That's pretty much it. My comments are interspersed below:

David McDowell wrote:

> awesome, if we are open tomorrow (snow storm coming) I shall have to
> try this... I have a couple of embedded questions to help me
> understand it, see comments below! thanks...
>
> my comment/questions are _below_ the item they are related to:
>
> On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee@xxxxxxxxxxxxx
> <lee@xxxxxxxxxxxxx> wrote:
>
>> I have mod_authz_ldap working ok. Here's a .htaccess file:
>>
>> AuthName "Authorized Access Only"
>> AuthType Basic
>> AuthzLDAPEngine on
>> AuthzLDAPServer "serverip:389"
>> AuthzLDAPBindDN ldap_lookup@xxxxxxxxxx
>
> Does AuthzLDAPBindDN need to be the full ADS username@xxxxxxxxxx?

That's the only way I could get it to work. I tried a few variations on
"cn=(name|userid),ou=department,dc=..." and it never worked. In any case,
it does need to be the full name. user@domain worked the easiest.

>> AuthzLDAPBindPassword Ldap_Lookup_password
>> AuthzLDAPUserKey sAMAccountName
>
> So this is where this goes... not blah blah...
> DC=com?sAMAccountName?sub?(objectClass=user)

Yep. I'm not sure if authz_ldap filters on objectClass, I haven't checked.

>> AuthzLDAPUserBase dc=domain,dc=com
>
> With this user base, this will go set it to look at the top of the ADS
> schema? For example, I have an OU = MyCity in case we ever expanded to
> another city I could have another OU for those users.

That's the domain ID, and it would include subordinate OUs (according to
the entry below). I'm sure that you could restrict it somewhat by
specifying ou=mycity,dc=...

>> AuthzLDAPUserScope subtree
>
> and this tells it to search all subordinate OUs in the tree?

Exactly.

>> AuthzLDAPSetAuthorization off
>
> What is AuthzLDAPSetAuthorization off for?

Ah, that's an issue that I found. It's supposed to default to "off", but I
found that with it on, or missing, the user's FQDN is passed to Apache
("cn=fred,ou=finance,dc=company,dc=com"). Authentication still works, but
it messed up some of my programs which rely on REMOTE_USER. With the
setting off, Apache gets only the sAMAccountName ("fred").

>> require group CN=GroupName,CN=Users,DC=domain,DC=com
>
> I can still use "require valid-user" here right?
> require valid-user OU=MyCity,DC=domain,DC=com ??

Yes. I use it for controlling access to network & systems monitoring apps
(Nagios, Cacti, NMIS), so I restrict it to the IT dept.

> Thanks for fielding my questions!! :)
> David McD

No problem. I hope this helps. Stay warm.

Lee.
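Two points in the thread above are worth seeing in code: the sAMAccountName lookup filter that mod_authz_ldap runs for the user, and the fact that REMOTE_USER arrives as a full DN ("cn=fred,ou=finance,dc=company,dc=com") when AuthzLDAPSetAuthorization is on or missing, but as the bare account name ("fred") when it is off. The following is an added example written for this page, not code from the thread, from mod_authz_ldap or from any of the apps Lee mentions. It assumes a downstream application that keys authorization on REMOTE_USER and wants to (a) accept either form without trusting the string blindly and (b) build the equivalent user-lookup filter with RFC 4515 escaping so a username can never alter the filter. The sample REMOTE_USER values and the sAMAccountName character whitelist are constructed assumptions.

```python
import re

# Constructed sample values: the two forms of REMOTE_USER described in the thread.
REMOTE_USER_AS_DN = "cn=fred,ou=finance,dc=company,dc=com"   # AuthzLDAPSetAuthorization on/missing
REMOTE_USER_AS_SAM = "fred"                                  # AuthzLDAPSetAuthorization off

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(account: str) -> str:
    """Filter equivalent to the thread's sAMAccountName lookup with an objectClass=user guard.

    The account name is escaped, so a value such as "fr*d)(cn=*" cannot widen the search.
    """
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(account)}))"


# Conservative whitelist (assumption for this example): AD limits sAMAccountName to
# 20 characters; we additionally restrict the character set to what our apps expect.
_SAM_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")

# RDN attributes we are willing to read an account name from when REMOTE_USER is a DN.
_ACCEPTED_RDN_ATTRS = ("cn", "samaccountname", "uid")


def extract_account_name(remote_user: str) -> str:
    """Return the bare account name whether REMOTE_USER is a DN or already bare.

    Raises ValueError for anything that does not look like a sAMAccountName, so an
    application never keys authorization decisions on an unexpected string.
    """
    value = remote_user.strip()
    if "=" in value:
        # Looks like a DN: take the value of the leading RDN ("cn=fred" in the thread's
        # example). Splitting on "," is a simplification that assumes no escaped commas
        # in the RDN value; a full DN parser would be needed for arbitrary directories.
        first_rdn = value.split(",", 1)[0]
        attr, _, rdn_value = first_rdn.partition("=")
        if attr.strip().lower() not in _ACCEPTED_RDN_ATTRS:
            raise ValueError(f"unexpected leading RDN attribute: {attr!r}")
        value = rdn_value.strip()
    if not _SAM_RE.match(value):
        raise ValueError(f"not a plausible sAMAccountName: {value!r}")
    return value


if __name__ == "__main__":
    for raw in (REMOTE_USER_AS_DN, REMOTE_USER_AS_SAM):
        account = extract_account_name(raw)
        print(f"{raw!r:45} -> account={account!r}  filter={build_user_filter(account)}")
```

Normalizing REMOTE_USER this way makes an application indifferent to the AuthzLDAPSetAuthorization setting, while the whitelist means a surprising value (a different RDN attribute, or characters outside the expected set) fails closed rather than being silently used as an identity.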