[hobbit] securing access Active Directory

Andy France Andy at zespri.com
Tue Apr 19 23:53:20 CEST 2005 






Hi John,


"Milburn, John A." wrote on 15/04/2005 07:18:37:

> This worked for Windows 2000. It also worked for Windows  2003 if
> the search base was not the root of the domain.
>
> I found that if you authenticate against a Global  Catalogue, it
> works for both.
>
>
> #Directory for Hobbit maintenance
> ScriptAlias  /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
> <Directory  /usr/local/hobbit/cgi-secure>
>     AllowOverride  None
>     Options ExecCGI  Includes
>     Order allow,deny
>     Allow from  all
>     AuthAuthoritative On
>      AuthLDAPCompareDNOnServer on
>     AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?
> sAMAccountName?sub?(objectClass=user)
>      AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
>      AuthLDAPBindPassword HobbitUserPassword
>     AuthType  Basic
>     AuthName "Enter your Windows logon  name/Password"
>     require group  CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
> </Directory>
>
> Setting "AuthAuthoritative Off" should allow other modules  to
> authenticate users if ldap fails. I haven't tried this  yet.


I've modified this to match my own AD configuration, but I'm still not
having any luck :-(

My apache install includes the ldap_module.so and auth_ldap_module.so files
- should these work OK by themselves, or do I need to install further
OpenLDAP libraries?  Running ldd on these files doesn't indicate any
special requirements.


> From: Taylor, Robert  [mailto:Robert.Taylor at HendrickAuto.com]
> Sent: Monday, April 04, 2005  7:36 AM
> To: hobbit at hswn.dk
> Subject: RE: [hobbit] securing  access
>
> There was a post a few  days back with an LDAP configuration.  I was
> able to change a few things  around a get that to work with our MS
> Active Directory to validate  usernames/passwords for access on a RH
> EL 3.0 box.
>
>
>
> Here is the config for  my Apache server.  It effectively let’s
> anyone access from the internal  10.x.x.x network and then requires
> a valid username/password for anyone  accessing via the Web.
>
>
>
> <Directory  "/var/www/html">
>      AllowOverride None
>      Order Deny,Allow
>      AuthType Basic
>      AuthName "<Something to display in dialog>"
>      AuthzLDAPEngine on
>      AuthzLDAPServer <IP Address of LDAP  Server>:389
>      AuthzLDAPUserKey sAMAccountName
>      AuthzLDAPBindDN <valid LDAP Username for binding to  server>
>      AuthzLDAPBindPassword <LDAP password for username  above>
>      AuthzLDAPUserBase dc=<something>,dc=<something .com, .local,
.net  etc…>
>      AuthzLDAPUserScope subtree
>      Deny  from all
>      Satisfy any
>      Require valid-user
>      Allow from 10.
>
> </Directory>
>
>
>
> Standard disclaimer  would be that I am no Apache expert and this
> took me FOREVER to get working  right, but it seems to be okay now.
>
>
>
> Robert
>
>
>
>
>
> From:David  Garaway [mailto:dave at auctionhelper.com]
> Sent: Monday, April 04, 2005 3:29  AM
> To:  hobbit at hswn.dk
> Subject:  [hobbit] securing access
>
>
>
> Does anyone know how to lock the  whole hobbit page down? I have a
> friend that would like to be able to get to  the page from anywhere
> but wants something like htaccess. Before  I  started mucking around
> with apache to try to get this working I  thought I would see if
> anyone has done  this.
>
>
>
> Thanks,
>
> Dave
>
>
#####################################################################################

This email is intended for the person to whom it is addressed
only. If you are not the intended recipient, do not read, copy
or use the contents in any way. The opinions expressed may not
necessarily reflect those of ZESPRI Group of Companies ('ZESPRI').

While every effort has been made to verify the information
contained herein, ZESPRI does not make any representations 
as to the accuracy of the information or to the performance
of any data, information or the products mentioned herein.
ZESPRI will not accept liability for any losses, damage or
consequence, however, resulting directly or indirectly from
the use of this e-mail/attachments.
#####################################################################################

More information about the Xymon mailing list