How to configure authentication and authorization in <Directory> directive against 2 Active Directory domains

We have an AD forest with user accounts in one domain (domain_u) and group memberships for the same user accounts in a second domain (domain_g). I need to authenticate users against domain_u and use the returned distinguished name to authorize users based on group memberships in domain_g.

I can successfully authenticate users against domain_u with a config that looks like this:

<AuthnProviderAlias ldap ldap-domain_u>
  AuthLDAPBindDN "cn=….."
  AuthLDAPBindPassword …..
  AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-domain_g>
  AuthLDAPBindDN "cn=….."
  AuthLDAPBindPassword …..
  AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<Directory "${SRVROOT}/htdocs/test">
  AllowOverride none
  AuthType Basic
  AuthBasicProvider ldap-domain_u
  AuthLDAPGroupAttributeIsDN on
  LDAPReferrals Off
  <RequireAll>
    Require valid-user
  </RequireAll>
</Directory>

This authentication against domain_u works; however, I cannot figure out how to authorize authenticated users against groups in domain_g. When I look at group members in domain_g using my LDAP browser, I see distinguished names that look exactly like the distinguished name set by Apache as an environment variable after a successful authentication:

CN=S-1-5-..-……….-……….-……….-……,CN=ForeignSecurityPrincipals,DC=domain_u,DC=edu

Note that this distinguished name exists in domain_g in the ForeignSecurityPrincipals container and specifies a SID instead of a samaccountname.

I have tried many different permutations of config options underneath the <Directory> directive but cannot get Apache to use a second AuthnProviderAlias (ldap-domain_g) to verify group membership for the distinguished name in domain_g. I've also done numerous Google searches focusing on AD ForeignSecurityPrincipals, Active Directory and Apache configuration and have not yet found the magic post I've been looking for.

Is what I would like to do even possible, and if so, could someone please respond with the correct configuration to make this work?

Also, please note that if I set the LDAPReferrals to 'On' my browser displays 'Internal Server Error' and the apache error log contains the message:
[ldap:error] … (70023) This function has not been implemented on this platform: AH01277: LDAP: Unable to add rebind cross reference entry. Out of memory?


Thank you in advance,
Theresa
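The member values in domain_g carry the user's SID inside a ForeignSecurityPrincipals DN rather than the account DN that authentication returns, so the two never compare equal. The following Python example is added here and is not from the post or from Apache: it decodes a binary objectSid (the form AD returns for that attribute) into its S-1-5-... string, builds the FSP DN a domain_g group member value would carry, and compares it against constructed member values. The objectSid bytes, base DNs and user DN are constructed placeholders.

```python
import struct

# Constructed sample objectSid for S-1-5-21-1004336348-1177238915-682003330-1105,
# laid out as Active Directory returns it: revision, sub-authority count,
# 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities.
SAMPLE_OBJECT_SID = bytes.fromhex(
    "01 05 000000000005"      # revision 1, 5 sub-authorities, authority 5 (NT)
    "15000000"                # 21
    "DCF4DC3B 833D2B46 828BA628"  # domain identifier (3 sub-authorities)
    "51040000"                # RID 1105
)

# Constructed member values of a group in domain_g: the first is a foreign
# security principal for the user above, the second a local domain_g account.
GROUP_MEMBERS = [
    "CN=S-1-5-21-1004336348-1177238915-682003330-1105,CN=ForeignSecurityPrincipals,DC=domain_g,DC=edu",
    "CN=Other User,OU=Staff,DC=domain_g,DC=edu",
]


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID (MS-DTYP SID packet layout) into S-R-A-S1-S2-... form."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    sub_authorities = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in sub_authorities)


def fsp_dn(sid: bytes, domain_base_dn: str) -> str:
    """DN that a foreign security principal for this SID has in the given domain."""
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid_to_string(sid), domain_base_dn)


def normalize_dn(dn: str) -> str:
    """Loose DN normalization (trim RDN whitespace, case-fold); ignores escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def is_group_member(candidate_dn: str, member_values) -> bool:
    """True if candidate_dn equals one of the group's member attribute values."""
    wanted = normalize_dn(candidate_dn)
    return any(normalize_dn(m) == wanted for m in member_values)


if __name__ == "__main__":
    # The account DN returned by authentication does not match; the SID-derived FSP DN does.
    print(is_group_member("CN=jdoe,OU=Users,DC=domain_u,DC=edu", GROUP_MEMBERS))  # False
    print(is_group_member(fsp_dn(SAMPLE_OBJECT_SID, "DC=domain_g,DC=edu"), GROUP_MEMBERS))  # True
```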

