Hi, I have been reading the list archives and searching the web for how to configure Apache to authenticate users using Active Directory, but I think I may be missing some obvious points. Hopefully someone can explain what I'm missing.

Apache is running on the only Linux machine in a Windows network. (Fedora 10.) There is a domain controller which runs Active Directory and is reachable by LDAP (port 389).

What I want is that when someone views the Apache-hosted web site, they are prompted to enter a username and password. These credentials are then checked against Active Directory, and if they do not match an existing Windows user account then access is denied. (If they do match then access can be restricted based on a list of allowed usernames.)

I know it is possible to use Kerberos for this but I expected that connecting to AD would be simpler. However, docs such as <http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html> imply that Apache connects to the LDAP server using a fixed username and password, and then merely queries the existence of an object in the directory that matches the username. If so, how does it check the password supplied by the user? Or is mod_authnz_ldap intended just for authorization once the user has already been authenticated by some other means?

The thing is, the authentication to Active Directory itself does exactly what I want. If I could configure Apache to connect to AD over LDAP using the username and password given by the user, and allow or deny access based on that, there would be no need to issue a directory query. But I guess that's not how it works?

(I am trying to set up mod_authnz_ldap following those instructions but I don't know how to make the right LDAP search string. If I use the Active Directory Browser (adb.sourceforge.net) giving 'DC=wcl,DC=local' as the base DN then I can see 'WCL Logins' and under that 'WCL Users' which contains the user objects. I have been using Perl's Net::LDAP module to try to find the correct search filter string before putting it into httpd.conf. However, specifying a DN 'CN=WCL Users,CN=WCL Logins,DC=wcl,DC=local' does not work. Any suggestions?)

--
Ed Avis <eda@xxxxxxxxxxxxx>
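
How mod_authnz_ldap checks the user's password, as an added example that is not part of the original post: the module uses the fixed AuthLDAPBindDN account only to search for the user's entry, then binds a second time as the DN it found, using the password the browser supplied, and the outcome of that second bind decides authentication. The host name dc1.wcl.local, the account svc-apache, the password placeholder, the certificate path and the user names alice and bob are assumptions; the base DN is the one given in the post.

```apache
# Added example for Apache 2.2 with mod_ldap and mod_authnz_ldap loaded.
# Assumed values: dc1.wcl.local, svc-apache, the CA path, alice, bob.

# Server-level: CA certificate used to verify the domain controller for STARTTLS.
# Without TLS, both the service password and each user's password cross the
# network in clear text on port 389.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/PLACEHOLDER-ad-ca.pem

<Location "/">
    # Basic auth also sends the password from browser to Apache on every
    # request, so the site itself should be served over HTTPS.
    AuthType Basic
    AuthName "WCL intranet"
    AuthBasicProvider ldap

    # Phase 1 (search): start at the base DN from the post, search the whole
    # subtree, and match the typed login name against sAMAccountName.
    AuthLDAPURL "ldap://dc1.wcl.local:389/DC=wcl,DC=local?sAMAccountName?sub?(objectClass=user)" STARTTLS

    # Low-privilege account used only for the phase 1 search. Active Directory
    # normally refuses anonymous searches, which is why a fixed account appears.
    AuthLDAPBindDN "svc-apache@wcl.local"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    # Phase 2 (bind) needs no directive: mod_authnz_ldap re-binds as the DN
    # returned by the search, with the password the user typed. A failed bind
    # means a 401, so the password is verified by Active Directory itself.

    # Authorization: only these accounts get in after a successful bind.
    # "Require valid-user" would admit any account that authenticates.
    AuthzLDAPAuthoritative on
    Require ldap-user alice bob
</Location>
```

Because the search uses subtree scope from the domain root, the containers under it do not have to be named in the URL.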