDAP searches so you have to have a user account that has the ability to search AD. Here's a modified sample config (.htaccess or httpd.conf) that includes security group membership checks. This would require that a user login with their Windows domain username and password and that the user be a member of the AD security group 'managers':
AuthType basic
AuthName "Windows Domain Credentials - Managers Only"
AuthzLDAPMethod ldap
AuthzLDAPServer "dc1.example.com"
AuthzLDAPBindDN "CN=username,CN=Users,DC=example,DC=com"
AuthzLDAPBindPassword "superSecretPassword"
AuthzLDAPUserBase "CN=Users,DC=example,DC=com"
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserScope subtree
AuthzLDAPGroupBase "CN=Users,DC=example,DC=com"
AuthzLDAPGroupKey cn
AuthzLDAPGroupScope subtree
AuthzLDAPMemberKey member
AuthzLDAPSetGroupAuth ldapdn
require group managers
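Added example (not part of the thread, and not code from any poster or from Apache): a small Python audit for two risks raised in this thread, an LDAP bind password sitting in a readable config file and directory lookups made without TLS. AuthzLDAPBindPassword comes from the config quoted above; AuthLDAPBindPassword and AuthLDAPURL are the corresponding mod_authnz_ldap directives, and the finding codes, file paths and sample text are constructed for illustration.

```python
import os
import shlex
import stat

# AuthzLDAPBindPassword is the directive in the post's config;
# AuthLDAPBindPassword and AuthLDAPURL are mod_authnz_ldap's equivalents.
PASSWORD_DIRECTIVES = {"authzldapbindpassword", "authldapbindpassword"}
TLS_MODES = {"SSL", "TLS", "STARTTLS"}


def directives(text):
    """Yield (line number, lowercased directive name, argument list)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # blank line, comment, or <Directory>-style container
        parts = shlex.split(line)
        yield lineno, parts[0].lower(), parts[1:]


def audit_text(text, filename, mode):
    """Return sorted (line number, finding code) pairs for one config file.

    mode is the file's permission bits, e.g. 0o644.
    """
    findings = []
    for lineno, name, args in directives(text):
        if name in PASSWORD_DIRECTIVES:
            if mode & stat.S_IROTH:
                findings.append((lineno, "BIND_PASSWORD_WORLD_READABLE"))
            if os.path.basename(filename) == ".htaccess":
                # .htaccess sits inside the served tree and must stay
                # readable by the httpd user at request time.
                findings.append((lineno, "BIND_PASSWORD_IN_HTACCESS"))
        elif name == "authldapurl" and args:
            url = args[0].lower()
            tls_mode = len(args) > 1 and args[1].upper() in TLS_MODES
            if url.startswith("ldap://") and not tls_mode:
                # Both the bind password and the user's typed password
                # would cross the network to the DC in cleartext.
                findings.append((lineno, "LDAP_WITHOUT_TLS"))
    return sorted(findings)


def audit_file(path):
    """Audit a file on disk using its real permission bits."""
    with open(path) as handle:
        text = handle.read()
    return audit_text(text, path, stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample: the bind lines from the post's config, plus a
# mod_authnz_ldap URL line added here to exercise the TLS check.
SAMPLE = '''\
AuthType basic
AuthzLDAPBindDN "CN=username,CN=Users,DC=example,DC=com"
AuthzLDAPBindPassword "superSecretPassword"
AuthLDAPURL "ldap://dc1.example.com/CN=Users,DC=example,DC=com?sAMAccountName?sub"
'''

if __name__ == "__main__":
    for finding in audit_text(SAMPLE, "/var/www/html/.htaccess", 0o644):
        print(finding)
```

Point audit_file() at httpd.conf and at every .htaccess that carries LDAP settings; a clean result still leaves the bind account's own AD privileges to be reviewed separately.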
This looks like the way to go, I don't like the username /pass stored in plain text but maybe if I create a special group that doesn't really have any privileges this would work, geez AD is just plain bad...lol, Thanks.
I guess you think insecure would be better? If I understand your need, you want to make AD insecure, so please enable anonymous binds so you don't need a user/pass to make the query:)
Or program your own auth backend that binds with the intended creds asking for auth:) Oh, and do this w/o tls/ssl because you want it insecure:)
Point taken and I do understand, in reality I would rather have nothing to do with MS which is insecure from the start, ever try to firewall an SBS 2003 install, good luck, they recommend turning it off, go figure....lol
On Tue, Feb 9, 2010 at 12:08 PM, Joseph L. Casale <jcasale@activenetwerx.com> wrote:
This looks like the way to go, I don't like the username /pass stored in plain text but maybe if I create a special group that doesn't really have any privileges this would work, geez AD is just plain bad...lol, Thanks.
I guess you think insecure would be better? If I understand your need, you want to make AD insecure, so please enable anonymous binds so you don't need a user/pass to make the query:)
Or program your own auth backend that binds with the intended creds asking for auth:) Oh, and do this w/o tls/ssl because you want it insecure:)
On Tue, 2010-02-09 at 18:08 +0000, Joseph L. Casale wrote:
This looks like the way to go, I don't like the username /pass stored in plain text but maybe if I create a special group that doesn't really have any privileges this would work, geez AD is just plain bad...lol, Thanks.
I guess you think insecure would be better? If I understand your need, you want to make AD insecure, so please enable anonymous binds so you don't need a user/pass to make the query:)
Or program your own auth backend that binds with the intended creds asking for auth:) Oh, and do this w/o tls/ssl because you want it insecure:)
---- seems to me that permitting an anonymous bind to LDAP is inherently more secure than requiring a user/password combination so I don't think that your explanation is exactly true. In Microsoft's view, the only systems querying LDAP would be systems automatically passing the authentication.
Craig
seems to me that permitting an anonymous bind to LDAP is inherently more secure than requiring a user/password combination so I don't think that your explanation is exactly true.
There are ways to create accounts just for this with reduced privileges. Research technet...
In Microsoft's view, the only systems querying LDAP would be systems automatically passing the authentication.
Wow, someone actually hacking on MS for expecting us to do things secure? What will they expect next:)
If they didn't and by default allowed anon binds, "someone" would surely say "Microsoft sucks, they don't expect us to do this securely, blah blah".
The topic is mute, let's save the list the despair of rehashing the severely hashed. From the point of view of some, MS will always suck. Changing the minds of that type of person isn't my interest, I was merely pointing out some facts surrounding the implementation of the topic at hand. Sorry for disagreeing with you:)
On Tue, 2010-02-09 at 21:29 +0000, Joseph L. Casale wrote:
seems to me that permitting an anonymous bind to LDAP is inherently more secure than requiring a user/password combination so I don't think that your explanation is exactly true.
There are ways to create accounts just for this with reduced privileges. Research technet...
In Microsoft's view, the only systems querying LDAP would be systems automatically passing the authentication.
Wow, someone actually hacking on MS for expecting us to do things secure? What will they expect next:)
If they didn't and by default allowed anon binds, "someone" would surely say "Microsoft sucks, they don't expect us to do this securely, blah blah".
The topic is mute, let's save the list the despair of rehashing the severely hashed. From the point of view of some, MS will always suck. Changing the minds of that type of person isn't my interest, I was merely pointing out some facts surrounding the implementation of the topic at hand. Sorry for disagreeing with you:)
---- I just disagree with your parsing and conclusions.
I did not hack on MS for expecting us to do things securely nor did I say that preventing anonymous binds made it more secure. I think I actually said the opposite.
anonymous binds are just that - anonymous binds and there could easily be ACL's that govern what you can access without a user/password but I think Microsoft is after overall simplicity.
The topic would necessarily be 'moot' and not 'mute' and I was uncomfortable with the notion that you were chiding the OP for thinking that an anonymous bind was less secure - in most instances, it is a more secure option... especially for his usage. If he could bind anonymously, he could bind, let the user supply the account/password, authenticate and thus no account information would be necessary in the config files so it speaks directly to the OP's desires.
Better security.
Craig
On Tue, 2010-02-09 at 14:21 -0700, Craig White wrote:
seems to me that permitting an anonymous bind to LDAP is inherently more secure than requiring a user/password combination so I don't think that your explanation is exactly true. In Microsoft's view, the only systems querying LDAP would be systems automatically passing the authentication.
Craig
----
Yes it is true, you have to have that for it to work correctly.
John
> -----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of JohnS
Sent: Wednesday, February 10, 2010 1:31 AM
To: CentOS mailing list
Subject: Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?
Yes it is true, you have to have that for it to work correctly.
John
I apologize if this has been mentioned before but one option would be to use Apache's Kerberos module for authentication. See the module's sourceforge page here --> http://modauthkerb.sourceforge.net/configure.html
Regards,
Dan
If you are using AD for JUST authentication and not user information, you can use the PAM Kerberos stuff. We've been using it for a couple of years from both CentOS/RHEL 4 and 5 systems with good results. It was actually pretty easy to do (once we figured out which type of chicken bones to burn).
You can use authconfig to turn it all on:
authconfig --enablekrb5 --krb5realm {AD domain name} \
    --enablekrb5kdcdns --enablekrb5realmdns --update
This will use DNS to locate the domain controller and KDC for the domain given the AD domain name. You can manually specify the KDC and admin servers too, see the authconfig man page for specific details.
If you want something perhaps more polished, you could look into the Likewise products, which handle the whole shooting match pretty well (http://www.likewise.com/products/likewise_open/). I've played with the Open (free) version and it worked just fine, the Enterprise has more features but I haven't played with it.
As always, YMMV.
I just need something for apache auth. I have winbind working just fine for the other stuff...Thanks
On 2/9/10, Jay Leafey jay.leafey@mindless.com wrote:
If you are using AD for JUST authentication and not user information, you can use the PAM Kerberos stuff. We've been using it for a couple of years from both CentOS/RHEL 4 and 5 systems with good results. It was actually pretty easy to do (once we figured out which type of chicken bones to burn).
You can use authconfig to turn it all on:
authconfig --enablekrb5 --krb5realm {AD domain name} \
    --enablekrb5kdcdns --enablekrb5realmdns --update
This will use DNS to locate the domain controller and KDC for the domain given the AD domain name. You can manually specify the KDC and admin servers too, see the authconfig man page for specific details.
If you want something perhaps more polished, you could look into the Likewise products, which handle the whole shooting match pretty well (http://www.likewise.com/products/likewise_open/). I've played with the Open (free) version and it worked just fine, the Enterprise has more features but I haven't played with it.
As always, YMMV.
Jay Leafey - Memphis, TN jay.leafey@mindless.com
On 10-02-2010 00:43, Tom Bishop wrote:
I just need something for apache auth. I have winbind working just fine for the other stuff...Thanks
One thing I use is ldaps auth, but it will always demand an auth dialog.
Kerberos ticket support has the advantage that you may avoid that, but it has the difficulty that you can't have a different username that easily.
Rui
I was able to get ldap auth working fairly easily, although getting SSL to work took a little bit more effort due to trying to get the ca.cert from the SBS server....
On Thu, Feb 11, 2010 at 2:34 AM, Rui Miguel Silva Seabra rms@1407.org wrote:
On 10-02-2010 00:43, Tom Bishop wrote:
I just need something for apache auth. I have winbind working just fine for the other stuff...Thanks
One thing I use is ldaps auth, but it will always demand an auth dialog.
Kerberos ticket support has the advantage that you may avoid that, but it has the difficulty that you can't have a different username that easily.
Rui
On Wednesday, 10.02.2010, at 01:10 +0100, Jay Leafey wrote:
If you are using AD for JUST authentication and not user information, you can use the PAM Kerberos stuff. We've been using it for a couple of years from both CentOS/RHEL 4 and 5 systems with good results. It was actually pretty easy to do (once we figured out which type of chicken bones to burn).
If you have that working you can even go without pam as Dan mentioned you can use the apache kerberos module. A short howto is here: http://wiki.centos.org/HowTos/HttpKerberosAuth
Chris
Did anyone know where can I find the MonoDevelop as RPM?
I wonder if there's any version under 2.2
Regards
___________________________________
Sincerely,
Alberto García Gómez M:.M:.
Network Administrator/Webmaster
Dirección Provincial de Educación. Matanzas, Cuba.
On Tue, 2010-02-16 at 05:58 -0500, Alberto Garcia Gomez wrote:
Did anyone know where can I find the MonoDevelop as RPM?
I wonder if there's any version under 2.2
yum search mono ## have fun
mono-core.i386 : The Mono CIL runtime, suitable for running .NET code
mono-data.i386 : Database connectivity for Mono
mono-data-firebird.i386 : Firebird database connectivity for Mono
mono-data-oracle.i386 : Oracle database connectivity for Mono
mono-data-postgresql.i386 : Postgresql database connectivity for Mono
mono-data-sqlite.i386 : sqlite database connectivity for Mono
mono-data-sybase.i386 : Sybase database connectivity for Mono
mono-devel.i386 : Development tools for Mono
mono-extras.i386 : Provides the infrastructure for running and building daemons and services with Mono as well as various stub assemblies
mono-jscript.i386 : JScript .NET support for Mono
mono-locale-extras.i386 : Extra locale information for Mono
mono-nunit.i386 : NUnit Testing Framework
mono-nunit-devel.i386 : pkgconfig for nunit
mono-web.i386 : ASP.NET, Remoting, and Web Services for Mono
mono-winforms.i386 : Windows Forms implementation for Mono
xsp.i386 : A small web server that hosts ASP.NET
xsp-devel.i386 : Development files for xsp
I have no idea what you mean by version 2.2 but any .Net 2.0 code will run on mono and 1.1 with a lil work that is.
John
On Tue, 2010-02-16 at 05:58 -0500, Alberto Garcia Gomez wrote:
Did anyone know where can I find the MonoDevelop as RPM?
I wonder if there's any version under 2.2
--- I see now what you want and you will have to roll your own RPM or hack the Suse RPM or install from a tar file. I do not think there is enough interest on RHEL and CentOS to make an RPM. Mono as it is comes with an IDE.
Have you tried the source install?
John
On Mon, Feb 8, 2010 at 8:18 AM, Tom Bishop bishoptf@gmail.com wrote:
Setting up a new backuppc for a small group of devices and I am running centos 5.4 with winbind setup and working. Everything is working and I would like the users to authenticate using their AD creds and was wondering what folks are using to do that with apache 2.2 and centos 5.4. I know about mod_auth_pam but that seems pretty dead so I was just wondering what folks were using and what's the easiest to setup. Any pointers to any how to's would be appreciated...Thanks.
This works for me
PerlModule Authen::Simple::Apache
PerlModule Authen::Simple::ActiveDirectory
PerlSetVar AuthenSimpleActiveDirectory_host "mydc.inside.net"
PerlSetVar AuthenSimpleActiveDirectory_principal "mydomain"

<Directory /var/www/whatever>
    PerlAuthenHandler Authen::Simple::ActiveDirectory
    AuthType Basic
    AuthName "Sekret Playce"
    require valid-user
</Directory>