robbyt.com
Apache 2.2 and Active Directory
Apache 2.2 has introduced a new authentication framework: Authn/Authz. With this new framework comes a new mod_authz_ldap module! Like every good UNIX software release, a torrent of esoteric, incompatible, and confusing configuration options present themselves! Read on for my experiences with Apache 2.2/mod_authz_ldap and Active Directory...

First off, this article isn't really much of an A-Z how-to for getting Apache/AD working. It's meant more as a reference for people who have worked with Apache 2.0/mod_auth_ldap and are upgrading to Apache 2.2/mod_authz_ldap. If you need help getting things going from scratch, I recommend doing some Googling to get you going.

So to get started, here is my configuration template for the impatient. Items that are new to Apache 2.2/mod_authz_ldap are marked with a comment (Apache does not allow comments after a directive, so each note sits on its own line); the directives go inside the Location or Directory container you are protecting:

    Order allow,deny
    Allow from all
    AuthName "AD Authorize Me!"
    AuthType Basic
    # new in 2.2
    AuthBasicProvider ldap
    # new in 2.2
    AuthzLDAPAuthoritative On
    # new in 2.2: user@domain (UPN) style bind name. Placeholder value; the real
    # one was hidden by the page's anti-spam script and the text below describes it
    AuthLDAPBindDN bind-account@domain.local
    AuthLDAPBindPassword your-plain-text-ldap-pass
    AuthLDAPURL ldap://domain.local:389/OU=Corporate,OU=company,DC=domain,DC=local?sAMAccountName?sub?(objectCategory=person)
    # new in 2.2: "ldap-group" replaces the 2.0 "group" keyword
    Require ldap-group CN=Domain Admins,OU=Windows Groups,OU=Groups,OU=Corporate,OU=company,DC=domain,DC=local
    Require valid-user

So let's go over what some of this means.

AuthBasicProvider ldap is fairly self-explanatory for Apache veterans. AuthType Basic is a classic option that everyone knows and loves, but now you can list multiple "providers" for each location if necessary. AuthBasicProvider is required for every location; otherwise Apache won't know which auth plugin to use.

AuthzLDAPAuthoritative On: there are some how-tos and postings on the internet that say to turn this off. If you listen to them and turn this off, you'll lose the ability to filter groups. Since you want your authentication to be strictly by LDAP, AuthzLDAPAuthoritative needs to be set to On. If this option is set to Off, authentication will pass down to the GroupFile (or similar) mechanisms, and you might not have any other handlers set. So setting AuthzLDAPAuthoritative to On forces LDAP to do all the work (and avoids any "backup" authentication mechanisms).

AuthLDAPBindDN in the user@domain form is also new. Formatting your BindDN this way isn't required, but it's recommended (somewhere) in the Apache documentation. I guess what this gives you is the ability to have directory-agnostic binding authentication, for when some noob decides to reorganize the structure of the Active Directory tree on their lunch break (sure beats playing solitaire, I suppose).

Require ldap-group: Require group has an additional syntax option. Other documentation and how-tos on the internet were ambiguous about this. The only way I could get group filtering to work was to use "Require ldap-group" and not the 2.0-formatted "Require group".

Well, that's all of the major stuff. I'm sure there are other surprises along the way. Best of luck, and enjoy Apache 2.2!!!
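As an added example (not code from the original post or from Apache), here is a small Python script that pulls apart the AuthLDAPURL from the template above the way the Apache 2.2 documentation for mod_authnz_ldap (the module this post calls mod_authz_ldap) lays it out, builds the (&(filter)(attribute=user)) lookup the module sends under the base DN with the login name escaped per RFC 4515, and flags the unencrypted ldap:// transport. The sample URL is the one from the configuration above; the hostile login name and the ldaps:// host in the comments are constructed.

```python
"""Parse an Apache 2.2 AuthLDAPURL and model the user lookup it implies.
Added example for this page, not Apache code: it follows the documented layout
scheme://host:port/basedn?attribute?scope?filter and the (&(filter)(attr=user))
search mod_authnz_ldap performs under the base DN."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed sample: the AuthLDAPURL from the configuration template above.
SAMPLE_URL = ("ldap://domain.local:389/OU=Corporate,OU=company,DC=domain,DC=local"
              "?sAMAccountName?sub?(objectCategory=person)")

@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str  # matched against the login name (Apache default: uid)
    scope: str      # "one" or "sub" (Apache default: sub)
    filter: str     # ANDed with the user term (Apache default: (objectClass=*))

def parse_auth_ldap_url(url: str) -> LdapUrl:
    """urlsplit stops at the first '?'; attribute, scope and filter follow it."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    attribute, scope, flt = (parts.query.split("?", 2) + ["", "", ""])[:3]
    return LdapUrl(parts.scheme, parts.hostname or "", port,
                   unquote(parts.path.lstrip("/")),
                   attribute or "uid", scope or "sub", flt or "(objectClass=*)")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def search_filter(url: LdapUrl, username: str) -> str:
    """The lookup sent under base_dn: (&(filter)(attribute=<escaped login name>))."""
    return f"(&{url.filter}({url.attribute}={escape_filter_value(username)}))"

def transport_findings(url: LdapUrl) -> list[str]:
    """Plain ldap:// carries the bind password and every Basic login in cleartext."""
    if url.scheme == "ldap":
        return [f"{url.host}:{url.port} uses unencrypted ldap://; prefer ldaps://"]
    return []

if __name__ == "__main__":
    u = parse_auth_ldap_url(SAMPLE_URL)
    print(search_filter(u, "jdoe"))
    print(search_filter(u, "*)(cn=*"), transport_findings(u))  # hostile name, neutralised
```

Pointing the script at your own AuthLDAPURL shows exactly which attribute a typed login name is matched against and whether the connection carries the AuthLDAPBindPassword in the clear.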