This would probably be more appropriately titled "Active
Directory is not LDAP". I've been trying to get a good Apache 2.2.x to
AD authenticator going, and thought I had it all set with mod_auth_ldap.
And I do... with some major caveats. In the hopes that someone else
has a better solution, or to possibly provide some insight to those
running into strange issues with mod_authnz_ldap and AD, here's what
I've discovered so far:
My environment:
RHEL 4
Apache 2.2.2, using mod_ldap, mod_authnz_ldap, and mod_ssl
Mod_perl 2.0.2
PHP 5.1.2
It turns out that the following setup will work, but that you
might get bitten by what I call an "AD Bug":
<Directory "/data1/webdocs/idriver">
    AllowOverride None
    Order allow,deny
    Allow from #an IP#
    AuthType Basic
    AuthName ": Secure files"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthUserFile /dev/null
    AuthLDAPURL "ldap://yourdc.your.org/OU=Staff,DC=your,DC=org?sAMAccountName?sub?(&(objectclass=user))"
    AuthLDAPBindDN "CN=LDAP Query,OU=Special Accounts,OU=Dept,OU=Staff,DC=your,DC=org"
    AuthLDAPBindPassword <readonly password>
    # group DN deliberately unquoted (see the side note below)
    require ldap-group CN=Domain Users,CN=Users,DC=lib,DC=usf,DC=edu
    # "satisfy any": requests from the allowed IP skip the LDAP check entirely
    satisfy any
</Directory>
This will work as expected, provided that the user attempting to
authenticate does not have "Domain Users" set as his/her "Default
Group". And if you change it, it usually takes about 15 minutes to
kick in.
Side note: Do not quote-escape the group listed after
"ldap-group" in the "require" line - it will break authentication.
You might be thinking at this point "That's not right". Well,
that's what I think, but it's what I've observed so far. If you Google
for ldap and "active directory" you should come across a page somewhere
along the line which tells you how to export your AD to the equivalent
of an LDIF file (basically, a text representation of your AD/LDAP
directory). If you search through that, you'll find (or at least I did)
the following:
- For a user's entry, in their list of groups, there is no entry for their
  default group (at least this was the case for the users I looked at).
- For a group's entry, you won't find any(?) user who has the group in
  question as their default group (again, this was the case for the
  users I looked at).
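The "AD bug" above, both the ldap-group check and the LDIF observation, as an added Python example that is not part of the original post: constructed LDIF-style entries for a hypothetical your.org domain, with the member-attribute test mod_authnz_ldap performs (AuthLDAPGroupAttributeIsDN on, the default) beside one that also honours the primary group AD records only as a RID in primaryGroupID.

```python
# Constructed LDIF-style entries (not a real directory export). AD records a
# user's primary group only as a RID in primaryGroupID; that group is missing
# from the user's memberOf and from the group's member list.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=your,DC=org
objectClass: user
sAMAccountName: alice
primaryGroupID: 513
memberOf: CN=Web Editors,OU=Groups,DC=your,DC=org

dn: CN=Domain Users,CN=Users,DC=your,DC=org
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513
member: CN=Bob,OU=Staff,DC=your,DC=org

dn: CN=Web Editors,OU=Groups,DC=your,DC=org
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1105
member: CN=Alice,OU=Staff,DC=your,DC=org
"""


def parse_ldif(text):
    """Map each DN to a dict of attribute -> list of values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def member_attribute_check(entries, user_dn, group_dn):
    """The test `require ldap-group` makes: is the user's DN a value of member?"""
    return user_dn in entries[group_dn].get("member", [])


def effective_group_check(entries, user_dn, group_dn):
    """Same test, plus the primary group: primaryGroupID equals the group's RID."""
    if member_attribute_check(entries, user_dn, group_dn):
        return True
    group_rid = entries[group_dn]["objectSid"][0].rsplit("-", 1)[1]
    return entries[user_dn].get("primaryGroupID", [None])[0] == group_rid
```

Alice's primary group is Domain Users, so the member-attribute test denies her while the RID-aware test admits her; Bob, an explicit member, passes both.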
Feel free to start a discussion, provide insight/commentary, or
ignore as usual.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.