LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 09-12-2019, 03:59 AM   #1
bifferos
Member
 
Registered: Jul 2009
Posts: 188

Rep: Reputation: 65
AD authentication


I would like to create a very simple website (on Slackware) which authenticates AD domain users connecting from Windows machines. I'm a bit confused about whether this needs PAM, has anyone done this without it?

thanks!
 
Old 09-12-2019, 05:22 AM   #2
Markus Wiesner
Member
 
Registered: Mar 2016
Distribution: Slackware
Posts: 46

Rep: Reputation: 82
Quote:
Originally Posted by bifferos
I would like to create a very simple website (on Slackware) which authenticates AD domain users connecting from Windows machines. I'm a bit confused about whether this needs PAM, has anyone done this without it?
I am using this configuration with Apache:

Code:
AuthType Basic
AuthName "AD login"
AuthBasicProvider ldap
AuthBasicFake %{REMOTE_USER} ***HIDDEN***
AuthLDAPURL "ldaps://ADSERVER.MY.DOMAIN/dc=MY,dc=DOMAIN?sAMAccountName?sub?(&(|(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
AuthLDAPBindDN ldapagent@MY.DOMAIN
AuthLDAPBindPassword PASSWORD_OF_LDAPAGENT_USER
Require valid-user
Adjust the highlighted placeholder parts (server name, base DN, bind DN and bind password) for your environment, the rest should be copy & paste.

AuthName is a custom text shown in the browser login prompt.

AuthBasicFake is optional. It hides the password (replaces it with the text "***HIDDEN***" in this case, feel free to change it) for PHP/CGI scripts, so they only see the (authenticated) username.

In AuthLDAPURL the "sAMAccountName" is the AD field containing the username. The part behind "?" is a filter to search only users (objectclass) and to exclude disabled accounts (userAccountControl).

AuthLDAPBindDN and AuthLDAPBindPassword are only required if anonymous AD access (to search for valid users) is not allowed. Use an existing account or create a special user (I named it "ldapagent") in the AD for this that is allowed to search the AD.

Put those lines in a separate configuration file, chmod 600 (to protect the plaintext AuthLDAPBindPassword!) and Include it where required.
 
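An added example, not from the thread and not Apache's own code: a small Python checker for the AuthLDAPURL shape Markus posted. It splits the URL into its RFC 4516 parts, flags a cleartext ldap:// URL (the port 389 versus 636 distinction that comes up later in the thread), and evaluates the disabled-account filter against constructed AD entries; the host, domain, entries and the helper names are placeholders.

```python
from urllib.parse import urlsplit, unquote

# Constructed AuthLDAPURL in the shape used in the thread (placeholder host and domain).
SAMPLE_URL = ("ldaps://ADSERVER.MY.DOMAIN/dc=MY,dc=DOMAIN?sAMAccountName?sub?"
              "(&(|(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, the OID in the filter
ACCOUNTDISABLE = 0x2                     # userAccountControl bit the filter tests

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (RFC 4516 form) into its parts; defaults as in mod_authnz_ldap."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps")
    fields = (parts.query.split("?") + ["", "", ""])[:3]  # attribute?scope?filter
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": unquote(fields[2]) or "(objectclass=*)",
    }

def lint_auth_ldap_url(url):
    """Return the findings a reviewer would raise about the URL; [] means none."""
    u = parse_auth_ldap_url(url)
    findings = []
    if u["scheme"] == "ldap":  # plain LDAP, port 389 by default: no transport encryption
        findings.append("ldap:// on port %d sends the bind password and every user's "
                        "password in cleartext; use ldaps:// (636)" % u["port"])
    if BIT_AND_RULE + ":=2" not in u["filter"].replace(" ", ""):
        findings.append("filter does not exclude disabled accounts (userAccountControl bit 2)")
    return findings

def matches_page_filter(entry):
    """Evaluate the thread's filter on one AD entry: objectClass contains 'user'
    and the ACCOUNTDISABLE bit of userAccountControl is clear."""
    classes = [c.lower() for c in entry.get("objectClass", [])]
    return "user" in classes and not (int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)

# Constructed entries: enabled user (512), disabled user (514), and a computer object,
# whose objectClass in AD also contains 'user', so this filter admits it too.
SAMPLE_ENTRIES = {
    "alice": {"objectClass": ["top", "person", "user"], "userAccountControl": 512},
    "bob":   {"objectClass": ["top", "person", "user"], "userAccountControl": 514},
    "ws01$": {"objectClass": ["top", "person", "user", "computer"], "userAccountControl": 4096},
}
```

The checker never contacts the server; it only inspects the URL text, so it can be run on the real AuthLDAPURL before the site is enabled.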
Old 09-12-2019, 07:55 AM   #3
bifferos
Member
 
Registered: Jul 2009
Posts: 188

Original Poster
Rep: Reputation: 65
Thanks Markus,

I get this error:

Quote:
[LDAP: ldap_simple_bind() failed][Can't contact LDAP server]
I've checked, and my LDAP server is accessible and has port 389 open (and reachable). Any ideas?
 
Old 09-12-2019, 08:21 AM   #4
Markus Wiesner
Member
 
Registered: Mar 2016
Distribution: Slackware
Posts: 46

Rep: Reputation: 82
Quote:
Originally Posted by bifferos
I've checked, and my LDAP server is accessible and has port 389 open (and reachable). Any ideas?
Change the AuthLDAPURL from ldaps:// (that's LDAP over TLS on port 636) to ldap:// (without "s").
 
Old 09-12-2019, 09:51 AM   #5
bifferos
Member
 
Registered: Jul 2009
Posts: 188

Original Poster
Rep: Reputation: 65
I don't think that was the problem, because port 636 was open as well.

However, when I enabled https it started to work properly. Guess I must have changed something else at the same time :-/.
Am I right in thinking I require Kerberos to get rid of the login prompt altogether, AKA SSO (Single Sign-On)?

Many thanks for your help.
 
Old 09-12-2019, 11:43 AM   #6
Markus Wiesner
Member
 
Registered: Mar 2016
Distribution: Slackware
Posts: 46

Rep: Reputation: 82
Quote:
Originally Posted by bifferos
I don't think that was the problem, because port 636 was open as well.
Maybe the TLS certificate validation failed? Is it self-signed, from an internal CA, or does it not contain the hostname from AuthLDAPURL? The first two should be solved by copying it to /usr/local/share/ca-certificates/ followed by update-ca-certificates.

Quote:
Originally Posted by bifferos
Am I right in thinking I require Kerberos to get rid of the login prompt altogether, AKA SSO (Single Sign-On)?
Unfortunately I can't help you with that, I haven't tried it yet.
 
Old 09-13-2019, 03:19 AM   #7
bifferos
Member
 
Registered: Jul 2009
Posts: 188

Original Poster
Rep: Reputation: 65
Quote:
Originally Posted by Markus Wiesner
Maybe the TLS certificate validation failed? Is it self-signed, from an internal CA, or does it not contain the hostname from AuthLDAPURL? The first two should be solved by copying it to /usr/local/share/ca-certificates/ followed by update-ca-certificates.
If LDAP is using TLS I'm surprised adding an HTTPS virtual host to Apache solved anything. The HTTPS cert was self-signed, and nothing to do with the actual AD domain. I think I just screwed up some setting and later fixed it.

Quote:
Originally Posted by Markus Wiesner
Unfortunately I can't help you with that, I haven't tried it yet.
It seems a somewhat specialist subject. This will do me for now, and at least I didn't have to recompile bits of Slackware to achieve it.
 
Old 09-13-2019, 04:14 AM   #8
Markus Wiesner
Member
 
Registered: Mar 2016
Distribution: Slackware
Posts: 46

Rep: Reputation: 82
Quote:
Originally Posted by bifferos
If LDAP is using TLS I'm surprised adding an HTTPS virtual host to Apache solved anything. The HTTPS cert was self-signed, and nothing to do with the actual AD domain. I think I just screwed up some setting and later fixed it.
I meant the certificate of the LDAP/AD server which is probably checked by Apache (in its role as client for the AD connection).
 
Old 09-13-2019, 05:45 AM   #9
Qury
Member
 
Registered: Feb 2004
Location: Dublin
Distribution: Slackware
Posts: 171

Rep: Reputation: 159
Quote:
Originally Posted by bifferos
I would like to create a very simple website (on Slackware) which authenticates AD domain users connecting from Windows machines. I'm a bit confused about whether this needs PAM, has anyone done this without it?
thanks!
Do you just need to control access to the vhost on apache or does your website need user details from AD (group, name, email, etc...)?
I use SimpleSAMLphp with my application to authenticate against AD and provide single sign-on.
 
Old 09-13-2019, 06:29 AM   #10
bifferos
Member
 
Registered: Jul 2009
Posts: 188

Original Poster
Rep: Reputation: 65
Quote:
Originally Posted by Markus Wiesner
I meant the certificate of the LDAP/AD server which is probably checked by Apache (in its role as client for the AD connection).
Yes, I understood.
 
Old 09-13-2019, 07:19 AM   #11
bifferos
Member
 
Registered: Jul 2009
Posts: 188

Original Poster
Rep: Reputation: 65
Quote:
Originally Posted by Qury
Do you just need to control access to the vhost on apache or does your website need user details from AD (group, name, email, etc...)?
I use SimpleSAMLphp with my application to authenticate against AD and provide single sign-on.
Only need access control. That looks interesting though.
 