httpd-users mailing list archives

From "Stewart, Eric" <e...@lib.usf.edu>
Subject [users@httpd] Active Directory, Apache 2.2.2, and LDAP
Date Tue, 02 May 2006 19:38:12 GMT
	This would probably be more appropriately titled "Active
Directory is not LDAP".  I've been trying to get a good Apache 2.2.x to
AD authenticator going, and thought I had it all set with mod_auth_ldap.
And I do ... with some major caveats.  In the hopes that someone else
has a better solution, or to possibly provide some insight to those
running into strange issues with mod_authnz_ldap and AD, here's what
I've discovered so far:

	My environment:
RHEL 4
Apache 2.2.2, using mod_ldap, mod_authnz_ldap, and mod_ssl
mod_perl 2.0.2
PHP 5.1.2

	It turns out that the following setup will work - but that you
might get bitten by what I call an "AD Bug":

<Directory "/data1/webdocs/idriver">
    AllowOverride None
    # IP-based access; "satisfy any" below makes it an alternative to the LDAP login
    Order allow,deny
    Allow from #an IP#
    AuthType Basic
    AuthName ": Secure files"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthUserFile /dev/null
    # Subtree search under OU=Staff for a user object whose sAMAccountName is the login name
    AuthLDAPURL "ldap://yourdc.your.org/OU=Staff,DC=your,DC=org?sAMAccountName?sub?(&(objectclass=user))"
    # Read-only account for the search bind (AD does not permit anonymous searches by default)
    AuthLDAPBindDN "CN=LDAP Query,OU=Special Accounts,OU=Dept,OU=Staff,DC=your,DC=org"
    AuthLDAPBindPassword <readonly password>
    # Group DN is deliberately left unquoted (see the side note below)
    require ldap-group CN=Domain Users,CN=Users,DC=lib,DC=usf,DC=edu
    satisfy any
</Directory>

This will work as expected, providing:

The user attempting to authenticate does not have "Domain Users" set as
his/her "Default Group".  And if you change it, it usually takes about
15 minutes to kick in.

	Side note: Do not "quote escape" the "group" listed after
"ldap-group" in the "require" - it will break authentication.

	You might be thinking at this point "That's not right".  Well,
that's what I think, but it's what I've observed so far.  If you Google
for ldap and "active directory" you should come across a page somewhere
along the line which tells you how to export your AD to the equivalent
of an LDIF file (basically, a text representation of your AD/LDAP
directory).  If you search through that, you'll find (or at least I did)
the following:

- For a user's entry, for their list of groups, no entry for their default
  group (at least this was the case for the users I looked at).
- For a group's entry, you won't find any(?) user who has the group in
  question as their default group (again, this was the case for the users
  I looked at).

	Feel free to start a discussion, provide insight/commentary, or
ignore as usual.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
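The two LDIF observations above are the visible side of how Active Directory stores a user's primary ("default") group: it is recorded only as a RID in the user's primaryGroupID attribute, it does not appear in the user's memberOf, and the user does not appear in the group's member attribute. Since "require ldap-group" tests the group's member attribute, a user whose primary group is "Domain Users" is refused. The following is an added example, not code from the post or from the Apache project, that models that behaviour on constructed directory entries (the domain SID, the DNs, the users Alice and Bob, and the RID 1107 for a "Staff" group are all made up; RID 513 is the well-known RID of Domain Users). It shows the member-only check failing for the primary-group member, an AD-aware check that also compares primaryGroupID against the RID decoded from the group's binary objectSid, and the search filter that matches both kinds of member.

```python
"""Added example (not code from the original post or from the Apache project).

Models the Active Directory behaviour behind the 'Domain Users' failure:
AD records a user's primary group only as a RID in the user's primaryGroupID
attribute.  It is not listed in the user's memberOf, and the user is not listed
in the group's member attribute, which is what 'require ldap-group' tests.

All directory entries and the domain SID below are constructed sample data.
"""
import struct

# Constructed domain SID sub-authorities (S-1-5-21-...), not a real domain.
DOMAIN_SUBAUTHS = (21, 1234567890, 987654321, 1122334455)
RID_DOMAIN_USERS = 513   # well-known RID of "Domain Users", the default primary group
RID_STAFF = 1107         # made-up RID for a custom group


def encode_sid(authority, subauths):
    """Binary SID as stored in objectSid: revision(1) | subauth count(1) |
    identifier authority (6 bytes big-endian) | subauths (4 bytes each, little-endian)."""
    blob = struct.pack("<BB", 1, len(subauths)) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subauths)


def decode_sid(blob):
    """Textual S-1-5-21-... form of a binary SID."""
    revision, count = struct.unpack("<BB", blob[:2])
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_of(blob):
    """The RID is the last sub-authority; a user's primaryGroupID holds exactly this number."""
    count = blob[1]
    return struct.unpack("<I", blob[8 + 4 * (count - 1):8 + 4 * count])[0]


DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=your,DC=org"
STAFF_DN = "CN=Staff,OU=Groups,DC=your,DC=org"
ALICE_DN = "CN=Alice,OU=Staff,DC=your,DC=org"
BOB_DN = "CN=Bob,OU=Staff,DC=your,DC=org"

# Constructed search results (attribute -> list of values), as an LDAP client sees them.
DIRECTORY = {
    DOMAIN_USERS_DN: {
        "objectSid": [encode_sid(5, DOMAIN_SUBAUTHS + (RID_DOMAIN_USERS,))],
        "member": [BOB_DN],            # Alice is absent: Domain Users is her primary group
    },
    STAFF_DN: {
        "objectSid": [encode_sid(5, DOMAIN_SUBAUTHS + (RID_STAFF,))],
        "member": [ALICE_DN],          # Bob is absent: Staff is his primary group
    },
    ALICE_DN: {"primaryGroupID": [str(RID_DOMAIN_USERS)], "memberOf": [STAFF_DN]},
    BOB_DN: {"primaryGroupID": [str(RID_STAFF)], "memberOf": [DOMAIN_USERS_DN]},
}


def require_ldap_group(directory, group_dn, user_dn):
    """What 'require ldap-group' (2.2, no nesting) effectively asks the server:
    is user_dn one of the values of the group's member attribute?"""
    return user_dn in directory[group_dn].get("member", [])


def require_ad_group(directory, group_dn, user_dn):
    """AD-aware membership: an explicit member entry, or the user's primaryGroupID
    equal to the RID of the group's objectSid."""
    if require_ldap_group(directory, group_dn, user_dn):
        return True
    user_rid = int(directory[user_dn]["primaryGroupID"][0])
    return user_rid == rid_of(directory[group_dn]["objectSid"][0])


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def ad_group_filter(directory, group_dn):
    """Search filter matching both explicit and primary-group members of group_dn."""
    rid = rid_of(directory[group_dn]["objectSid"][0])
    return "(|(memberOf=%s)(primaryGroupID=%d))" % (escape_filter_value(group_dn), rid)


if __name__ == "__main__":
    for dn in (ALICE_DN, BOB_DN):
        print(dn, "ldap-group:", require_ldap_group(DIRECTORY, DOMAIN_USERS_DN, dn),
              "AD-aware:", require_ad_group(DIRECTORY, DOMAIN_USERS_DN, dn))
    print(decode_sid(DIRECTORY[DOMAIN_USERS_DN]["objectSid"][0]))
    print(ad_group_filter(DIRECTORY, DOMAIN_USERS_DN))
```

Against a real domain the group's objectSid is read with a normal search (for example `ldapsearch -x -H ldap://yourdc.your.org -D "<bind DN>" -W -b "CN=Domain Users,CN=Users,DC=your,DC=org" objectSid`) and decoded as above. The filter that `ad_group_filter` returns can be placed in the filter part of the AuthLDAPURL, where mod_authnz_ldap ANDs it with the sAMAccountName lookup, together with `require valid-user` instead of `require ldap-group`; that applies the primary-group rule at authentication time rather than relying on the member attribute. Whether that is the cleanest route for 2.2.2 is an assumption on my part, not something the post tested. The delay of roughly 15 minutes the post reports after changing a user's primary group is at least partly explained by mod_ldap caching: group compare results are cached for LDAPOpCacheTTL seconds (default 600), so Apache keeps answering from the cache until the entry expires, on top of any AD replication delay.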

