Edgewall Software

Changes between Version 5 and Version 6 of ActiveDirectory


Ignore:
Timestamp:
Feb 22, 2015, 3:41:26 PM (7 years ago)
Author:
figaro
Comment:

Cosmetic changes

Legend:

Unmodified
Added
Removed
Modified
  • ActiveDirectory

    v5 v6  
     1= Setting up Apache and OpenLDAP to use Microsoft's ActiveDirectory
     2
    13This is a short HOWTO for setting up Apache and OpenLDAP to use Microsoft's !ActiveDirectory for authenticating users. As an option, you can secure LDAP by using SSL. We choose openssl.[[BR]]
    2 It will give you an idea how to set up your apache configuration.
     4It will give you an idea how to set up your Apache configuration.
    35
    4 We assume that
     6We assume that:
    57 * your AD domain is called `MYDOM`
    68 * you have a user called `MYUSER` that has read access to `sAMAccountName`
     
    810 * your basedn is `DC=mydom,DC=example,DC=org`
    911
    10 === Apache 2.0.x with [http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html mod_auth_ldap] ===
     12== Apache 2.0.x with [http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html mod_auth_ldap]
     13
    1114You need to have `mod_ldap.so` and `mod_auth_ldap.so` compiled.
    1215
     
    4245}}}
    4346
    44 === Apache 2.2.x with [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap] and LDAP over SSL ===
    45 You need to have `mod_ldap.so` and `mod_authnz_ldap.so` compiled.
     47== Apache 2.2.x with [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap] and LDAP over SSL
    4648
    47 To do so, compile apache with
     49You need to have `mod_ldap.so` and `mod_authnz_ldap.so` compiled. To do so, compile Apache with:
     50
    4851{{{
    4952./configure --enable-ldap=shared --enable-auth-ldap=shared --enable-ldap \
     
    5154--with-ldap-lib=</path/to/your/openldap/installation>/lib
    5255}}}
     56
    5357Of course, you'll have to provide more options to `configure`.[[BR]]
    54 Build and install apache the usual way.[[BR]]
    55 Make sure you have both `mod_ldap.so` and `mod_authnz_ldap.so` in apaches's modules directory.[[BR]]
     58Build and install Apache the usual way.[[BR]]
     59Make sure you have both `mod_ldap.so` and `mod_authnz_ldap.so` in Apaches's modules directory.[[BR]]
    5660Also make sure that your openldap has support for ssl built in.[[BR]]
    5761Get the root certificate for your DC. In this example, it is BASE64 encoded.
    5862
    5963Now for the `httpd.conf`:
     64
    6065{{{
    6166LoadModule ldap_module modules/mod_ldap.so
     
    8186}}}
    8287
    83  === Using mm_mod_auth_ldap and authentication on bind ===
     88=== Using mm_mod_auth_ldap and authentication on bind
     89
    8490Some LDAP providers require some form of authentication in order to check credentials.  There are two ways of handling this.  One is to put a specific username and password into the Apache configuration file (as shown in the above example).  This can be problematic in certain environments (the author of this section works in a US National Lab, with some occasionally insane security rules).  And it is true that burying passwords in configuration files can be a maintenance problem.  The third party mm_mod_auth_ldap (http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html) provides an interesting solution, which is that it attempts to use the username/password supplied by the user to do the bind to the LDAP provider.  If the bind works that's part of the authentication.  If the bind doesn't work, then the user is presumed to not be real, and the authentication fails.  This does, however, have a couple of unfortunate side effects.  One is that if the user fat-fingers the password, the bind fails and the user sees a server configuration error (bad).  The other is that since the credentials are different on each bind, there's no caching or pooling of LDAP connections possible.  However, this is a useful concept, and one that can hopefully be improved.  The gist of the configuration is
    8591{{{
     
    108114</Location>
    109115}}}
    110 Have fun!