FDS and Apache

Yeah, this was the kind of info I was looking for.

I just downloaded the newest Apache 2.2 server and was going to give it a go
at implementing the included mod_authnz_ldap with FDS.  I was planning on
compiling everything from scratch, and wasn't sure if I could compile
everything against the FDS/NS ldap libraries or if I needed to compile some
or all of it against the OpenLDAP client libraries.

From Richard's comments it sounds like I should just concentrate on
compiling everything against the OpenLDAP libs.  However, you mention using
NSS for encryption.  I'm unsure if using the OpenLDAP libs will limit me in
some way?

If we have control over the Apache compilation is there an
advantage/disadvantage to compiling against the FDS/NS libs rather than
OpenLDAP?  I apologize if that's too vague a question. :-)  Thanks.

- Kevin

On 1/25/06, Richard Megginson <rmeggins at redhat.com> wrote:
>
> Robert Ludvik wrote:
>
> >Kevin Kovach wrote:
> >
> >
> >>The HowTo for integration with Apache
> >>(http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently
> >>blank.  Can somebody advise on another source for information on getting
> >>some type of mod_authnz_ldap working between FDS and Apache?  Thanks.
> >>
> >>- Kevin
> >>
> >>
> >
> >I made it this way (see attachment). Hope it helps.
> >Bye
> >Robert Ludvik
> >
> >
> >------------------------------------------------------------------------
> >
> >Information source:
> >
> >http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html#conf
> >
> >Download modauthldap_apache2.tar.gz and unpack it in /usr/local/src
> >In /usr/local/src/modauthldap_apache2 run:
> >
> >./configure --with-ldap-dir=/opt/fedora-ds/shared --with-apxs=/usr/sbin/apxs
> >make
> >make install
> >
> >Check httpd.conf:
> >LoadModule ldap_module modules/mod_ldap.so
> >LoadModule auth_ldap_module   /usr/lib/httpd/modules/mod_auth_ldap.so
> >
> >I had to copy manually these files:
> >cp /opt/fedora-ds/shared/lib/libprldap50.so /lib/
> >cp /opt/fedora-ds/shared/lib/libldap50.so /lib/
> >cp /opt/fedora-ds/shared/lib/libssldap50.so /lib/
> >
> >
> What version of Apache is this?  Note that some versions of Apache are
> linked directly against /usr/lib/libldap*.so which is the OpenLDAP API
> library.  You may run into strange problems if you have both the Mozilla
> (Fedora DS) and OpenLDAP libs linked into Apache - the APIs, while
> similar, are not compatible and you will run into strange errors.  It is
> for this reason that I recommend just using the default OpenLDAP
> libraries with mod_ldap and mod_auth_ldap.  (Fedora DS Admin Server does
> use the Mozilla LDAP libs despite the fact that Apache is linked with
> the OpenLDAP ones - we have to jump through hoops like using LD_PRELOAD
> - but we do not use any other LDAP modules at all, and we have to use
> the Mozilla ones because we must use NSS for crypto).
>
> >In httpd.conf add folder for which you want to have LDAP authentication:
> >
> ><Directory "/var/www/html/a">
> >Options Indexes FollowSymLinks
> >AllowOverride None
> >order allow,deny
> >allow from all
> >#    Q: I get an error message like reason: unknown require directive:
> >#    "xxxxxxx". What's the problem?
> >#    A: Use the directive AuthAuthoritative Off
> >AuthAuthoritative Off
> >AuthName "Only for nice people ;-)"
> >AuthType Basic
> >#AuthOnBind Off
> >#Sub_DN ou=CIS,ou=People
> >#LDAP_Persistent On
> >#Bind_Tries 5
> >#LDAP_Debug On
> >#LDAP_Protocol_Version 3
> >#LDAP_Deref NEVER
> >#LDAP_StartTLS On
> >LDAP_Server dserver.domain.com
> >#LDAP_Server 192.168.1.1
> >LDAP_Port 389
> ># Connect timeout in seconds
> >#LDAP_Connect_Timeout 3
> ># If SSL is on, must specify the LDAP SSL port, usually 636
> >#LDAP_Port 636
> >#LDAP_CertDbDir /usr/foo/ssl
> >Base_DN "dc=domain,dc=com"
> ># If your configuration allows anonymous access you don't have to set
> ># Bind_DN
> >#Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
> >#Bind_Pass "secret"
> >UID_Attr uid
> >#UID_Attr_Alt "mail"
> >#Group_Attr uniqueMember
> >#SupportNestedGroups Off
> ># You also need one of require statements:
> ># any valid user:
> >#require valid-user
> ># OR these users:
> >#require user muquit foo bar "john doe"
> ># OR users that match some condition:
> >#require roomnumber "123 Center Building"
> ># OR filter:
> >#require filter "(&(telephonenumber=1234)(roomnumber=123))"
> ># for a group of users (NOTE, without dc=domain,dc=com)
> >require group cn=my_group,ou=Groups
> ></Directory>
> >
> >Restart Apache:
> >apachectl restart
> >
> >
> >
> >------------------------------------------------------------------------
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
>
>


--
Take back the web, http://www.switch2firefox.com/
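
Richard's warning about having both the Mozilla (Fedora DS) and OpenLDAP client libraries linked into one Apache process can be checked from `ldd` output. The following is an added example, not part of the original thread: the function names and the sample `ldd` lines are constructed, and the file-name patterns are assumptions based on the library names quoted above (`libldap50.so`, `libprldap50.so`, `libssldap50.so`, `/usr/lib/libldap*.so`).

```shell
#!/bin/sh
# Classify the LDAP client libraries named in `ldd` output read from stdin.
# Prints one of: mixed, mozilla, openldap, none.
classify_ldap_libs() {
    moz=0
    ol=0
    while read -r name _rest || [ -n "$name" ]; do
        case "$name" in
            # Mozilla / Fedora DS SDK names, as copied to /lib in the thread
            libldap[0-9][0-9].so*|libprldap[0-9][0-9].so*|libssldap[0-9][0-9].so*)
                moz=1 ;;
            # OpenLDAP names (assumed patterns): libldap.so.2, libldap-2.3.so.0, ...
            libldap.so*|libldap-*|libldap_r*|liblber*)
                ol=1 ;;
        esac
        name=""
    done
    if [ "$moz" -eq 1 ] && [ "$ol" -eq 1 ]; then echo mixed
    elif [ "$moz" -eq 1 ]; then echo mozilla
    elif [ "$ol" -eq 1 ]; then echo openldap
    else echo none
    fi
}

# Aggregate ldd output for httpd plus the modules it loads: the clash
# happens inside one process, not inside one file. Missing files are skipped.
scan_files() {
    for f in "$@"; do
        if [ -e "$f" ]; then ldd "$f" 2>/dev/null || true; fi
    done | classify_ldap_libs
}

# Constructed sample: httpd linked against OpenLDAP, plus a module built
# with --with-ldap-dir=/opt/fedora-ds/shared as in the quoted how-to.
sample_mixed_ldd() {
    printf '\tlibldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00111000)\n'
    printf '\tliblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00222000)\n'
    printf '\tlibldap50.so => /lib/libldap50.so (0x00333000)\n'
    printf '\tlibprldap50.so => /lib/libprldap50.so (0x00444000)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x00555000)\n'
}

echo "constructed sample: $(sample_mixed_ldd | classify_ldap_libs)"
```

On a real host, call `scan_files` with the httpd binary and the `.so` files named in the `LoadModule` lines; a result of `mixed` is the situation Richard describes.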