[TriLUG] Fwd: [Centos] in CentOS 3.4, mod_auth_ldap ?
turnpike420 at gmail.com
Fri Jan 21 09:20:36 EST 2005
OK folks... I was having some trouble with CentOS not containing
mod_auth_ldap as the FCx distros do. I use this to authenticate users
via Apache on linux against my Microsoft ADS for my web apps. At any
rate, CentOS does come with mod_authz_ldap which I had never been able
to configure correctly. Through the wonderful world of the linux
community, here are the results of my search in the thread below.
mod_authz_ldap *can* in fact be configured to work so there is no need
for mod_auth_ldap. mod_authz_ldap does not appear to be as
sophisticated as mod_auth_ldap but it seems to do the trick. Maybe
one of our LDAP gurus can comment on some of these things
*cough*Mark*cough* if he is familiar with ADS.
I'm going to update my note here:
See below for the thread that helped me get going with mod_authz_ldap.
---------- Forwarded message ----------
From: Lee Garner <lee at leegarner.com>
Date: Thu, 20 Jan 2005 20:55:25 -0800
Subject: Re: [Centos] in CentOS 3.4, mod_auth_ldap ?
To: CentOS discussion and information list <centos at caosity.org>
That's pretty much it. My comments are interspersed below:
David McDowell wrote:
>awesome, if we are open tomorrow (snow storm coming) I shall have to
>try this... I have a couple of embedded questions to help me
>understand it, see comments below! thanks...
>my comment/questions are _below_ the item they are related to:
>On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee at leegarner.com
><lee at leegarner.com> wrote:
>>I have mod_authz_ldap working ok. Here's a .htaccess file:
>>AuthName "Authorized Access Only"
>>AuthzLDAPBindDN ldap_lookup at domain.com
>Does AuthzLDAPBindDN need to be the full ADS username at domain.com?
That's the only way I could get it to work. I tried a few variations on
"cn=(name|userid),ou=department,dc=..." and it never worked. In any
case, it does need to be the full name. user at domain worked the easiest.
>So this is where this goes... not blah blah...
Yep. I'm not sure if authz_ldap filters on objectClass, I haven't checked.
>With this user base, this will go set it to look at the top of the ADS
>schema? For example, I have an OU = MyCity in case we ever expanded to
>another city I could have another OU for those users.
That's the domain ID, and it would include subordinate OUs (according to
the entry below). I'm sure that you could restrict it somewhat by
>and this tells it to search all subordinate OUs in the tree?
>What is AuthzLDAPSetAuthorization off for?
Ah, that's an issue that I found. It's supposed to default to "off",
but I found that with it on, or missing, the user's FQDN is passed to
Apache ("cn=fred,ou=finance,dc=company,dc=com"). Authentication still
works, but it messed up some of my programs which rely on REMOTE_USER.
With the setting off, Apache gets only the sAMAccountName ("fred").
>>require group CN=GroupName,CN=Users,DC=domain,DC=com
>I can still use "require valid-user" here right?
>require valid-user OU=MyCity,DC=domain,DC=com ??
Yes. I use it for controlling access to network & systems monitoring
apps (Nagios, Cacti, NMIS), so I restrict it to the IT dept.
>Thanks for fielding my questions!! :)
No problem. I hope this helps. Stay warm.
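Pulling the pieces of the thread together, here is a complete mod_authz_ldap block for httpd.conf. This is an added example, not the .htaccess Lee posted: the only directives taken from the thread are AuthzLDAPBindDN, AuthzLDAPSetAuthorization and the "require group" line; the rest (AuthzLDAPEngine, AuthzLDAPMethod, AuthzLDAPServer, AuthzLDAPBindPassword, AuthzLDAPUserBase/UserKey/UserScope, AuthzLDAPGroupBase/GroupKey/MemberKey, AuthzLDAPAuthoritative) are from the mod_authz_ldap documentation as I recall it and should be checked against the docs shipped with your package before use. Host, domain, group and account names are placeholders.

```apacheconf
# Added example: mod_authz_ldap against Active Directory, assembled from
# the settings discussed in the thread.  Directive names other than
# AuthzLDAPBindDN, AuthzLDAPSetAuthorization and "require group" are
# assumptions from the module documentation; verify them with your build.
LoadModule authz_ldap_module modules/mod_authz_ldap.so

<Location /monitoring>
    AuthType Basic
    AuthName "Authorized Access Only"
    AuthzLDAPEngine on
    AuthzLDAPMethod ldap
    AuthzLDAPServer dc1.domain.com

    # AD does not allow anonymous searches, so bind with a dedicated
    # low-privilege lookup account.  The thread found that the UPN form
    # (user@domain) works against AD where a cn=...,ou=... DN did not.
    AuthzLDAPBindDN ldap_lookup@domain.com
    AuthzLDAPBindPassword "lookup-account-password"

    # Users: search the whole domain subtree (so OU=MyCity and any OU added
    # later are covered) and match the login name to sAMAccountName, not cn.
    AuthzLDAPUserBase DC=domain,DC=com
    AuthzLDAPUserKey sAMAccountName
    AuthzLDAPUserScope subtree

    # Groups: default AD groups live under CN=Users and list members in the
    # multi-valued "member" attribute.
    AuthzLDAPGroupBase CN=Users,DC=domain,DC=com
    AuthzLDAPGroupKey cn
    AuthzLDAPMemberKey member

    # "off" gives the application the bare sAMAccountName ("fred") in
    # REMOTE_USER.  "on", or omitting the directive as the thread observed,
    # gives it the full DN ("cn=fred,ou=finance,dc=company,dc=com"), which
    # breaks applications that key their own access lists on the short name.
    AuthzLDAPSetAuthorization off

    # Fail closed: a failed LDAP check must not fall through to another
    # authentication provider that might say yes.
    AuthzLDAPAuthoritative on

    # Restrict to the IT group.  "require valid-user" would admit every
    # account in the domain that can bind.
    require group CN=IT,CN=Users,DC=domain,DC=com
</Location>
```

Two caveats a deployment should not skip. First, keep the bind credentials in httpd.conf rather than a .htaccess file: Apache refuses to serve .ht* files by default, but any local user who can read the web tree can read them, and the lookup account's password is in the clear. Second, with AuthType Basic every user's AD password crosses the wire to Apache, and Apache then sends it to the domain controller in the LDAP simple bind; put the site behind HTTPS and, if your build of the module can talk to the controller over TLS, use that, otherwise keep the web server and domain controller on a network segment you trust.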
CentOS mailing list
CentOS at caosity.org