Hi,
Mike Williams wrote:
> On Thursday 12 April 2007 06:13:44 Wolfgang Liebich wrote:
>> OK - it is in testing. Has anyone here experiences on how stable it is
>> to run? Maybe I need it b/c of a new auth module
>> which does not seem to be available in apache 2.0.58...
>
> Oddly enough...
> http://archives.gentoo.org/gentoo-server/msg_11696.xml
>
> (I've not used the auth modules though)
Thank you all for your answers. I will try to press forward with apache
2.2.4. The reason I need it is that I need to authenticate/authorize users
against a Windows ActiveDirectory domain. This is done using LDAP. Until
now we only had users coming from one OU served by our DC, so that
setup worked w/o a hitch. BUT now we have gotten a user from a different
OU, and ... well, I could not get mod_auth_ldap to look up the user from
a BaseDN one level up (BUT searching the user via "ldapsearch" cmdline
worked - IDGI....).
Apache's "own" mod_auth_ldap (which you get with USE="ldap") didn't
work, either.
SO I decided to go forward to apache 2.2.4 and use 2 LDAP
authentication instances, each with a working BaseDN pointing to the
wanted OU (same server, only the most specific OU in the BaseDN
different) and unify them with mod_authn_alias. For simplicity I used
apache's own mod_authnz_ldap.
This setup seems to work, with some caveats:
- You have to mark both LDAP auth module configurations with
AuthzLDAPAuthoritative=off
- If you want to restrict access to your site to users belonging to a
specified group, you cannot just use mod_authnz_ldap's "require
ldap-group" feature b/c the module doing authorization checks is
mod_authn_alias -- which has NO idea what "require ldap-group" means.
Sigh. BUT:
 -- you can do some evil tricks with the ldap URL to fake this "require
ldap-group" trick: You modify the search string (the last part of the
LDAP url) to something like
   "(&(<original part, e.g. 'objectType=*'>)(memberOf=<DN of the user
group>))". This has the effect that users not belonging to your wanted
group are just not found.
 This is NOT the same as saying "users not in this group are not
AUTHORIZED", but it is a working fake.

Well, I've got a working system this way, therefore my boss will
probably ask me to stop researching further :-).
But I'm not totally satisfied with the current solution, b/c
- I still don't get the REASON why the ldap auth modules can't find the
user(s) but ldapsearch can.
- The solution is ugly :-) Seriously - I want to be able to use a single
authn/authz provider. Maybe mod_auth_kerberos would be better?
- Earlier on I looked into mod_auth_pam (for
authentication/authorization against our NIS/YP domain). BUT I didn't
use it b/c it seemed to REQUIRE that apache gets read access to
/etc/shadow. WHY? If I use pam+NIS, the local shadow pwd file should
never need to be read, right? (Also a fellow sysadmin cautioned me
against mod_auth_pam b/c he claimed it to be rather dead - i.e. not
developed further).
Comments/Experiences would be very welcome!
Ciao,
Wolf"english is NOT my native tongue:-("gang
-- 
[EMAIL PROTECTED] mailing list
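The two-OU setup described in the mail above, written out as an Apache 2.2 configuration. This is an added example, not the poster's actual config; the host name, OUs, bind account, group DN and Location are placeholders, and AD's objectClass is used where the mail writes "objectType".

```apache
# Added example, not from the original mail: two ldap providers (one per OU)
# unified with mod_authn_alias, with the memberOf filter trick from the mail.
# dc.example.com, the OUs, the bind DN and the group DN are placeholders.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authn_alias_module modules/mod_authn_alias.so

# The two URLs differ only in the most specific OU of the BaseDN. The filter
# (last part of the URL) is extended with memberOf=<group DN>, so users outside
# the group are simply never found by the search.
<AuthnProviderAlias ldap ldap-sales>
    AuthLDAPURL "ldap://dc.example.com/OU=Sales,DC=example,DC=com?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=com))"
    AuthLDAPBindDN       "CN=apache-bind,OU=Service,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-eng>
    AuthLDAPURL "ldap://dc.example.com/OU=Engineering,DC=example,DC=com?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=com))"
    AuthLDAPBindDN       "CN=apache-bind,OU=Service,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"
</AuthnProviderAlias>

<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    # Providers are tried in order; a user the first one does not find
    # falls through to the second.
    AuthBasicProvider ldap-sales ldap-eng
    # Off, so that a Require directive mod_authnz_ldap cannot satisfy is
    # passed on to other authorization modules (mod_authz_user handles
    # valid-user) instead of ending in a denial. The mail sets this on both
    # LDAP configurations; it is consulted where the request is authorized.
    AuthzLDAPAuthoritative off
    # "Require ldap-group" is not usable with the aliased providers. Group
    # membership is enforced only by the memberOf term in the filters above,
    # which is a search restriction, not an authorization decision: anyone
    # the search does find is accepted here.
    Require valid-user
</Location>
```

Because the group check lives in the search filter, a mistake in the filter (a mistyped group DN, say) does not fail closed at the authorization stage; check the LDAP query Apache sends at LogLevel debug when testing this.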