08-02-2005, 09:58 AM | #1 | Senior Member
apache / ftp authenticating against Active Directory
Is there a module for Apache that could authenticate users against Active Directory? Like Squid's ntlm_auth. Maybe there's one that uses the exit code of a script (I think there's one like that for Squid too).
How about an FTP server? Is there one that could authenticate against Active Directory?
08-02-2005, 10:54 AM | #2 | Member
You can authenticate against Active Directory using either LDAP or Kerberos, and there are Apache auth modules for both of them. Don't know about FTP. LDAP is pretty easy to set up; Kerb is complicated and requires configuration on AD and with the MS Resource Kit tools, but with Kerberos you can do automatic logon when users' PCs are part of an AD domain. Here's the LDAP Apache 2 config:
Code:
<Location /ldap>
AuthLDAPAuthoritative on
AuthType Basic
AuthName "LDAP Test"
AuthLDAPBindDN cn=username,cn=Users,dc=yourdomain,dc=com
AuthLDAPBindPassword password
AuthLDAPURL "ldap://ldap.yourdomain.com:389/cn=Users,dc=yourdomain,dc=com?sAMAccountName?sub?(objectClass=*)"
require valid-user
</Location>
On my Debian Sarge system - mod-auth-ldap seems to be included with the Apache 2 package & libapache2-mod-auth-kerb is the Kerberos module.
Hope that helps,
Josh
08-03-2005, 01:55 PM | #3 | Senior Member (Original Poster)
OK.... I think I'm close to getting it.
I'm still trying... but I've made some advances.
Using an LDAP browser (JXplorer), I've been able to connect to the Active Directory and understand what mod_auth_ldap will do (sometimes).
As far as I understand, I have to give the LDAP auth module a DN with a CN to bind to the LDAP server?
Because the CN of my user (the one I'm using for testing) has a space (it's my name plus my last name).
Suppose I'm john hancock:
AuthLDAPBindDN CN=John Hancock,OU=Software,OU=IT,DC=domain1,DC=domain2
If I set it like that, apache complains because of the space.
Can I use the sAMAccountName instead of the CN?
08-03-2005, 01:57 PM | #4 | Senior Member (Original Poster)
Also: how can I log the LDAP activity?
08-03-2005, 01:58 PM | #5 | Senior Member (Original Poster)
And by the way.... I'm not in Users. Maybe that's the problem. Does it have to be someone from Users?
08-03-2005, 02:16 PM | #6 | Senior Member (Original Poster)
GOT IT!
The AuthLDAPBindDN is just my username... with the GROUP:
AuthLDAPBindDN GROUP\username
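The AuthLDAPURL, bind-DN and "I'm not in Users" questions in the posts above, worked through as an added example (my own code, not the thread's or the Apache project's): it splits the URL the way mod_auth_ldap reads it, builds the user-search filter the module sends to AD, quotes a bind DN that contains spaces for httpd.conf, and runs the search against a small constructed directory to show that a user outside the URL's base DN is never found. The default attribute/scope/filter and the filter composition follow the mod_auth_ldap documentation; the in-memory directory and the ldap.yourdomain.com host are placeholders, and only subtree scope is simulated.

```python
from urllib.parse import unquote, urlsplit

# RFC 4515 escaping for the username spliced into the search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url: str) -> dict:
    """Split 'ldap://host:port/basedn?attribute?scope?filter' (RFC 2255 layout).
    Missing parts get mod_auth_ldap's documented defaults: uid, sub, (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    fields = parts.query.split("?") if parts.query else []  # everything after the first '?'
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    return {"host": parts.hostname,
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "base_dn": unquote(parts.path.lstrip("/")),
            "attribute": attribute or "uid",
            "scope": scope or "sub",
            "filter": filt or "(objectClass=*)"}

def user_search_filter(cfg: dict, username: str) -> str:
    """Filter mod_auth_ldap issues: the URL filter ANDed with attribute=username."""
    return f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(username)}))"

def bind_dn_directive(dn: str) -> str:
    """httpd splits directive arguments on whitespace, so a DN with spaces
    (such as a CN of 'John Hancock') must be double-quoted in httpd.conf."""
    return f'AuthLDAPBindDN "{dn}"' if any(c.isspace() for c in dn) else f"AuthLDAPBindDN {dn}"

# Constructed directory, not real AD data: a user in an OU and a service account in Users
SAMPLE_DIRECTORY = {
    "CN=John Hancock,OU=Software,OU=IT,DC=yourdomain,DC=com": {"sAMAccountName": "jhancock"},
    "CN=Svc Web,CN=Users,DC=yourdomain,DC=com": {"sAMAccountName": "svcweb"},
}

def find_user_dn(cfg: dict, username: str, directory: dict = SAMPLE_DIRECTORY):
    """Simulate the subtree search: only entries at or under base_dn whose
    attribute equals the username qualify; exactly one hit yields the DN."""
    base = cfg["base_dn"].lower()
    hits = [dn for dn, attrs in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and attrs.get(cfg["attribute"]) == username]
    return hits[0] if len(hits) == 1 else None
```

With the cn=Users base from post #2, find_user_dn returns None for jhancock, who lives under OU=IT; widening the base to dc=yourdomain,dc=com finds him.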
01-04-2006, 04:00 PM | #7 | Member
Same Issue
I'm running into the same issue using mod_authz_ldap-0.26-2.
Here is my config in the .htaccess file:
AuthzLDAPMethod ldapmapped
AuthName "Test LDAP"
AuthType Basic
AuthzLDAPServer hostname.domain.net
AuthzLDAPBindDN "CN=testbindacct,OU=ADManagers,DC=ads,DC=domain,DC=net"
AuthzLDAPBindPassword "Password123"
AuthzLDAPUserBase "OU=ADManagers,DC=ads,DC=domain,DC=net"
# AuthzLDAPUserKey CN
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserScope subtree
require valid-user
This configuration gives me the authentication dialogue; however, I don't think that LDAP is even contacting the Active Directory server.
I have run Ethereal while doing multiple authentication requests, and I see my HTTP transactions, but there is NO outbound LDAP communication to my LDAP server.
I am using an ADManager (Active Directory manager) account to bind with, and am also testing authentication of ADManagers as well.
Does anyone have any ideas? Pointers? Is there a log file for mod_authz_ldap?
01-05-2006, 09:21 AM | #8 | Member
Some progress...
Code:
<Location /ldap>
AuthLDAPAuthoritative on
AuthType Basic
AuthName "LDAP Test"
AuthLDAPBindDN cn=username,cn=Users,dc=yourdomain,dc=com
AuthLDAPBindPassword password
AuthLDAPURL "ldap://ldap.yourdomain.com:389/cn=Users,dc=yourdomain,dc=com?sAMAccountName?sub?(objectClass=*)"
require valid-user
</Location>
By using slacky's above method (modified to my LDAP URL), I am now able to see traffic to our LDAP/Active Directory server. Authentication is still failing... I'm assuming it's not binding the username to the right property (i.e. sAMAccountName) or something comparable.
I'd still appreciate anyone else's pointers...
01-09-2006, 12:32 PM | #9 | Member
Well, I found a solution: using mod_auth_ldap rather than mod_authz_ldap.
I had authentication working with mod_auth_ldap in under a minute using the following .htaccess file:
Code:
SSLRequireSSL
AuthName "Admin Area (ADS Manager Credentials - No ADS Prefix/Suffix)"
AuthType Basic
AuthLDAPBindDN "CN=service_account,OU=ADManagers,DC=ads,DC=domain,DC=net"
AuthLDAPBindPassword "service_password"
AuthLDAPURL ldap://ldapserver.domain.net:389/OU=ADManagers,DC=ads,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)
require valid-user
Next up, secure LDAP.
Last edited by TotalDefiance; 01-09-2006 at 12:35 PM.