LinuxQuestions.org > Forums > Linux - Security
#1  Amuro-Ray2020, 07-27-2007, 04:25 PM
Apache LDAP authentication


I don't know if this is the right forum to put this in, but if I'm wrong, please move this post! Okay, what I am trying to do is authenticate users through ldap to access a page on apache. My config works to a certain degree, but I need more "require" statements. Here's my httpd.conf:

Code:
<Directory /var/www/html/CCNA1>
        AuthName "Domain Authentication"
        AuthType Basic
        # Let another authz module decide when the LDAP checks fail
        AuthzLDAPAuthoritative off
        AuthBasicProvider ldap
        # Service account used for the initial user search (password is stored in cleartext)
        AuthLDAPBindDN "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu"
        AuthLDAPBindPassword fakepassword
        # host/base?attribute?scope?filter: sub-tree search below ou=fakeou,
        # matching the login name against sAMAccountName
        AuthLDAPURL "ldap://172.31.1.200:389/ou=fakeou,DC=fakedc,DC=edu?sAMAccountName?sub?(objectClass=*)"
        require ldap-user fakeuser
        require ldap-group cn=LabTechs,ou=LabTechs,DC=fakedc,DC=edu
</Directory>
The problem I'm having is that if I use anything other than fakeuser, then authentication fails, even if the user is part of the ldap-group LabTechs. This is because only one query is made: the require ldap-user statement. After this statement is denied, it doesn't check the ldap-group statement. Is there any way I could make this work, or have multiple require statements? I would prefer not to have to put the username and the group into another group, because it seems inconvenient by comparison.

I should note that this config DOES work for me, but it only authenticates the fakeuser, not the LabTechs group.

Thanks!
 
#2  bathory, 07-27-2007, 05:31 PM
Since fakeuser is part of the group, you can remove the "require ldap-user" line and see if it works.
 
#3  Amuro-Ray2020 (Original Poster), 07-27-2007, 07:31 PM
Not quite

I guess I worded that a little strangely, but what I was trying to say is that the reason I need both those statements is that the user isn't part of that group, and I would prefer not to have to put fakeuser and Labtechs in the same group.

Thanks for the response though! Any more suggestions?
 
#4  bathory, 07-28-2007, 09:46 AM
Reading the mod_authnz_ldap documentation I think that you should use something like:
Code:
AuthLDAPURL ldap://172.31.1.200:389/ou=fakeou,DC=fakedc,DC=edu?uid??(|(cn=LabTechs)(uid=fakeuser))
require valid-user
You can also try the "require ldap-attribute" or "require ldap-filter" using the group dn and the fakeuser uid.

Regards
 
#5  Amuro-Ray2020 (Original Poster), 07-28-2007, 04:44 PM
Different path

Thanks bathory, your help is very much appreciated! I couldn't read that documentation well (I had looked at it before), but I think that might work.

However, I can't test that until Monday, and I'm wondering if I would be able to put the exact path to the OU Labtechs since it's not in the same location as the LDAP URL? Either that or I guess I need to change the LDAP URL to something higher up on the tree so I can search differently. There's supposed to be a way that I can search recursively, but I don't understand the objectclass things and the search filters. I also learned I need to include a third group, which I'll call Fake_Admins. Here's a better view of how the tree looks
fakedc.edu
-fakeou
--fakeuser
-Labtechs
--Labtechs(group)
-Users
--Fake_Admins(group)

So I should be able to specify the location of all three of these using those search filters? Is there any other documentation that might show me precisely how I could do this?
 
#6  bathory, 07-28-2007, 06:31 PM
You should start your search from the higher level (dc=fakedc,dc=edu) so you can find both the user (ou=fakeou,dc=fakedc,dc=edu) and the group (ou=Labtechs,dc=fakedc,dc=edu).
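The thread stops before anyone posts a complete configuration, so here is one as an added example; it is editorial material for this page, not configuration written by either participant. It follows bathory's advice from #6 (search from dc=fakedc,dc=edu with scope sub) and the tree sketched in #5: the user under ou=fakeou, the LabTechs group under ou=Labtechs, and the Fake_Admins group under the Users branch, which is assumed here to be Active Directory's default CN=Users container (change it to ou=Users if it is an OU in your tree). The hostname ldap.fakedc.edu, the ldaps port, the CA file path and the use of mod_version are assumptions; the bind account, directory path and group names are the thread's own. Two points the thread does not state: both Apache 2.2 and 2.4 treat several top-level Require lines in one section as alternatives (2.4 wraps them in an implicit <RequireAny>), so a correct ldap-group line lets group members in alongside the ldap-user line, and when it does not, the usual cause is the group DN or the member attribute rather than the order of the Require lines; and because mod_authnz_ldap forwards each visitor's password to the directory when it binds as that user, the Apache-to-LDAP leg should be TLS (ldaps:// here) just as the browser-to-Apache leg should be HTTPS, since Basic authentication only base64-encodes the password.

```apache
# Added example for this page, not configuration from the thread.
# Assumed: an Active Directory server reachable as ldap.fakedc.edu
# (172.31.1.200 in the thread), users identified by sAMAccountName,
# groups listing their members by DN in the "member" attribute.

# Server-level (mod_ldap): trust the directory's CA so ldaps:// is verified.
# The path is an assumption.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/fakedc-ca.pem
LDAPVerifyServerCert On

# --- Apache 2.2 (mod_authnz_ldap + mod_ldap); needs mod_version for <IfVersion> ---
<IfVersion < 2.4>
<Directory /var/www/html/CCNA1>
    AuthName "Domain Authentication"
    AuthType Basic
    AuthBasicProvider ldap

    # Search from the top of the tree so one URL covers ou=fakeou,
    # ou=Labtechs and cn=Users; scope "sub" is what makes it recursive.
    # The filter limits hits to person accounts (computers also carry
    # objectClass=user). mod_authnz_ldap ANDs this filter with
    # (sAMAccountName=<login>) itself and escapes the login, so the visitor
    # cannot inject filter syntax through the username field.
    AuthLDAPURL "ldaps://ldap.fakedc.edu:636/dc=fakedc,dc=edu?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user))"

    # Read-only service account for the search. The password sits in cleartext,
    # so keep this file (or an Included fragment holding it) unreadable to
    # anyone but root and the httpd user.
    AuthLDAPBindDN "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu"
    AuthLDAPBindPassword fakepassword

    # AD stores membership as member DNs. These are the module defaults,
    # written out so a failing ldap-group is easy to reason about.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Several Require lines in 2.2 are alternatives: a login that satisfies
    # any one of them is authorized.
    Require ldap-user fakeuser
    Require ldap-group cn=LabTechs,ou=Labtechs,dc=fakedc,dc=edu
    Require ldap-group cn=Fake_Admins,cn=Users,dc=fakedc,dc=edu

    # Do not let a later authz module grant access when LDAP said no.
    AuthzLDAPAuthoritative on
</Directory>
</IfVersion>

# --- Apache 2.4: same intent, explicit authorization container ---
<IfVersion >= 2.4>
<Directory /var/www/html/CCNA1>
    AuthName "Domain Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.fakedc.edu:636/dc=fakedc,dc=edu?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user))"
    AuthLDAPBindDN "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu"
    AuthLDAPBindPassword fakepassword
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # AuthzLDAPAuthoritative no longer exists in 2.4. <RequireAny> is the
    # explicit form of the OR that bare Require lines also receive.
    <RequireAny>
        Require ldap-user fakeuser
        Require ldap-group cn=LabTechs,ou=Labtechs,dc=fakedc,dc=edu
        Require ldap-group cn=Fake_Admins,cn=Users,dc=fakedc,dc=edu
    </RequireAny>
</Directory>
</IfVersion>

# Check the DNs with the bind account before reloading Apache (OpenLDAP
# client tools assumed; replace "someone" with a real login):
#   ldapsearch -H ldaps://ldap.fakedc.edu -D "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu" -W \
#       -b "dc=fakedc,dc=edu" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=someone))" dn
#   ldapsearch -H ldaps://ldap.fakedc.edu -D "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu" -W \
#       -b "cn=LabTechs,ou=Labtechs,dc=fakedc,dc=edu" -s base member
# The DN returned by the first search must appear in the member list returned
# by the second, or "Require ldap-group" will never pass for that user.
```

If a group check still fails after the two ldapsearch calls agree, turn up LogLevel for the vhost and read the mod_authnz_ldap lines in the error log; they print the filter actually sent and the DN that was compared against the group.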