authz_ldap? I need to have SSO with kerberos against a AD domain

[mujzeptu]

As the title suggests, I need help setting up the latest release of Apache to use single sign-on with kerberos for an AD domain. I need users in a AD domain to automatically authenticate in apache.

 

I am guessing this is done through authz_ldap, however i Have no idea how to get it working... any help you can provide is greatly appreciated!

[steviewdr]

The following will enable auth_ldap on apache2 in debian and ubuntu:

 

a2enmod auth_ldap

 

Then the following should work in a .htaccess file:

 

LDAP_Debug On

AuthName "Only LDAP domain1 or domain2"

AuthType Basic

AuthOnBind On

LDAP_Server "ldap server ip"

LDAP_Port 389

UID_Attr cn

Sub_DN "OU=Users,ou=staff"

AltSub_DN "OU=Users,ou=undergraduate"

Base_DN "DC=ul,DC=campus"

require user first1.lastname1 first2.lastname2 first3.lastname3

 

Obviously you will have to change the above to suit.

 

-steve

 

[mujzeptu]

Thank you for the reply!  I really appreciate it.

 

Sorry for being such a noob, however, I dont have an .htaccess file.  I am on RHEL5.  I tried creating one in my html home and where my httpd.conf file exists.  In the logs it appears to be doing something different..?

 

Also, I am trying to use this SSO/kerberos for the root website, if that changes anything.

 

Do I still need to configure authz_ldap in conf.d?  Or can I leave it alone?  Do I need to do anything in httpd.conf to make it work?

 

Thank you again!

 

[mujzeptu]

Ok, so the closest ive gotten thus far is to put this in my httpd.conf.

 

 

<Directory "/">

Options All FollowSymLinks +Includes

AllowOverride None

Order allow,deny

Allow from all

AuthBasicProvider ldap

AuthLDAPGroupAttributeIsDN off

AuthLDAPGroupAttribute uid

AuthLDAPURL ldap://ldap.mydomain.com/ou=People,o=mydomain.com?sAMAccountName?sub?(objectClass=*)"

#?uid

require valid-user

AuthName "My Server"

AuthType Basic

</Directory>

 

And... all I get is, "Internal Server Error" however I say the closest I get as this is whats in my error_log.

 

Wed Feb 06 16:12:56 2008] [warn] [client my.ip.address.] [8442] auth_ldap authenticate: user adam.nielson authentication failed; URI / [ldap_search_ext_s() for user failed][bad search filter]

 

Any ideas?  All I want is for apache to automatically authenticate against EITHER an openLDAP server or an AD domain (we have both) without the need for the user to put in their information.

 

I appreciate any help!

 

[steviewdr]

Apologies, I misread your original post and missed the "automatically authenticate" part. Im afraid I have never looked into that...yet.

 

Im afraid I cant be of more assistance. Its up to Google. The answer is out there!

 

-steve

[mujzeptu]

I will take normal authentication for right now just to get THAT working.... Can you answer my above posts about where to put the .htaccess file, etc?

 

 

Thank you!

 

[steviewdr]

Put the .htaccess file in the root of the folder where you want users to login to.

So if you had the following website:

 

www.website.com/membersonly/

 

you would put the .htaccess file in /var/www/membersonly/.htaccess

(^ change to appropriate directory). Make sure to have "Allow Override All" in your apache/httpd conf.

 

As for normal authentication, the code I outlined previously will suffice. Make sure auth_ldap is enabled and uncommented in your apache/httpd conf.

Also - make sure you are using ssl for the above manual method as the password would be transferred in plain text otherwise.

 

-steve

[mujzeptu]

Ok thank you.

 

Two things.

 

1) With the latest version of Apache (2.2.3) it appears auth_ldap is no longer used, and is now using authz_ldap.  If I try to use the old module it wont load.

 

2) How do I enable SSL?

 

[steviewdr]

Humm....well if its authz_ldap that apache2.2.3 is been used, then work away. It should work the same IMO.

 

Im not going into SSL. Deal with one problem first. Just remember that if your using auth_ldap over the internet on http, that the password could be potentially sniffed, so use a temporary password/account etc.

( ssl: http://wiki.kartbuilding.net/index.php/Apache_2_%26_SSL_-_PHP4_-_MySQL_4.1 )

 

-steve

[mujzeptu]

Its all local and behind a firewall so it should be fine.

 

the .htaccess didnt work, its telling me those commands are not valid... im guessing because of the new version of apache.

 

[steviewdr]

Google reveals:

#############################################

<Location /shibboleth-idp/SSO>

      AuthzLDAPEngine on

 

      AuthzLDAPServer ldap.inst.ac.uk

      AuthzLDAPBindDN "cn=CanonicalName,cn=Users"

      AuthzLDAPBindPassword "******"

      AuthzLDAPUserBase cn=Users

      AuthzLDAPUserKey cn

      AuthzLDAPUserScope base

    # next line needed so Authz_ldap doesn't change REMOTE_USER value

    AuthzLDAPSetAuthorization  off

 

    AuthType basic

    AuthName "Enter network username and password"

    require valid-user

</Location>

 

#############################################

https://gabriel.lse.ac.uk/twiki/bin/view/Projects/WebFormAuth

 

P.S.: when you do get the final code/config, it would be great if you could post it here.

 

-steve

[mujzeptu]

In my Apache 2.2.3 httpd.conf file?

 

I get this.

 

Invalid command 'AuthzLDAPEngine', perhaps misspelled or defined by a module not included in the server configuration

 

On RHEL5.

 

I cant believe this is being such a pain....  I really do appreciate your help!

 

[steviewdr]

Make sure the following line is uncommented in your httpd.conf:

 

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

 

-steve

[mujzeptu]

It is...

 

[steviewdr]

Google is your friend:

 

https://bugzilla.redhat.com/show_bug.cgi?id=164620

 

 

-steve

[mujzeptu]

Ok, so the directive is now obsolete.  My core issue is still single sign-on (SSO) with an AD domain.  In OTRS I can already authenticate against an AD domain, but it still prompts users for their credentials.  I was told I need to set up apache for SSO....

 

I appreciate the help steve... since you are the only one responding to this thread, if you have any insight into SSO with apache, please email me.

 

Thanks for all your help!

 

mujzeptu@gmail.com

 

[steviewdr]

Google is your friend:

 

http://www.google.ie/search?hl=en&q=sign-on+with+an+AD+domain+apache&meta=

 

Second hit from above:

http://sivel.net/archives/12

 

Looks like apache wont do this out of the box. You'll have to go towards CPAN at: http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm

 

Im going to finish my assistance here. I dont have a testbed so I cant take it further.

 

I'll finish on a last note: Google is your friend.

 

-steve