LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 02-04-2008, 03:54 PM   #1
mujzeptu
LQ Newbie
 
Registered: Feb 2008
Posts: 4

Rep: Reputation: 0
Authz_ldap? I need to have SSO with kerberos against a AD domain


As the title suggests, I need help setting up the latest release of Apache to use single sign-on with kerberos for an AD domain. I need users in a AD domain to automatically authenticate in apache.

I am guessing this is done through authz_ldap, however i Have no idea how to get it working... any help you can provide is greatly appreciated!
 
Old 02-04-2008, 04:36 PM   #2
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
I have never tried it before but I googled this:
http://support.microsoft.com/kb/555092
 
Old 02-04-2008, 05:06 PM   #3
mujzeptu
LQ Newbie
 
Registered: Feb 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Yeah, unfortunately thats for the old mod_auth_kerb which now appears to have been replaced in the latest version of apache. It appears authz_ldap (or something similar) is its replacement, and I cannot find any help with it.
 
Old 02-04-2008, 05:48 PM   #4
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
I can show you an example of using authnz_ldap here but I do not know about tying it into AD.
Sorry but maybe the working ldap example will help lead you down a path.
 
Old 02-06-2008, 06:23 PM   #5
mujzeptu
LQ Newbie
 
Registered: Feb 2008
Posts: 4

Original Poster
Rep: Reputation: 0
I tried that site and no luck.

I just want to authenticate against EITHER an openldap or AD domain automatically so the user doesnt have to put in their info.

Here is an update i posted from another site....

Ok, so the closest ive gotten thus far is to put this in my httpd.conf.


<Directory "/">
Options All FollowSymLinks +Includes
AllowOverride None
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute uid
AuthLDAPURL ldap://ldap.mydomain.com/ou=People,o=mydomain.com?sAMAccountName?sub?(objectClass=*)"
#?uid
require valid-user
AuthName "My Server"
AuthType Basic
</Directory>

And... all I get is, "Internal Server Error" however I say the closest I get as this is whats in my error_log.

Wed Feb 06 16:12:56 2008] [warn] [client my.ip.address.] [8442] auth_ldap authenticate: user adam.nielson authentication failed; URI / [ldap_search_ext_s() for user failed][Bad search filter]

Any ideas? All I want is for apache to automatically authenticate against EITHER an openLDAP server or an AD domain (we have both) without the need for the user to put in their information.

I appreciate any help!
 
Old 02-06-2008, 07:58 PM   #6
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
This
Code:
<Directory "/">
gives access to the entire computer for anyone who authenticates. You really don't want that.

You cant really pass who is logged into a computer by sending a GET to a web server without including it in the URL like "http://www.site.com?user=foo" That would make it really fun to make a website that checked for anyone logged in as Administrator or root and do some silly stuff to them.
 
Old 02-07-2008, 11:53 AM   #7
mujzeptu
LQ Newbie
 
Registered: Feb 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Its an internal webserver that has no external net access, every user logs in to an AD domain, and the only thing this stripped down server will do is host OTRS, the ticket support program... so they can submit a support ticket.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenLDAP for web application SSO integration mytto Linux - Networking 3 02-15-2006 12:23 PM
Samba/winbind and SSO question zerenia Linux - Networking 0 12-08-2005 08:16 PM
Kerberos NIS Domain/realm confusion PDock Linux - Networking 0 11-28-2005 08:13 AM
SBS2003 domain, Fedora C3 client, kerberos authentication issues Spida Linux - Networking 0 11-23-2005 11:07 PM
Enable SSO in Applications Aman25 Linux - Security 1 07-30-2004 10:43 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 09:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration