|
We are trying to allow Apache to authenticate users to a
certain site based on being in one of 3 OU designations in AD. 3. A specific client OU (Client ABC in our example) 1. Service Accounts 2. Internal Support We have set up 3 “AuthnProviderAlias”
directives. Notably, all the alias definitions use the same
AuthLDAPBindDN, AuthLDAPBindPassword and only slight changes to the ”
AuthLDAPURL” specifying the OU for each grouping. <AuthnProviderAlias ldap CLIENT_ABC> AuthLDAPBindDN "<Same as
above>" AuthLDAPBindPassword "test" AuthLDAPURL
“ldap://util.joesgarage.com:3268/OU=Client
ABC,OU=External,OU=ALL_Users,DC=joesgarage,DC=com?sAMAccountName?sub?(objectClass=user)” </AuthnProviderAlias> <AuthnProviderAlias ldap SERVICE_ACCOUNTS> AuthLDAPBindDN "<An admin user DN that
can bind/search>" AuthLDAPBindPassword "test" AuthLDAPURL
ldap://util.joesgarage.com:3268/OU=SERVICE ACCOUNTS,OU=Internal,OU=ALL_Users,DC=joesgarage,DC=com?sAMAccountName?sub?(objectClass=user)" </AuthnProviderAlias> <AuthnProviderAlias ldap INTERNAL_SUPPORT> AuthLDAPBindDN "<Same as
above>" AuthLDAPBindPassword "test" AuthLDAPURL “ldap://util.joesgarage.com:3268/OU=INTERNAL
SUPPORT,OU=Internal,OU=ALL_Users,DC=joesgarage,DC=com?sAMAccountName?sub?(objectClass=user)” </AuthnProviderAlias> Our “Directory” directive is set to try each of
these aliases (different OUs in the same directory) in order until a match is
found: <Directory “/var/www/html/Client_ABC/”> … AuthBasicProvider CLIENT_ABC SERVICE_ACCOUNTS
INTERNAL_SUPPORT AuthType Basic AuthName “Client ABC Login” AuthzLDAPAuthoritative off Require valid-user </Directory> This doesn’t seem to work. I know your thinking –
“why not just use groups”? Ans: Simply because we don’t
want to have to maintain groups for our many clients. We would like to
rely on the client user’s presence in the OU (and allow our service
accounts and support personnel at the same time to all sites) Is this a bug or is there a better way to accomplish this? Regards, Brian |
|