I'm coming from FC3 and moving to CentOS 3.4. I have been using mod_auth_ldap for some time now with Apache 2.x and authenticating to my Microsoft ADS without problems, here's my article on how that worked:
http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt
However, I have come to find out that CentOS 3.4 only comes with mod_authz_ldap, and from what I have read it doesn't seem like it will work with MS ADS at all. Any thoughts on how I can get mod_auth_ldap (not authz) functional with my CentOS 3.4, and where to get it?
thanks, David McD
I have mod_authz_ldap working ok. Here's a .htaccess file:
AuthName "Authorized Access Only"
AuthType Basic
AuthzLDAPEngine on
AuthzLDAPServer "serverip:389"
AuthzLDAPBindDN ldap_lookup@domain.com
AuthzLDAPBindPassword Ldap_Lookup_password
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserBase dc=domain,dc=com
AuthzLDAPUserScope subtree
AuthzLDAPSetAuthorization off
require group CN=GroupName,CN=Users,DC=domain,DC=com
awesome, if we are open tomorrow (snow storm coming) I shall have to try this... I have a couple of embedded questions to help me understand it, see comments below! thanks...
my comment/questions are _below_ the item they are related to:
On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee@leegarner.com wrote:
I have mod_authz_ldap working ok. Here's a .htaccess file:
AuthName "Authorized Access Only"
AuthType Basic
AuthzLDAPEngine on
AuthzLDAPServer "serverip:389"
AuthzLDAPBindDN ldap_lookup@domain.com
Does AuthzLDAPBindDN need to be the full ADS username@domain.com?
AuthzLDAPBindPassword Ldap_Lookup_password
AuthzLDAPUserKey sAMAccountName
So this is where this goes... not blah blah... DC=com?sAMAccountName?sub?(objectClass=user)
AuthzLDAPUserBase dc=domain,dc=com
With this user base, this will go set it to look at the top of the ADS schema? For example, I have an OU = MyCity in case we ever expanded to another city I could have another OU for those users.
AuthzLDAPUserScope subtree
and this tells it to search all subordinate OU's in the tree?
AuthzLDAPSetAuthorization off
What is AuthzLDAPSetAuthorization off for?
require group CN=GroupName,CN=Users,DC=domain,DC=com
I can still use "require valid-user" here right? require valid-user OU=MyCity,DC=domain,DC=com ??
Thanks for fielding my questions!! :) David McD
CentOS mailing list CentOS@caosity.org http://lists.caosity.org/mailman/listinfo/centos
That's pretty much it. My comments are interspersed below:
David McDowell wrote:
awesome, if we are open tomorrow (snow storm coming) I shall have to try this... I have a couple of embedded questions to help me understand it, see comments below! thanks...
my comment/questions are _below_ the item they are related to:
On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee@leegarner.com wrote:
I have mod_authz_ldap working ok. Here's a .htaccess file:
AuthName "Authorized Access Only"
AuthType Basic
AuthzLDAPEngine on
AuthzLDAPServer "serverip:389"
AuthzLDAPBindDN ldap_lookup@domain.com
Does AuthzLDAPBindDN need to be the full ADS username@domain.com?
That's the only way I could get it to work. I tried a few variations on "cn=(name|userid),ou=department,dc=..." and it never worked. In any case, it does need to be the full name. user@domain worked the easiest.
AuthzLDAPBindPassword Ldap_Lookup_password
AuthzLDAPUserKey sAMAccountName
So this is where this goes... not blah blah... DC=com?sAMAccountName?sub?(objectClass=user)
Yep. I'm not sure if authz_ldap filters on objectClass, I haven't checked.
AuthzLDAPUserBase dc=domain,dc=com
With this user base, this will go set it to look at the top of the ADS schema? For example, I have an OU = MyCity in case we ever expanded to another city I could have another OU for those users.
That's the domain ID, and it would include subordinate OUs (according to the entry below). I'm sure that you could restrict it somewhat by specifying ou=mycity,dc=...
AuthzLDAPUserScope subtree
and this tells it to search all subordinate OU's in the tree?
Exactly.
AuthzLDAPSetAuthorization off
What is AuthzLDAPSetAuthorization off for?
Ah, that's an issue that I found. It's supposed to default to "off", but I found that with it on, or missing, the user's FQDN is passed to Apache ("cn=fred,ou=finance,dc=company,dc=com"). Authentication still works, but it messed up some of my programs which rely on REMOTE_USER. With the setting off, Apache gets only the sAMAccountName ("fred").
require group CN=GroupName,CN=Users,DC=domain,DC=com
I can still use "require valid-user" here right? require valid-user OU=MyCity,DC=domain,DC=com ??
Yes. I use it for controlling access to network & systems monitoring apps (Nagios, Cacti, NMIS), so I restrict it to the IT dept.
Thanks for fielding my questions!! :) David McD
No problem. I hope this helps. Stay warm.
Lee.
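As an added example (not mod_authz_ldap's code, and not from either poster), here is an offline Python emulation of the sequence Lee's .htaccess makes the module perform: bind as the lookup account, search for the sAMAccountName under the user base with the configured scope, bind as the user that was found, apply the require line, and set REMOTE_USER. The directory entries, the passwords and the user under a hypothetical OU=OtherCity are constructed; the UPN-style bind DN and the SetAuthorization behaviour follow what Lee reports above. It also covers two checks the thread does not mention: the typed username is RFC 4515-escaped before it goes into the search filter, and an empty password is refused before the user bind, because an LDAP simple bind with an empty password is an unauthenticated (anonymous) bind that succeeds.

```python
import re

# Constructed sample directory (not real data): DN -> attributes.
# "_password" stands in for the check AD performs on a simple bind.
DIRECTORY = {
    "CN=ldap_lookup,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": ["ldap_lookup"],
        "userPrincipalName": ["ldap_lookup@domain.com"],
        "memberOf": [],
        "_password": "Ldap_Lookup_password",
    },
    "CN=fred,OU=MyCity,DC=domain,DC=com": {
        "sAMAccountName": ["fred"],
        "userPrincipalName": ["fred@domain.com"],
        "memberOf": ["CN=GroupName,CN=Users,DC=domain,DC=com"],
        "_password": "fred-pass",
    },
    "CN=jane,OU=OtherCity,DC=domain,DC=com": {   # hypothetical second OU
        "sAMAccountName": ["jane"],
        "userPrincipalName": ["jane@domain.com"],
        "memberOf": [],
        "_password": "jane-pass",
    },
}

# Mirrors the directives in the posted .htaccess.
CONFIG = {
    "bind_dn": "ldap_lookup@domain.com",      # UPN form, the one Lee got working
    "bind_password": "Ldap_Lookup_password",
    "user_key": "sAMAccountName",
    "user_base": "DC=domain,DC=com",
    "user_scope": "subtree",
    "set_authorization": "off",
    "require": ("group", "CN=GroupName,CN=Users,DC=domain,DC=com"),
}


def escape_filter_value(value):
    """RFC 4515 escaping: a typed-in username must not be able to change
    the shape of the search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_filter(key, raw_username):
    return "(%s=%s)" % (key, escape_filter_value(raw_username))


def _under_base(dn, base, scope):
    """base / onelevel / subtree, compared case-insensitively like LDAP does."""
    dn_l, base_l = dn.lower(), base.lower()
    if scope == "base":
        return dn_l == base_l
    if not dn_l.endswith("," + base_l):
        return False
    depth = dn_l[:-len(base_l) - 1].count(",") + 1
    return depth == 1 if scope == "onelevel" else True


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(base, scope, ldap_filter):
    """Evaluate one (attr=value) filter; a raw '*' is a wildcard, an
    escaped \\2a is a literal asterisk. Returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, pattern = m.group(1), m.group(2)
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return [dn for dn, attrs in DIRECTORY.items()
            if _under_base(dn, base, scope)
            and any(re.fullmatch(regex, v, re.IGNORECASE) for v in attrs.get(attr, []))]


def simple_bind(name, password):
    """Return the bound DN or None. Accepts a DN or, as AD does, a UPN.
    An empty password is refused up front: per RFC 4513 a simple bind with
    an empty password is an unauthenticated bind and would succeed."""
    if not password:
        return None
    for dn, attrs in DIRECTORY.items():
        names = [dn.lower()] + [u.lower() for u in attrs["userPrincipalName"]]
        if name.lower() in names:
            return dn if attrs["_password"] == password else None
    return None


def authenticate(cfg, username, password):
    """Service bind -> search -> user bind -> require -> REMOTE_USER."""
    if simple_bind(cfg["bind_dn"], cfg["bind_password"]) is None:
        return {"status": 500, "reason": "service bind failed"}
    hits = search(cfg["user_base"], cfg["user_scope"],
                  build_filter(cfg["user_key"], username))
    if len(hits) != 1:                       # unknown, outside base, or ambiguous
        return {"status": 401, "reason": "no unique user"}
    user_dn = hits[0]
    if simple_bind(user_dn, password) is None:
        return {"status": 401, "reason": "bad password"}
    kind, value = cfg["require"]
    groups = [g.lower() for g in DIRECTORY[user_dn]["memberOf"]]
    if kind == "group" and value.lower() not in groups:
        return {"status": 403, "reason": "not in required group"}
    # Per Lee's observation: SetAuthorization off -> sAMAccountName in
    # REMOTE_USER; on or absent -> the user's DN.
    remote_user = (DIRECTORY[user_dn][cfg["user_key"]][0]
                   if cfg["set_authorization"] == "off" else user_dn)
    return {"status": 200, "remote_user": remote_user}


if __name__ == "__main__":
    print(authenticate(CONFIG, "fred", "fred-pass"))
    print(authenticate(CONFIG, "jane", "jane-pass"))
```

Changing user_base to OU=MyCity,DC=domain,DC=com with require valid-user, as Lee suggests, still finds fred but makes jane unfindable, which is the cheap way to scope a valid-user rule to one OU. Two things the emulation makes visible that the .htaccess does not: a bare "*" typed as the username would match every account if it were not escaped, and the lookup account's password sits in cleartext in a file that anyone with read access to the directory can see, so in practice the Authz directives belong in httpd.conf with the file readable only by root and the Apache user.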
awesome Lee! Thank you! I've updated my notes here: http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt
take care, David McD
On Thu, 20 Jan 2005 20:55:25 -0800, Lee Garner lee@leegarner.com wrote: