<br><font size=2 face="sans-serif">Here is our configuration in /etc/httpd/conf.d/hobbit-apache.conf
that allows us to authenticate against AD. Took a lot of searching
to find the solution, which was pretty obscure, so hopefully this helps.
I've removed the default comments, so you may want to put them back
or have your own.</font>
<br>
<br><font size=2 face="sans-serif">Note the "AuthzLDAPAuthoritative
Off" ... that was the kicker in getting it all to play nice.</font>
<br>
<br><font size=2 face="sans-serif"><Directory "<xymon_install_path>/cgi-secure"></font>
<br><font size=2 face="sans-serif"> AllowOverride None</font>
<br><font size=2 face="sans-serif"> Options ExecCGI Includes</font>
<br><font size=2 face="sans-serif"> Order allow,deny</font>
<br><font size=2 face="sans-serif"> Allow from all</font>
<br><font size=2 face="sans-serif"> AuthType Basic</font>
<br><font size=2 face="sans-serif"> AuthBasicProvider ldap</font>
<br><font size=2 face="sans-serif"> AuthGroupFile <absolute_path_to_group_file></font>
<br><font size=2 face="sans-serif"> AuthLDAPURL "ldap://<ip_address>/dc=example,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"</font>
<br><font size=2 face="sans-serif"> AuthName "Xymon Admin
- Use your Windoze password"</font>
<br><font size=2 face="sans-serif"> AuthzLDAPAuthoritative
off</font>
<br><font size=2 face="sans-serif"> Require valid-user</font>
<br><font size=2 face="sans-serif"> Require group <defined_inside_of_AuthGroupFile></font>
<br><font size=2 face="sans-serif"> AuthLDAPBindDN
"CN=_<BindUser>,OU=<Org>,OU=<Another_Org>,DC=example,DC=domain,DC=com"</font>
<br><font size=2 face="sans-serif"> AuthLDAPBindPassword
"<something_unwieldy>"</font>
<br><font size=2 face="sans-serif"></Directory></font>
<br>
<br><font size=2 face="sans-serif">Unix System Administrator<br>
Computer Science Corporation<br>
General Dynamics Land Systems<br>
38500 Mound Rd.<br>
Sterling Heights, MI. 48310<br>
Desk: (586) 825-8294<br>
Oracle IM: moldvanm<br>
<br>
This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. <br>
NOTE: Regardless of content, this e-mail shall not operate to bind CSC
to any order or other contract unless pursuant to explicit written agreement
or government initiative expressly permitting the use of e-mail for such
purpose.</font>
<br>
<br>
<br>
<table width=100%>
<tr>
<td><img src=cid:_1_0943498C094345A40078A03685257672>
<td width=100%>
<table width=100%>
<tr valign=top>
<td width=100%><font size=2 face="sans-serif"><b>RE: [hobbit] Password
Protected Areas?</b></font></table>
<br>
<table width=100%>
<tr>
<td><font size=2 color=#e26200 face="sans-serif"><b>wiskbroom </b></font>
<td><font size=2 color=#8f8f8f face="sans-serif">to:</font>
<td><font size=2 face="sans-serif">hobbit</font>
<td>
<div align=right><font size=1 face="sans-serif">11/13/2009 08:13 AM</font></div></table>
<br>
<table width=100%>
<tr>
<td><font size=1 face="sans-serif"><b>Please respond to hobbit</b></font>
<td>
<div align=right></div></table>
<br></table>
<br>
<br>
<hr>
<br>
<br>
<br><font size=2 face="Verdana">Thank you Henrik!<br>
<br>
> To: hobbit@hswn.dk<br>
> From: henrik@hswn.dk<br>
> Date: Fri, 13 Nov 2009 09:34:00 +0000<br>
> Subject: Re: [hobbit] Password Protected Areas?<br>
> <br>
> In <BAY133-W98025609B24B9A43D30FBB4AA0@phx.gbl> <wiskbroom>
writes:<br>
> <br>
> >Really? You know of a way in which I can auth against AD and based
on<br>
> >page/pages in apache?<br>
> <br>
> Pages and subpages are just physical directories below ~hobbit/server/www/<br>
> so you can setup standard Apache "<Directory ...>"
definitions to impose<br>
> access restrictions.<br>
> <br>
> As for authenticating against an AD, you must use the Apache mod_auth_ldap<br>
> module. If you google "apache auth active directory" it
should give you<br>
> some hints.<br>
> <br>
> <br>
> Regards,<br>
> Henrik<br>
</font>
<br>