Changes between Version 5 and Version 6 of ActiveDirectory
- Timestamp:
- Feb 22, 2015, 3:41:26 PM (9 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
ActiveDirectory
v5 v6 1 = Setting up Apache and OpenLDAP to use Microsoft's ActiveDirectory 2 1 3 This is a short HOWTO for setting up Apache and OpenLDAP to use Microsoft's !ActiveDirectory for authenticating users. As an option, you can secure LDAP by using SSL. We choose openssl.[[BR]] 2 It will give you an idea how to set up your apache configuration.4 It will give you an idea how to set up your Apache configuration. 3 5 4 We assume that 6 We assume that: 5 7 * your AD domain is called `MYDOM` 6 8 * you have a user called `MYUSER` that has read access to `sAMAccountName` … … 8 10 * your basedn is `DC=mydom,DC=example,DC=org` 9 11 10 === Apache 2.0.x with [http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html mod_auth_ldap] === 12 == Apache 2.0.x with [http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html mod_auth_ldap] 13 11 14 You need to have `mod_ldap.so` and `mod_auth_ldap.so` compiled. 12 15 … … 42 45 }}} 43 46 44 === Apache 2.2.x with [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap] and LDAP over SSL === 45 You need to have `mod_ldap.so` and `mod_authnz_ldap.so` compiled. 47 == Apache 2.2.x with [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap] and LDAP over SSL 46 48 47 To do so, compile apache with 49 You need to have `mod_ldap.so` and `mod_authnz_ldap.so` compiled. To do so, compile Apache with: 50 48 51 {{{ 49 52 ./configure --enable-ldap=shared --enable-auth-ldap=shared --enable-ldap \ … … 51 54 --with-ldap-lib=</path/to/your/openldap/installation>/lib 52 55 }}} 56 53 57 Of course, you'll have to provide more options to `configure`.[[BR]] 54 Build and install apache the usual way.[[BR]]55 Make sure you have both `mod_ldap.so` and `mod_authnz_ldap.so` in apaches's modules directory.[[BR]]58 Build and install Apache the usual way.[[BR]] 59 Make sure you have both `mod_ldap.so` and `mod_authnz_ldap.so` in Apaches's modules directory.[[BR]] 56 60 Also make sure that your openldap has support for ssl built in.[[BR]] 57 61 Get the root certificate for your DC. In this example, it is BASE64 encoded. 58 62 59 63 Now for the `httpd.conf`: 64 60 65 {{{ 61 66 LoadModule ldap_module modules/mod_ldap.so … … 81 86 }}} 82 87 83 === Using mm_mod_auth_ldap and authentication on bind === 88 === Using mm_mod_auth_ldap and authentication on bind 89 84 90 Some LDAP providers require some form of authentication in order to check credentials. There are two ways of handling this. One is to put a specific username and password into the Apache configuration file (as shown in the above example). This can be problematic in certain environments (the author of this section works in a US National Lab, with some occasionally insane security rules). And it is true that burying passwords in configuration files can be a maintenance problem. The third party mm_mod_auth_ldap (http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html) provides an interesting solution, which is that it attempts to use the username/password supplied by the user to do the bind to the LDAP provider. If the bind works that's part of the authentication. If the bind doesn't work, then the user is presumed to not be real, and the authentication fails. This does, however, have a couple of unfortunate side effects. One is that if the user fat-fingers the password, the bind fails and the user sees a server configuration error (bad). The other is that since the credentials are different on each bind, there's no caching or pooling of LDAP connections possible. However, this is a useful concept, and one that can hopefully be improved. The gist of the configuration is 85 91 {{{ … … 108 114 </Location> 109 115 }}} 110 Have fun!
