mujzeptu Posted February 4, 2008: As the title suggests, I need help setting up the latest release of Apache to use single sign-on with Kerberos for an AD domain. I need users in an AD domain to automatically authenticate in Apache. I am guessing this is done through authz_ldap; however, I have no idea how to get it working... any help you can provide is greatly appreciated!
steviewdr Posted February 4, 2008: The following will enable auth_ldap on Apache 2 in Debian and Ubuntu:

    a2enmod auth_ldap

Then the following should work in a .htaccess file:

    LDAP_Debug On
    AuthName "Only LDAP domain1 or domain2"
    AuthType Basic
    AuthOnBind On
    LDAP_Server "ldap server ip"
    LDAP_Port 389
    UID_Attr cn
    Sub_DN "OU=Users,ou=staff"
    AltSub_DN "OU=Users,ou=undergraduate"
    Base_DN "DC=ul,DC=campus"
    require user first1.lastname1 first2.lastname2 first3.lastname3

Obviously you will have to change the above to suit. -steve
mujzeptu Posted February 5, 2008: Thank you for the reply! I really appreciate it. Sorry for being such a noob; however, I don't have an .htaccess file. I am on RHEL5. I tried creating one in my html home and where my httpd.conf file exists. In the logs it appears to be doing something different..? Also, I am trying to use this SSO/Kerberos for the root website, if that changes anything. Do I still need to configure authz_ldap in conf.d? Or can I leave it alone? Do I need to do anything in httpd.conf to make it work? Thank you again!
mujzeptu Posted February 6, 2008: OK, so the closest I've gotten thus far is to put this in my httpd.conf:

    <Directory "/">
        Options All FollowSymLinks +Includes
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthBasicProvider ldap
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute uid
        AuthLDAPURL ldap://ldap.mydomain.com/ou=People,o=mydomain.com?sAMAccountName?sub?(objectClass=*)" #?uid
        require valid-user
        AuthName "My Server"
        AuthType Basic
    </Directory>

And... all I get is "Internal Server Error"; however, I say it's the closest I've gotten, as this is what's in my error_log:

    Wed Feb 06 16:12:56 2008] [warn] [client my.ip.address.] [8442] auth_ldap authenticate: user adam.nielson authentication failed; URI / [ldap_search_ext_s() for user failed][bad search filter]

Any ideas? All I want is for Apache to automatically authenticate against EITHER an OpenLDAP server or an AD domain (we have both) without the need for the user to put in their information. I appreciate any help!
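An added example, not posted by either participant, of the same directory block written for the mod_authnz_ldap module that ships with Apache 2.2.3 on RHEL5. The "bad search filter" in the log above comes from the stray double quote at the end of the posted AuthLDAPURL, which Apache passes to the server as part of the filter; the block also adds the bind account AD requires for searches and moves the connection to LDAPS. Host names, base DN, bind DN, bind password and CA path are placeholders.

```apache
# Apache 2.2 modules providing the "ldap" basic-auth provider (both shipped with RHEL5's httpd).
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Assumed placeholders: replace with your own domain controller's CA certificate.
# LDAPS keeps the user's password and the bind password off the wire in clear text.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-root-ca.pem
LDAPVerifyServerCert On

# Protect the document root rather than "/" so the auth rules do not spill over
# into every filesystem path Apache can see.
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

    AuthType Basic
    AuthName "My Server"
    AuthBasicProvider ldap

    # Broken form from the post, kept as a comment for comparison:
    #   ldap://ldap.mydomain.com/ou=People,o=mydomain.com?sAMAccountName?sub?(objectClass=*)"
    # The trailing " is read as part of the filter, so the LDAP server rejects the search.
    # Corrected: the whole URL is quoted, the filter is balanced, and it is restricted to
    # user objects; AD domains use dc= components in the base DN (placeholder values).
    AuthLDAPURL "ldaps://dc1.mydomain.example:636/ou=People,dc=mydomain,dc=example?sAMAccountName?sub?(objectClass=user)"

    # AD refuses anonymous searches: bind with a low-privilege, read-only service account
    # (placeholder DN and password; keep the real password out of world-readable configs).
    AuthLDAPBindDN "cn=apache-svc,ou=Service Accounts,dc=mydomain,dc=example"
    AuthLDAPBindPassword "PLACEHOLDER_BIND_PASSWORD"

    # Fail closed: when the LDAP provider cannot decide, do not fall through to others.
    AuthzLDAPAuthoritative On
    Require valid-user
</Directory>
```

Restart httpd after the change and watch error_log for the same "auth_ldap authenticate" line: with the filter fixed it should report the bind or search outcome instead of "bad search filter".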
steviewdr Posted February 6, 2008: Apologies, I misread your original post and missed the "automatically authenticate" part. I'm afraid I have never looked into that... yet. I'm afraid I can't be of more assistance. It's up to Google. The answer is out there! -steve
mujzeptu Posted February 6, 2008: I will take normal authentication for right now, just to get THAT working.... Can you answer my above posts about where to put the .htaccess file, etc.? Thank you!
steviewdr Posted February 6, 2008: Put the .htaccess file in the root of the folder where you want users to log in to. So if you had the following website: www.website.com/membersonly/ you would put the .htaccess file in /var/www/membersonly/.htaccess (^ change to the appropriate directory). Make sure to have "AllowOverride All" in your apache/httpd conf. As for normal authentication, the code I outlined previously will suffice. Make sure auth_ldap is enabled and uncommented in your apache/httpd conf. Also - make sure you are using SSL for the above manual method, as the password would be transferred in plain text otherwise. -steve
mujzeptu Posted February 7, 2008: OK, thank you. Two things. 1) With the latest version of Apache (2.2.3) it appears auth_ldap is no longer used, and it is now using authz_ldap. If I try to use the old module it won't load. 2) How do I enable SSL?
steviewdr Posted February 7, 2008: Hmm... well, if it's authz_ldap that Apache 2.2.3 is using, then work away. It should work the same IMO. I'm not going into SSL. Deal with one problem first. Just remember that if you're using auth_ldap over the internet on HTTP, the password could potentially be sniffed, so use a temporary password/account etc. (SSL: http://wiki.kartbuilding.net/index.php/Apache_2_%26_SSL_-_PHP4_-_MySQL_4.1 ) -steve
mujzeptu Posted February 7, 2008: It's all local and behind a firewall, so it should be fine. The .htaccess didn't work; it's telling me those commands are not valid... I'm guessing because of the new version of Apache.
steviewdr Posted February 7, 2008: Google reveals:

    #############################################
    <Location /shibboleth-idp/SSO>
        AuthzLDAPEngine on
        AuthzLDAPServer ldap.inst.ac.uk
        AuthzLDAPBindDN "cn=CanonicalName,cn=Users"
        AuthzLDAPBindPassword "******"
        AuthzLDAPUserBase cn=Users
        AuthzLDAPUserKey cn
        AuthzLDAPUserScope base
        # next line needed so Authz_ldap doesn't change REMOTE_USER value
        AuthzLDAPSetAuthorization off
        AuthType basic
        AuthName "Enter network username and password"
        require valid-user
    </Location>
    #############################################

https://gabriel.lse.ac.uk/twiki/bin/view/Projects/WebFormAuth

P.S.: when you do get the final code/config, it would be great if you could post it here. -steve
mujzeptu Posted February 8, 2008: In my Apache 2.2.3 httpd.conf file I get this:

    Invalid command 'AuthzLDAPEngine', perhaps misspelled or defined by a module not included in the server configuration

On RHEL5. I can't believe this is being such a pain.... I really do appreciate your help!
steviewdr Posted February 10, 2008: Make sure the following line is uncommented in your httpd.conf:

    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

-steve
mujzeptu Posted February 11, 2008: It is...
steviewdr Posted February 11, 2008: Google is your friend: https://bugzilla.redhat.com/show_bug.cgi?id=164620 -steve
mujzeptu Posted February 12, 2008: OK, so the directive is now obsolete. My core issue is still single sign-on (SSO) with an AD domain. In OTRS I can already authenticate against an AD domain, but it still prompts users for their credentials. I was told I need to set up Apache for SSO.... I appreciate the help, Steve... since you are the only one responding to this thread, if you have any insight into SSO with Apache, please email me. Thanks for all your help! mujzeptu@gmail.com
steviewdr Posted February 12, 2008: Google is your friend: http://www.google.ie/search?hl=en&q=sign-on+with+an+AD+domain+apache&meta= Second hit from above: http://sivel.net/archives/12 Looks like Apache won't do this out of the box. You'll have to go towards CPAN at: http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm I'm going to finish my assistance here. I don't have a testbed, so I can't take it further. I'll finish on a last note: Google is your friend. -steve