awesome Lee! Thank you! I've updated my notes here:
http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt

take care,
David McD

On Thu, 20 Jan 2005 20:55:25 -0800, Lee Garner <lee@xxxxxxxxxxxxx> wrote:
> That's pretty much it. My comments are interspersed below:
>
> David McDowell wrote:
>
> >awesome, if we are open tomorrow (snow storm coming) I shall have to
> >try this... I have a couple of embedded questions to help me
> >understand it, see comments below! thanks...
> >
> >my comments/questions are _below_ the item they are related to:
> >
> >On Thu, 20 Jan 2005 14:15:21 -0800 (PST), lee@xxxxxxxxxxxxx
> ><lee@xxxxxxxxxxxxx> wrote:
> >
> >>I have mod_authz_ldap working ok. Here's a .htaccess file:
> >>
> >>AuthName "Authorized Access Only"
> >>AuthType Basic
> >>AuthzLDAPEngine on
> >>AuthzLDAPServer "serverip:389"
> >>AuthzLDAPBindDN ldap_lookup@xxxxxxxxxx
> >>
> >Does AuthzLDAPBindDN need to be the full ADS username@xxxxxxxxxx?
> >
> That's the only way I could get it to work. I tried a few variations on
> "cn=(name|userid),ou=department,dc=..." and it never worked. In any
> case, it does need to be the full name. user@domain worked the easiest.
>
> >>AuthzLDAPBindPassword Ldap_Lookup_password
> >>AuthzLDAPUserKey sAMAccountName
> >>
> >So this is where this goes... not blah blah...
> >DC=com?sAMAccountName?sub?(objectClass=user)
> >
> Yep. I'm not sure if authz_ldap filters on objectClass, I haven't checked.
>
> >>AuthzLDAPUserBase dc=domain,dc=com
> >>
> >With this user base, this will go set it to look at the top of the ADS
> >schema? For example, I have an OU = MyCity in case we ever expanded to
> >another city I could have another OU for those users.
> >
> That's the domain ID, and it would include subordinate OUs (according to
> the entry below). I'm sure that you could restrict it somewhat by
> specifying ou=mycity,dc=...
>
> >>AuthzLDAPUserScope subtree
> >>
> >and this tells it to search all subordinate OUs in the tree?
> >
> Exactly.
>
> >>AuthzLDAPSetAuthorization off
> >>
> >What is AuthzLDAPSetAuthorization off for?
> >
> Ah, that's an issue that I found. It's supposed to default to "off",
> but I found that with it on, or missing, the user's FQDN is passed to
> Apache ("cn=fred,ou=finance,dc=company,dc=com"). Authentication still
> works, but it messed up some of my programs which rely on REMOTE_USER.
> With the setting off, Apache gets only the sAMAccountName ("fred").
>
> >>require group CN=GroupName,CN=Users,DC=domain,DC=com
> >>
> >I can still use "require valid-user" here right?
> >require valid-user OU=MyCity,DC=domain,DC=com ??
> >
> Yes. I use it for controlling access to network & systems monitoring
> apps (Nagios, Cacti, NMIS), so I restrict it to the IT dept.
>
> >Thanks for fielding my questions!! :)
> >David McD
> >
> No problem. I hope this helps. Stay warm.
>
> Lee.
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxxx
> http://lists.caosity.org/mailman/listinfo/centos
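Lee's point about AuthzLDAPSetAuthorization is that the applications behind Apache see REMOTE_USER either as the bare sAMAccountName ("fred") or as a full DN, depending on that setting. The helper below is an added example, not code from the thread or from mod_authz_ldap: it reduces either form to one normalized account name and returns None for anything it cannot parse, so a downstream CGI that keys its own access decisions on REMOTE_USER fails closed instead of matching a garbled value. The sample REMOTE_USER values in the comments are constructed.

```python
"""Normalize REMOTE_USER as set by mod_authz_ldap to a bare account name.

With AuthzLDAPSetAuthorization on (or absent) Apache passes the user's
full DN, e.g. "cn=fred,ou=finance,dc=company,dc=com"; with it off, only
the sAMAccountName ("fred"). Code that relies on REMOTE_USER should
accept both and compare the same canonical form.
"""
import os
import re

# One leading RDN "attr=value"; the value may hold backslash-escaped
# characters per RFC 4514 (e.g. "cn=Smith\, John,ou=...").
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*((?:\\.|[^,\\])*)")

# Characters Active Directory does not permit in a sAMAccountName.
_FORBIDDEN_RE = re.compile(r'["/\\\[\]:;|=,+*?<>]')


def first_rdn_value(dn):
    """Unescaped value of the leading RDN of an LDAP DN, or None."""
    m = _RDN_RE.match(dn)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(2)).strip()


def account_name(remote_user):
    """Reduce REMOTE_USER to a lower-cased account name, or None.

    Accepts "fred" or "cn=fred,ou=finance,dc=company,dc=com". Note that
    in AD the CN of a user object need not equal its sAMAccountName, so
    the DN branch is a best-effort fallback; the reliable setup is the
    one Lee describes, with AuthzLDAPSetAuthorization off.
    """
    if not remote_user:
        return None
    value = remote_user.strip()
    if "=" in value:                      # DN form: take the leading RDN
        value = first_rdn_value(value)
        if value is None:
            return None
    # sAMAccountName is at most 20 characters and excludes the set above.
    if not value or len(value) > 20 or _FORBIDDEN_RE.search(value):
        return None
    return value.lower()


def current_user():
    """Account name of the user Apache authenticated, from the CGI env."""
    return account_name(os.environ.get("REMOTE_USER"))
```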