[Centos] in CentOS 3.4, mod_auth_ldap ?

David McDowell turnpike420 at gmail.com
Fri Jan 21 14:50:46 UTC 2005


awesome Lee!  Thank you!  I've updated my notes here:
http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt

take care,
David McD


On Thu, 20 Jan 2005 20:55:25 -0800, Lee Garner <lee at leegarner.com> wrote:
> That's pretty much it.  My comments are interspersed below:
> 
> David McDowell wrote:
> 
> >awesome, if we are open tomorrow (snow storm coming) I shall have to
> >try this... I have a couple of embedded questions to help me
> >understand it, see comments below!  thanks...
> >
> >my comment/questions are _below_ the item they are related to:
> >
> >On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee at leegarner.com
> ><lee at leegarner.com> wrote:
> >
> >
> >>I have mod_authz_ldap working ok.  Here's a .htaccess file:
> >>
> >>AuthName        "Authorized Access Only"
> >>AuthType        Basic
> >>AuthzLDAPEngine on
> >>AuthzLDAPServer "serverip:389"
> >>AuthzLDAPBindDN ldap_lookup at domain.com
> >>
> >>
> >Does AuthzLDAPBindDN need to be the full ADS username at domain.com?
> >
> >
> That's the only way I could get it to work.  I tried a few variations on
> "cn=(name|userid),ou=department,dc=..." and it never worked.  In any
> case, it does need to be the full name.  user at domain worked the easiest.
> 
> >>AuthzLDAPBindPassword Ldap_Lookup_password
> >>AuthzLDAPUserKey sAMAccountName
> >>
> >>
> >So this is where this goes... not blah blah...
> >DC=com?sAMAccountName?sub?(objectClass=user)
> >
> >
> Yep.  I'm not sure if authz_ldap filters on objectClass; I haven't checked.
> 
> >>AuthzLDAPUserBase dc=domain,dc=com
> >>
> >>
> >With this user base, this will go set it to look at the top of the ADS
> >schema? For example, I have an OU = MyCity in case we ever expanded to
> >another city I could have another OU for those users.
> >
> >
> That's the domain ID, and it would include subordinate OUs (according to
> the entry below).  I'm sure that you could restrict it somewhat by
> specifying ou=mycity,dc=...
> 
> >>AuthzLDAPUserScope subtree
> >>
> >>
> >
> >and this tells it to search all subordinate OUs in the tree?
> >
> >
> Exactly.
> 
> >>AuthzLDAPSetAuthorization off
> >>
> >>
> >What is AuthzLDAPSetAuthorization off for?
> >
> >
> Ah, that's an issue that I found.  It's supposed to default to "off",
> but I found that with it on, or missing, the user's FQDN is passed to
> Apache ("cn=fred,ou=finance,dc=company,dc=com").  Authentication still
> works, but it messed up some of my programs which rely on REMOTE_USER.
> With the setting off, Apache gets only the sAMAccountName ("fred").
> 
> >>require group CN=GroupName,CN=Users,DC=domain,DC=com
> >>
> >>
> >I can still use "require valid-user" here right?
> >require valid-user OU=MyCity,DC=domain,DC=com   ??
> >
> >
> Yes.  I use it for controlling access to network & systems monitoring
> apps (Nagios, Cacti, NMIS), so I restrict it to the IT dept.
> 
> >Thanks for fielding my questions!!  :)
> >David McD
> >
> >
> No problem.  I hope this helps.  Stay warm.
> 
> Lee.
> 
> _______________________________________________
> CentOS mailing list
> CentOS at caosity.org
> http://lists.caosity.org/mailman/listinfo/centos
>
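Lee's note above about AuthzLDAPSetAuthorization is the one practical trap in the thread: depending on that setting, Apache hands the application either the user's full DN ("cn=fred,ou=finance,dc=company,dc=com") or just the sAMAccountName ("fred") in REMOTE_USER, and programs that key access decisions on REMOTE_USER break when the form changes. The following is an added example, not code from the thread, from mod_authz_ldap or from Apache: a small helper an application can put in front of its own access lists so it accepts either form, fails closed on anything else, and compares names case-insensitively the way AD treats sAMAccountName. The RDN attribute names it accepts and the sample DNs are assumptions made for the example.

```python
"""Normalise the REMOTE_USER value Apache passes to a web application.

Added example (not from the CentOS thread or from mod_authz_ldap): with
AuthzLDAPSetAuthorization on or absent, REMOTE_USER carries the user's full DN;
with it off, only the sAMAccountName.  An application that authorises on
REMOTE_USER should tolerate both forms and reject anything that is neither.
"""
from __future__ import annotations

import re

# RDN attribute types accepted as naming the login.  This list is an
# assumption for the example, not something the thread specifies.
_LOGIN_RDN_TYPES = ("cn", "samaccountname", "uid")

# sAMAccountName may be at most 20 characters and may not contain
#   " / \ [ ] : ; | = , + * ? < >
# Every character that would make the value look like a DN is in that set,
# so a match here means "plain login name", not "DN".
_PLAIN_LOGIN = re.compile(r'^[^"/\\\[\]:;|=,+*?<>]{1,20}$')


def _split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def login_from_remote_user(remote_user: str) -> str:
    """Return the bare login name from REMOTE_USER, whether it is a DN or a name.

    Raises ValueError when the value is neither a plain login nor a DN whose
    leftmost RDN names a login, so callers fail closed instead of matching a
    malformed identity against their access lists.
    """
    value = remote_user.strip()
    if not value:
        raise ValueError("empty REMOTE_USER")
    if _PLAIN_LOGIN.match(value):
        return value                            # already the sAMAccountName form
    attr, login = _split_dn(value)[0]           # leftmost RDN identifies the user
    if attr not in _LOGIN_RDN_TYPES or not _PLAIN_LOGIN.match(login):
        raise ValueError(f"REMOTE_USER {remote_user!r} does not identify a login")
    return login


def is_authorized(remote_user: str, allowed_logins: set[str]) -> bool:
    """Access-list check that survives either REMOTE_USER form.

    sAMAccountName comparisons in AD are case-insensitive, so both sides are
    lower-cased before comparing.
    """
    try:
        login = login_from_remote_user(remote_user).lower()
    except ValueError:
        return False                            # fail closed on unusable input
    return login in {a.lower() for a in allowed_logins}


if __name__ == "__main__":
    # Constructed sample values mirroring the two forms described in the thread.
    it_dept = {"fred", "wilma"}
    for ru in ("fred", "cn=fred,ou=finance,dc=company,dc=com",
               "CN=Wilma,OU=IT,DC=company,DC=com", "ou=finance,dc=company,dc=com", ""):
        print(f"{ru!r:45} -> authorized={is_authorized(ru, it_dept)}")
```

The helper deliberately does not try to resolve the DN back through LDAP; it only recovers the login name the application would have received with AuthzLDAPSetAuthorization off, so the same access list works regardless of how the module was configured on a given host.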