Linux - Security | This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 07-27-2007, 04:25 PM | Member | Registered: Aug 2004 | Location: Arizona | Distribution: Linux Mint | Posts: 81
Apache LDAP authentication
I don't know if this is the right forum to put this in, but if I'm wrong, please move this post! Okay, what I am trying to do is authenticate users through LDAP to access a page on Apache. My config works to a certain degree, but I need more "require" statements. Here's my httpd.conf:
```apache
<Directory /var/www/html/CCNA1>
    AuthName "Domain Authentication"
    AuthType Basic
    # Let other authorization modules decide if the LDAP checks do not match
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap
    # Service account used to bind and look up the authenticating user
    AuthLDAPBindDN "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu"
    AuthLDAPBindPassword fakepassword
    # Search base, login attribute, scope and filter
    AuthLDAPURL "ldap://172.31.1.200:389/ou=fakeou,DC=fakedc,DC=edu?sAMAccountName?sub?(objectClass=*)"
    require ldap-user fakeuser
    require ldap-group cn=LabTechs,ou=LabTechs,DC=fakedc,DC=edu
</Directory>
```
The problem I'm having is that if I use anything other than fakeuser, authentication fails, even if the user is part of the ldap-group LabTechs. This is because only one query is made: the require ldap-user statement. After this statement is denied, it doesn't check the ldap-group statement. Is there any way I could make this work, or have multiple require statements? I would prefer not to have to put the username and the group into another group, because it seems inconvenient by comparison.
I should note that this config DOES work for me, but it only authenticates fakeuser, not the LabTechs group.
Thanks!
#2 | 07-27-2007, 05:31 PM | LQ Guru | Registered: Jun 2004 | Location: Piraeus | Distribution: Slackware | Posts: 13,204
Since fakeuser is part of the group, you can remove the "require ldap-user" line and see if it works.
#3 | 07-27-2007, 07:31 PM | Member (Original Poster) | Registered: Aug 2004 | Location: Arizona | Distribution: Linux Mint | Posts: 81
Not quite
I guess I worded that a little weirdly, but what I was trying to say is that the reason I need both of those statements is that that user isn't part of that group, and I would rather not have to put fakeuser and Labtechs in the same group.
Thanks for the response though! Any more suggestions?
#4 | 07-28-2007, 09:46 AM | LQ Guru | Registered: Jun 2004 | Location: Piraeus | Distribution: Slackware | Posts: 13,204
Reading the mod_authnz_ldap documentation, I think that you should use something like:
```apache
AuthLDAPURL ldap://172.31.1.200:389/ou=fakeou,DC=fakedc,DC=edu?uid??(|(cn=LabTechs)(uid=fakeuser))
require valid-user
```
You can also try "require ldap-attribute" or "require ldap-filter" using the group DN and the fakeuser uid.
Regards
#5 | 07-28-2007, 04:44 PM | Member (Original Poster) | Registered: Aug 2004 | Location: Arizona | Distribution: Linux Mint | Posts: 81
Different path
Thanks bathory, your help is very much appreciated! I couldn't read that documentation well; I had looked at it before, but I think that might work.
However, I can't test that until Monday, and I'm wondering if I would be able to put the exact path to the OU Labtechs, since it's not in the same location as the LDAP URL? Either that, or I guess I need to change the LDAP URL to something higher up on the tree so I can search differently. There's supposed to be a way that I can search recursively, but I don't understand the objectClass things and the search filters. I also learned I need to include a third group, which I'll call Fake_Admins. Here's a better view of how the tree looks:
```text
fakedc.edu
-fakeou
--fakeuser
-Labtechs
--Labtechs(group)
-Users
--Fake_Admins(group)
```
So I should be able to specify the location of all three of these using those search filters? Is there any other documentation that might show me precisely how I could do this?
#6 | 07-28-2007, 06:31 PM | LQ Guru | Registered: Jun 2004 | Location: Piraeus | Distribution: Slackware | Posts: 13,204
You should start your search from the higher level (dc=fakedc,dc=edu) so you can find both the user (ou=fakeou,dc=fakedc,dc=edu) and the group (ou=Labtechs,dc=fakedc,dc=edu).
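Putting the thread's pieces together (the original question in #1, the ldap-group/ldap-filter suggestions in #4 and the search-base advice in #6), here is an added example configuration that is not something anyone posted in the thread. It starts the search at dc=fakedc,dc=edu so that the user under ou=fakeou and the groups under ou=Labtechs and ou=Users are all in scope, and grants access to fakeuser or to any member of either group. It is written in Apache 2.4 syntax; the `<RequireAny>` container, the `(objectClass=user)` filter, the `AuthLDAPGroupAttribute member` setting and the two group DNs are my assumptions for an Active Directory tree shaped like the one drawn in #5.

```apache
# Added example, not the thread's own config. Names and DNs are taken from
# the thread; everything marked "assumed" is my guess for an AD-backed tree.
<Directory /var/www/html/CCNA1>
    AuthName "Domain Authentication"
    AuthType Basic
    AuthBasicProvider ldap

    # Search from the top of the tree (post #6) so that users under ou=fakeou
    # and groups under ou=Labtechs and ou=Users are all within scope.
    # Login name is matched against sAMAccountName as in the original config;
    # (objectClass=user) is assumed to keep group objects out of the user search.
    AuthLDAPURL "ldap://172.31.1.200:389/dc=fakedc,dc=edu?sAMAccountName?sub?(objectClass=user)"

    # Service account used for the lookup bind. A plain-text password in
    # httpd.conf must be protected by the file's permissions; 2.4.5+ can also
    # read it from a program via "AuthLDAPBindPassword exec:/path/to/program".
    AuthLDAPBindDN "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu"
    AuthLDAPBindPassword fakepassword

    # Assumed for Active Directory: membership is stored in the group's
    # "member" attribute as full DNs, so ldap-group can be checked with a
    # single LDAP compare against the authenticated user's DN.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Any ONE of these rules grants access (logical OR). Group DNs are
    # assumed from the tree in post #5.
    <RequireAny>
        Require ldap-user fakeuser
        Require ldap-group cn=LabTechs,ou=Labtechs,dc=fakedc,dc=edu
        Require ldap-group cn=Fake_Admins,ou=Users,dc=fakedc,dc=edu
    </RequireAny>
</Directory>
```

On Apache 2.2, which is what the thread was written against, the same OR applies to consecutive bare `Require` lines inside the `<Directory>` block; the `<RequireAny>` container only exists in 2.4 and simply makes that grouping explicit. Two things a deployment should check beyond what the thread covers: the bind password and every user's Basic credentials cross the network in clear text unless the site is served over HTTPS and the LDAP URL uses `ldaps://` (or the STARTTLS mode on `AuthLDAPURL`), and the lookup account should be a least-privilege reader, not an administrator, since its password sits in the web server's config.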