[TriLUG] Fwd: [Centos] in CentOS 3.4, mod_auth_ldap ?
David McDowell
turnpike420 at gmail.com
Fri Jan 21 09:20:36 EST 2005
OK folks... I was having some trouble with CentOS not containing
mod_auth_ldap as the FCx distros do. I use this to authenticate users
via Apache on linux against my Microsoft ADS for my web apps. At any
rate, CentOS does come with mod_authz_ldap which I had never been able
to configure correctly. Through the wonderful world of the linux
community, here are the results of my search in the thread below.
mod_authz_ldap *can* in fact be configured to work so there is no need
for mod_auth_ldap. mod_authz_ldap does not appear to be as
sophisticated as mod_auth_ldap but it seems to do the trick. Maybe
one of our LDAP gurus can comment on some of these things
*cough*Mark*cough* if he is familiar with ADS.
I'm going to update my note here:
http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt
See below for the thread that helped me get going with mod_authz_ldap.
---------- Forwarded message ----------
From: Lee Garner <lee at leegarner.com>
Date: Thu, 20 Jan 2005 20:55:25 -0800
Subject: Re: [Centos] in CentOS 3.4, mod_auth_ldap ?
To: CentOS discussion and information list <centos at caosity.org>
That's pretty much it. My comments are interspersed below:
David McDowell wrote:
>awesome, if we are open tomorrow (snow storm coming) I shall have to
>try this... I have a couple of embedded questions to help me
>understand it, see comments below! thanks...
>
>my comment/questions are _below_ the item they are related to:
>
>On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee at leegarner.com
><lee at leegarner.com> wrote:
>
>
>>I have mod_authz_ldap working ok. Here's a .htaccess file:
>>
>>AuthName "Authorized Access Only"
>>AuthType Basic
>>AuthzLDAPEngine on
>>AuthzLDAPServer "serverip:389"
>>AuthzLDAPBindDN ldap_lookup at domain.com
>>
>>
>Does AuthzLDAPBindDN need to be the full ADS username at domain.com?
>
>
That's the only way I could get it to work. I tried a few variations on
"cn=(name|userid),ou=department,dc=..." and it never worked. In any
case, it does need to be the full name. user at domain worked the easiest.
>>AuthzLDAPBindPassword Ldap_Lookup_password
>>AuthzLDAPUserKey sAMAccountName
>>
>>
>So this is where this goes... not blah blah...
>DC=com?sAMAccountName?sub?(objectClass=user)
>
>
Yep. I'm not sure if authz_ldap filters on objectClass; I haven't checked.
>>AuthzLDAPUserBase dc=domain,dc=com
>>
>>
>With this user base, this will go set it to look at the top of the ADS
>schema? For example, I have an OU = MyCity in case we ever expanded to
>another city I could have another OU for those users.
>
>
That's the domain ID, and it would include subordinate OUs (according to
the entry below). I'm sure that you could restrict it somewhat by
specifying ou=mycity,dc=...
>>AuthzLDAPUserScope subtree
>>
>>
>
>and this tells it to search all subordinate OU's in the tree?
>
>
Exactly.
>>AuthzLDAPSetAuthorization off
>>
>>
>What is AuthzLDAPSetAuthorization off for?
>
>
Ah, that's an issue that I found. It's supposed to default to "off",
but I found that with it on, or missing, the user's FQDN is passed to
Apache ("cn=fred,ou=finance,dc=company,dc=com"). Authentication still
works, but it messed up some of my programs which rely on REMOTE_USER.
With the setting off, Apache gets only the sAMAccountName ("fred").
>>require group CN=GroupName,CN=Users,DC=domain,DC=com
>>
>>
>I can still use "require valid-user" here right?
>require valid-user OU=MyCity,DC=domain,DC=com ??
>
>
Yes. I use it for controlling access to network & systems monitoring
apps (Nagios, Cacti, NMIS), so I restrict it to the IT dept.
>Thanks for fielding my questions!! :)
>David McD
>
>
No problem. I hope this helps. Stay warm.
Lee.
_______________________________________________
CentOS mailing list
CentOS at caosity.org
http://lists.caosity.org/mailman/listinfo/centos
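As an added example that is not part of the thread or of mod_authz_ldap itself: a small Python checker that reads an .htaccess fragment like the one above and flags the points Lee and David went over (AuthzLDAPSetAuthorization missing or on, the bind password living in a .htaccess file, a plain port-389 server string, and a bare "require valid-user"). The directive names come from the thread; the sample .htaccess, the rule set and the remediation wording are my own constructions.

```python
"""Audit a mod_authz_ldap .htaccess fragment for the pitfalls discussed in the thread."""
import shlex

# Constructed sample modelled on the .htaccess posted in the thread; all values are placeholders.
SAMPLE_HTACCESS = """
AuthName "Authorized Access Only"
AuthType Basic
AuthzLDAPEngine on
AuthzLDAPServer "serverip:389"
AuthzLDAPBindDN ldap_lookup@domain.com
AuthzLDAPBindPassword Ldap_Lookup_password
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserBase dc=domain,dc=com
AuthzLDAPUserScope subtree
require group CN=GroupName,CN=Users,DC=domain,DC=com
"""


def parse_directives(text):
    """Return {directive_lowercased: [args]}; Apache directive names are case-insensitive.
    Quoted arguments such as "serverip:389" are unquoted by shlex. Last occurrence wins."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        found[parts[0].lower()] = parts[1:]
    return found


def audit(text):
    """Return a list of finding strings for the given .htaccess text (empty list = clean)."""
    d = parse_directives(text)
    findings = []
    # Thread observation: with the directive on OR absent, REMOTE_USER carries the full DN,
    # which breaks applications that expect the bare sAMAccountName.
    if d.get("authzldapsetauthorization", ["on"])[0].lower() != "off":
        findings.append("AuthzLDAPSetAuthorization is not 'off': REMOTE_USER will be the full DN")
    # A bind password inside the document root is readable by anyone who can read that tree.
    if "authzldapbindpassword" in d:
        findings.append("bind password stored in .htaccess: move it to a root-only httpd.conf include")
    # Plain LDAP on 389 (no TLS) sends the bind password and every user's password in cleartext.
    if d.get("authzldapserver", [""])[0].endswith(":389"):
        findings.append("LDAP on port 389 without TLS: credentials cross the network in the clear")
    # 'require valid-user' admits every account in the directory, not just the intended group.
    if d.get("require", [])[:1] == ["valid-user"]:
        findings.append("'require valid-user' admits every AD account; prefer 'require group ...'")
    return findings
```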