Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
02-04-2008, 03:54 PM
|
#1
|
LQ Newbie
Registered: Feb 2008
Posts: 4
Rep:
|
Authz_ldap? I need to have SSO with Kerberos against an AD domain
As the title suggests, I need help setting up the latest release of Apache to use single sign-on with Kerberos for an AD domain. I need users in an AD domain to automatically authenticate in Apache.
I am guessing this is done through authz_ldap, however I have no idea how to get it working... any help you can provide is greatly appreciated!
|
|
|
02-04-2008, 05:06 PM
|
#3
|
LQ Newbie
Registered: Feb 2008
Posts: 4
Original Poster
Rep:
|
Yeah, unfortunately that's for the old mod_auth_kerb which now appears to have been replaced in the latest version of Apache. It appears authz_ldap (or something similar) is its replacement, and I cannot find any help with it.
|
|
|
02-04-2008, 05:48 PM
|
#4
|
Member
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379
Rep:
|
I can show you an example of using authnz_ldap here but I do not know about tying it into AD.
Sorry but maybe the working ldap example will help lead you down a path.
|
|
|
02-06-2008, 06:23 PM
|
#5
|
LQ Newbie
Registered: Feb 2008
Posts: 4
Original Poster
Rep:
|
I tried that site and no luck.
I just want to authenticate against EITHER an OpenLDAP or AD domain automatically so the user doesn't have to put in their info.
Here is an update I posted from another site....
OK, so the closest I've gotten thus far is to put this in my httpd.conf.
<Directory "/">
Options All FollowSymLinks +Includes
AllowOverride None
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute uid
AuthLDAPURL ldap://ldap.mydomain.com/ou=People,o=mydomain.com?sAMAccountName?sub?(objectClass=*)"
#?uid
require valid-user
AuthName "My Server"
AuthType Basic
</Directory>
And... all I get is "Internal Server Error"; however, I say the closest I get, as this is what's in my error_log.
Wed Feb 06 16:12:56 2008] [warn] [client my.ip.address.] [8442] auth_ldap authenticate: user adam.nielson authentication failed; URI / [ldap_search_ext_s() for user failed][Bad search filter]
Any ideas? All I want is for Apache to automatically authenticate against EITHER an OpenLDAP server or an AD domain (we have both) without the need for the user to put in their information.
I appreciate any help!
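One way to check an AuthLDAPURL value before restarting Apache, given the `Bad search filter` warning logged above: this sketch splits the value into the documented `ldap://host:port/basedn?attribute?scope?filter` fields and flags stray quote characters (the posted directive ends in a `"` with no opening quote), an unsupported scope, and unbalanced filter parentheses. It is an added example, not part of the original thread; the function names are hypothetical and the sample value is copied from the post.

```python
import re

# Documented AuthLDAPURL layout: ldap://host:port/basedn?attribute?scope?filter
URL_RE = re.compile(r"^(ldaps?)://([^/?]*)/([^?]*)(?:\?(.*))?$")

def parse_authldapurl(value):
    """Split an AuthLDAPURL value into fields, applying the documented defaults."""
    m = URL_RE.match(value)
    if m is None:
        raise ValueError("not an ldap:// or ldaps:// URL with a base DN")
    scheme, hosts, basedn, rest = m.groups()
    # At most three '?'-separated fields; anything after the second '?' is filter.
    attribute, scope, ldap_filter = ((rest or "").split("?", 2) + ["", ""])[:3]
    return {"scheme": scheme, "hosts": hosts, "basedn": basedn,
            "attribute": attribute or "uid",
            "scope": scope or "sub",
            "filter": ldap_filter or "(objectClass=*)"}

def check_authldapurl(value):
    """Return a list of problems found in one AuthLDAPURL value."""
    problems = []
    # Quotes wrapping the whole value are delimiters; any other quote is stray.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    if '"' in value:
        problems.append("stray double quote at offset %d" % value.index('"'))
    try:
        parts = parse_authldapurl(value)
    except ValueError as exc:
        return problems + [str(exc)]
    if parts["scope"] not in ("one", "sub"):
        problems.append("scope must be 'one' or 'sub', got %r" % parts["scope"])
    # Literal parentheses inside values must be escaped (\28, \29), so every
    # raw '(' or ')' in the filter is structural and has to pair up.
    depth = 0
    for ch in parts["filter"]:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses in filter %r" % parts["filter"])
    return problems

# Value exactly as posted in the thread, including the trailing quote.
POSTED = ('ldap://ldap.mydomain.com/ou=People,o=mydomain.com'
          '?sAMAccountName?sub?(objectClass=*)"')

if __name__ == "__main__":
    for issue in check_authldapurl(POSTED):
        print("AuthLDAPURL:", issue)
```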
|
|
|
02-06-2008, 07:58 PM
|
#6
|
Member
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379
Rep:
|
This
gives access to the entire computer for anyone who authenticates. You really don't want that.
You can't really pass who is logged into a computer by sending a GET to a web server without including it in the URL like "http://www.site.com?user=foo". That would make it really fun to make a website that checked for anyone logged in as Administrator or root and do some silly stuff to them.
|
|
|
02-07-2008, 11:53 AM
|
#7
|
LQ Newbie
Registered: Feb 2008
Posts: 4
Original Poster
Rep:
|
It's an internal webserver that has no external net access, every user logs in to an AD domain, and the only thing this stripped down server will do is host OTRS, the ticket support program... so they can submit a support ticket.
|
|
|
All times are GMT -5. The time now is 09:42 AM.