
authz_ldap? I need to have SSO with kerberos against an AD domain


mujzeptu


As the title suggests, I need help setting up the latest release of Apache to use single sign-on with kerberos for an AD domain. I need users in an AD domain to automatically authenticate in apache.

 

I am guessing this is done through authz_ldap, however I have no idea how to get it working... any help you can provide is greatly appreciated!


The following will enable auth_ldap on apache2 in debian and ubuntu:

 

a2enmod auth_ldap

 

Then the following should work in a .htaccess file:

 

LDAP_Debug On
AuthName "Only LDAP domain1 or domain2"
AuthType Basic
AuthOnBind On
LDAP_Server "ldap server ip"
LDAP_Port 389
UID_Attr cn
Sub_DN "OU=Users,ou=staff"
AltSub_DN "OU=Users,ou=undergraduate"
Base_DN "DC=ul,DC=campus"
require user first1.lastname1 first2.lastname2 first3.lastname3

 

Obviously you will have to change the above to suit.

 

-steve

 


Thank you for the reply!  I really appreciate it.

 

Sorry for being such a noob, however, I don't have a .htaccess file. I am on RHEL5. I tried creating one in my html home and where my httpd.conf file exists. In the logs it appears to be doing something different..?

 

Also, I am trying to use this SSO/kerberos for the root website, if that changes anything.

 

Do I still need to configure authz_ldap in conf.d?  Or can I leave it alone?  Do I need to do anything in httpd.conf to make it work?

 

Thank you again!

 


Ok, so the closest I've gotten thus far is to put this in my httpd.conf.

 

 

<Directory "/">
Options All FollowSymLinks +Includes
AllowOverride None
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute uid
AuthLDAPURL ldap://ldap.mydomain.com/ou=People,o=mydomain.com?sAMAccountName?sub?(objectClass=*)"
#?uid
require valid-user
AuthName "My Server"
AuthType Basic
</Directory>

 

And... all I get is "Internal Server Error"; however, I say it's the closest I've gotten because this is what's in my error_log.

 

Wed Feb 06 16:12:56 2008] [warn] [client my.ip.address.] [8442] auth_ldap authenticate: user adam.nielson authentication failed; URI / [ldap_search_ext_s() for user failed][bad search filter]

 

Any ideas? All I want is for apache to automatically authenticate against EITHER an OpenLDAP server or an AD domain (we have both) without the need for the user to put in their information.

 

I appreciate any help!

 

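The "bad search filter" in the error_log above comes from how the AuthLDAPURL filter is composed before it is sent to the directory. The following is an added Python example, not from this thread or from Apache, that parses an AuthLDAPURL, flags the stray trailing quote in the URL posted above, and shows the filter the server would send, including the RFC 4515 escaping that stops a username from injecting filter syntax. The (&(filter)(attribute=user)) composition, the stripping of the filter's outer parentheses and the defaults uid/sub/(objectClass=*) are assumed from mod_authnz_ldap's documented behaviour; the URL strings are constructed from the post.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class LdapUrl:
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str

def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split an AuthLDAPURL (RFC 4516 layout) using mod_authnz_ldap's defaults."""
    p = urlsplit(url)
    # urlsplit stops at the first '?', so p.query holds attr?scope?filter
    fields = (p.query.split("?") + ["", "", ""])[:3]
    return LdapUrl(host=p.hostname or "",
                   port=p.port or (636 if p.scheme == "ldaps" else 389),
                   base_dn=p.path.lstrip("/"),
                   attribute=fields[0] or "uid",
                   scope=fields[1] or "sub",
                   filter=fields[2] or "(objectClass=*)")

def filter_problems(flt: str) -> list:
    """Return problems with an LDAP search filter; an empty list means it is OK."""
    problems = []
    if '"' in flt:
        problems.append("double quote in filter: httpd.conf quoting leaked into the URL")
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return problems + ["')' without a matching '('"]
    if depth > 0:
        problems.append("unclosed '('")
    return problems

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot inject filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def apache_search_filter(u: LdapUrl, username: str) -> str:
    """Compose the filter the way mod_authnz_ldap does (assumed): (&(filter)(attr=user))."""
    inner = u.filter[1:-1] if u.filter.startswith("(") else u.filter
    return f"(&({inner})({u.attribute}={escape_filter_value(username)}))"

# Constructed inputs: the URL from the post above (stray trailing quote included)
BROKEN_URL = 'ldap://ldap.mydomain.com/ou=People,o=mydomain.com?sAMAccountName?sub?(objectClass=*)"'
FIXED_URL = BROKEN_URL.rstrip('"')
```

Running filter_problems on apache_search_filter(parse_auth_ldap_url(BROKEN_URL), "adam.nielson") reports an unmatched ')', which is the unbalanced filter the directory rejects; the same call on FIXED_URL reports nothing.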

Put the .htaccess file in the root of the folder where you want users to log in to.

So if you had the following website:

 

www.website.com/membersonly/

 

you would put the .htaccess file in /var/www/membersonly/.htaccess

(^ change to appropriate directory). Make sure to have "AllowOverride All" in your apache/httpd conf.

 

As for normal authentication, the code I outlined previously will suffice. Make sure auth_ldap is enabled and uncommented in your apache/httpd conf.

Also - make sure you are using SSL for the above manual method as the password would be transferred in plain text otherwise.

 

-steve


Hmm... well, if it's authz_ldap that Apache 2.2.3 is using, then work away. It should work the same IMO.

 

I'm not going into SSL. Deal with one problem first. Just remember that if you're using auth_ldap over the internet on http, the password could potentially be sniffed, so use a temporary password/account etc.

( ssl: http://wiki.kartbuilding.net/index.php/Apache_2_%26_SSL_-_PHP4_-_MySQL_4.1 )

 

-steve


Google reveals:

#############################################
<Location /shibboleth-idp/SSO>
    AuthzLDAPEngine on

    AuthzLDAPServer ldap.inst.ac.uk
    AuthzLDAPBindDN "cn=CanonicalName,cn=Users"
    AuthzLDAPBindPassword "******"
    AuthzLDAPUserBase cn=Users
    AuthzLDAPUserKey cn
    AuthzLDAPUserScope base
    # next line needed so Authz_ldap doesn't change REMOTE_USER value
    AuthzLDAPSetAuthorization off

    AuthType basic
    AuthName "Enter network username and password"
    require valid-user
</Location>
#############################################

https://gabriel.lse.ac.uk/twiki/bin/view/Projects/WebFormAuth

 

P.S.: when you do get the final code/config, it would be great if you could post it here.

 

-steve


In my Apache 2.2.3 httpd.conf file?

 

I get this.

 

Invalid command 'AuthzLDAPEngine', perhaps misspelled or defined by a module not included in the server configuration

 

On RHEL5.

 

I can't believe this is being such a pain.... I really do appreciate your help!

 


Ok, so the directive is now obsolete.  My core issue is still single sign-on (SSO) with an AD domain.  In OTRS I can already authenticate against an AD domain, but it still prompts users for their credentials.  I was told I need to set up apache for SSO....

 

I appreciate the help steve... since you are the only one responding to this thread, if you have any insight into SSO with apache, please email me.

 

Thanks for all your help!

 

mujzeptu@gmail.com

 


Google is your friend:

 

http://www.google.ie/search?hl=en&q=sign-on+with+an+AD+domain+apache&meta=

 

Second hit from above:

http://sivel.net/archives/12

 

Looks like Apache won't do this out of the box. You'll have to go towards CPAN at: http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm

 

I'm going to finish my assistance here. I don't have a testbed so I can't take it further.

 

I'll finish on a last note: Google is your friend.

 

-steve

 
