Re: LDAP authentication question

Arkadiy,

Take a look at this
http://httpd.apache.org/docs/trunk/mod/mod_authn_core.html

You can create multiple authentication mechanisms, one for each sub-tree perhaps, and then alias them.


Cheers,
Tony




On 23/12/2008 19:49, Arkadiy Goykhberg wrote:
Our LDAP Active Directory tree looks like this (indentation follows the DNs used below):

DC=mycompany,DC=COM
  -OU=Accounts
    -OU=Usernames
      -OU=Finance&Administration
      -OU=Security
      -....
    -OU=Generic accounts
  -DC=sng,DC=mycompany,DC=com
    -OU=Singapore Users
  -DC=uk,DC=mycompany,DC=com
    -OU=Accounts
      -OU=Users

If I use the following configuration, everything works, except I am not able to authenticate UK and SNG users because the base of the search does not include the UK and SNG domains.

AuthBasicProvider ldap
AuthLDAPURL "ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com

[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(373): [client 192.168.2.75] [3718] auth_ldap authenticate: using URL ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(454): [client 192.168.2.75] [3718] auth_ldap authenticate: accepting testuser
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(691): [client 192.168.2.75] [3718] auth_ldap authorise: require group: testing for group membership in "CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com"
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(697): [client 192.168.2.75] [3718] auth_ldap authorise: require group: testing for member: CN=Test User,OU=Finance&Administration,OU=Usernames,OU=Accounts,DC=mycompany,DC=com (CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(706): [client 192.168.2.75] [3718] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]

However, if I use the following configuration (pointing to the base of the AD tree), mod_authnz_ldap.c produces a segfault.

AuthBasicProvider ldap
AuthLDAPURL "ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com

[Wed Nov 26 20:24:31 2008] [debug] mod_authnz_ldap.c(373): [client 192.168.2.75] [3110] auth_ldap authenticate: using URL ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 20:24:42 2008] [notice] child pid 3110 exit signal Segmentation fault (11)

# rpm -qi httpd
Name        : httpd                          Relocations: (not relocatable)
Version     : 2.2.3                          Vendor: CentOS
Release     : 11.el5_2.centos.4              Build Date: Wed 12 Nov 2008 10:44:43 AM EST
Install Date: Fri 14 Nov 2008 07:42:56 AM EST     Build Host: builder16.centos.org
Group       : System Environment/Daemons     Source RPM: httpd-2.2.3-11.el5_2.centos.4.src.rpm
Size        : 2899288                        License: Apache Software License
Signature   : DSA/SHA1, Wed 12 Nov 2008 05:54:31 PM EST, Key ID a8a447dce8562897
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description : The Apache HTTP Server is a powerful, efficient, and extensible web server.

Is there a way to make mod_authnz_ldap search across the 3 LDAP branches where the user information is stored?


--


-----------------------------------------
Tony Stevenson
tony@xxxxxxxxxxx  //  pctony@xxxxxxxxxx
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
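What Tony describes, written out as an added example (it is not from the thread or from the httpd docs): one aliased ldap provider per AD sub-tree, with all three aliases listed on AuthBasicProvider. The SNG and UK domain controller hostnames and the /jmx location are assumptions; on httpd 2.2 (the poster's 2.2.3) the <AuthnProviderAlias> container is supplied by mod_authn_alias, on 2.4 by mod_authn_core.

```apache
# Added example, not configuration from the thread or the httpd docs.
# One ldap provider per AD sub-tree, each given an alias, then all three
# tried in order by AuthBasicProvider. httpd 2.2 needs mod_authn_alias
# loaded for <AuthnProviderAlias>; 2.4 has it in mod_authn_core.
# Hostnames other than nydomain04 and ****** are placeholders.

# Forest root (NY): the search base and bind identity that already work
<AuthnProviderAlias ldap ldap-ny>
    AuthLDAPURL "ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword ******
</AuthnProviderAlias>

# Singapore child domain: query a DC of that domain with that domain's own
# naming context as the base, so no cross-domain referral is involved.
# The space in "Singapore Users" is URL-encoded as %20.
<AuthnProviderAlias ldap ldap-sng>
    AuthLDAPURL "ldap://sngdc01.sng.mycompany.com/OU=Singapore%20Users,DC=sng,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword ******
</AuthnProviderAlias>

# UK child domain, same pattern
<AuthnProviderAlias ldap ldap-uk>
    AuthLDAPURL "ldap://ukdc01.uk.mycompany.com/OU=Accounts,DC=uk,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword ******
</AuthnProviderAlias>

<Location "/jmx">
    AuthType Basic
    AuthName "mycompany Domain"
    # Providers are tried left to right; the first whose search finds the
    # sAMAccountName and whose bind with the supplied password succeeds
    # wins. Put the sub-tree with most users first to save LDAP round trips.
    AuthBasicProvider ldap-ny ldap-sng ldap-uk
    # The mod_authn_core docs note that Require ldap-* does not see the
    # aliased provider's settings, so the JMX_Security ldap-group check
    # from the original configuration cannot just be carried over here;
    # this block only requires a successful authentication.
    Require valid-user
</Location>
```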

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.

