OK folks... I was having some trouble with CentOS not containing mod_auth_ldap as the FCx distros do. I use this to authenticate users via Apache on Linux against my Microsoft ADS for my web apps. At any rate, CentOS does come with mod_authz_ldap, which I had never been able to configure correctly. Through the wonderful world of the Linux community, here are the results of my search, in the thread below.
mod_authz_ldap *can* in fact be configured to work, so there is no need for mod_auth_ldap. mod_authz_ldap does not appear to be as sophisticated as mod_auth_ldap, but it seems to do the trick. Maybe one of our LDAP gurus can comment on some of these things *cough*Mark*cough* if he is familiar with ADS.

I'm going to update my note here: http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt

See below for the thread that helped me get going with mod_authz_ldap.

---------- Forwarded message ----------
From: Lee Garner <[EMAIL PROTECTED]>
Date: Thu, 20 Jan 2005 20:55:25 -0800
Subject: Re: [Centos] in CentOS 3.4, mod_auth_ldap ?
To: CentOS discussion and information list <[EMAIL PROTECTED]>

That's pretty much it. My comments are interspersed below:

David McDowell wrote:

> awesome, if we are open tomorrow (snow storm coming) I shall have to
> try this... I have a couple of embedded questions to help me
> understand it, see comments below! thanks...
>
> my comment/questions are _below_ the item they are related to:
>
> On Thu, 20 Jan 2005 14:15:21 -0800 (PST), [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
>
>> I have mod_authz_ldap working ok. Here's a .htaccess file:
>>
>> AuthName "Authorized Access Only"
>> AuthType Basic
>> AuthzLDAPEngine on
>> AuthzLDAPServer "serverip:389"
>> AuthzLDAPBindDN [EMAIL PROTECTED]
>
> Does AuthzLDAPBindDN need to be the full ADS [EMAIL PROTECTED]

That's the only way I could get it to work. I tried a few variations on
"cn=(name|userid),ou=department,dc=..." and it never worked. In any case,
it does need to be the full name. [EMAIL PROTECTED] worked the easiest.

>> AuthzLDAPBindPassword Ldap_Lookup_password
>> AuthzLDAPUserKey sAMAccountName
>
> So this is where this goes... not blah blah...
> DC=com?sAMAccountName?sub?(objectClass=user)

Yep. I'm not sure if authz_ldap filters on objectClass, I haven't checked.

>> AuthzLDAPUserBase dc=domain,dc=com
>
> With this user base, this will go set it to look at the top of the ADS
> schema? For example, I have an OU = MyCity in case we ever expanded to
> another city I could have another OU for those users.

That's the domain ID, and it would include subordinate OUs (according to
the entry below). I'm sure that you could restrict it somewhat by
specifying ou=mycity,dc=...

>> AuthzLDAPUserScope subtree
>
> and this tells it to search all subordinate OUs in the tree?

Exactly.

>> AuthzLDAPSetAuthorization off
>
> What is AuthzLDAPSetAuthorization off for?

Ah, that's an issue that I found. It's supposed to default to "off", but I
found that with it on, or missing, the user's FQDN is passed to Apache
("cn=fred,ou=finance,dc=company,dc=com"). Authentication still works, but
it messed up some of my programs which rely on REMOTE_USER. With the
setting off, Apache gets only the sAMAccountName ("fred").

>> require group CN=GroupName,CN=Users,DC=domain,DC=com
>
> I can still use "require valid-user" here right?
> require valid-user OU=MyCity,DC=domain,DC=com ??

Yes. I use it for controlling access to network & systems monitoring apps
(Nagios, Cacti, NMIS), so I restrict it to the IT dept.

> Thanks for fielding my questions!! :)
> David McD

No problem. I hope this helps. Stay warm.

Lee.
_______________________________________________
CentOS mailing list
[EMAIL PROTECTED]
http://lists.caosity.org/mailman/listinfo/centos

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
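An added sanity check, written in Python for this page and not code from the thread or from mod_authz_ldap itself: it parses a .htaccess like the one above, flags the pitfalls Lee describes (AuthzLDAPSetAuthorization missing or on, a non-subtree scope, a bind DN not in user@domain form), and reduces a REMOTE_USER value to the bare account name for programs that expect "fred" rather than a DN. The sample file is constructed from the thread's directives with placeholder lookup credentials.

```python
import re

# Constructed sample: the .htaccess from the thread with placeholder values
# (the lookup account and its password are not real).
SAMPLE_HTACCESS = """\
AuthName "Authorized Access Only"
AuthType Basic
AuthzLDAPEngine on
AuthzLDAPServer "serverip:389"
AuthzLDAPBindDN ldaplookup@domain.com
AuthzLDAPBindPassword Ldap_Lookup_password
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserBase dc=domain,dc=com
AuthzLDAPUserScope subtree
AuthzLDAPSetAuthorization off
require group CN=GroupName,CN=Users,DC=domain,DC=com
"""

def parse_directives(text):
    """Map each directive to its value, with surrounding quotes stripped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out[key] = value.strip().strip('"')
    return out

def check_directives(d):
    """Warn about the pitfalls the thread describes; an empty list means OK."""
    warnings = []
    if d.get("AuthzLDAPSetAuthorization", "").lower() != "off":
        warnings.append("AuthzLDAPSetAuthorization missing or not 'off': REMOTE_USER gets the full DN")
    if d.get("AuthzLDAPUserScope", "").lower() != "subtree":
        warnings.append("AuthzLDAPUserScope is not 'subtree': users in subordinate OUs are not found")
    if "@" not in d.get("AuthzLDAPBindDN", ""):
        warnings.append("AuthzLDAPBindDN is not in user@domain form, the form reported to work against AD")
    return warnings

_CN_RE = re.compile(r"^\s*cn=([^,]+)", re.IGNORECASE)

def remote_user_to_account(remote_user):
    """Reduce REMOTE_USER to a bare name: with AuthzLDAPSetAuthorization on or
    missing Apache passes "cn=fred,ou=finance,dc=company,dc=com", with it off
    just "fred". Caveat: in AD the CN is usually the display name and need not
    equal the sAMAccountName, so this is a fallback, not a fix."""
    m = _CN_RE.match(remote_user)
    return m.group(1).strip() if m else remote_user.strip()
```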
