RE: [hobbit] securing access Active Directory

Hi John,


"Milburn, John A." wrote on 15/04/2005 07:18:37:

> This worked for Windows 2000. It also worked for Windows 2003 if
> the search base was not the root of the domain.
>
> I found that if you authenticate against a Global Catalogue, it
> works for both.
>
>
> #Directory for Hobbit maintenance
> ScriptAlias /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
> <Directory /usr/local/hobbit/cgi-secure>
>     AllowOverride None
>     Options ExecCGI Includes
>     Order allow,deny
>     Allow from all
>     AuthAuthoritative On
>     AuthLDAPCompareDNOnServer on
>     AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)
>     AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
>     AuthLDAPBindPassword HobbitUserPassword
>     AuthType Basic
>     AuthName "Enter your Windows logon name/Password"
>     require group CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
> </Directory>
>
> Setting "AuthAuthoritative Off" should allow other modules to
> authenticate users if ldap fails. I haven't tried this yet.


I've modified this to match my own AD configuration, but I'm still not
having any luck :-(

My apache install includes the ldap_module.so and auth_ldap_module.so files
- should these work OK by themselves, or do I need to install further
OpenLDAP libraries? Running ldd on these files doesn't indicate any
special requirements.


> From: Taylor, Robert [mailto:Robert.Taylor (at) HendrickAuto.com]
> Sent: Monday, April 04, 2005 7:36 AM
> To: hobbit (at) hswn.dk
> Subject: RE: [hobbit] securing access
>
> There was a post a few days back with an LDAP configuration. I was
> able to change a few things around and get that to work with our MS
> Active Directory to validate usernames/passwords for access on a RH
> EL 3.0 box.
>
>
>
> Here is the config for my Apache server. It effectively let's
> anyone access from the internal 10.x.x.x network and then requires
> a valid username/password for anyone accessing via the Web.
>
>
>
> <Directory "/var/www/html">
>     AllowOverride None
>     Order Deny,Allow
>     AuthType Basic
>     AuthName "<Something to display in dialog>"
>     AuthzLDAPEngine on
>     AuthzLDAPServer <IP Address of LDAP Server>:389
>     AuthzLDAPUserKey sAMAccountName
>     AuthzLDAPBindDN <valid LDAP Username for binding to server>
>     AuthzLDAPBindPassword <LDAP password for username above>
>     AuthzLDAPUserBase dc=<something>,dc=<something .com, .local, .net etc...>
>     AuthzLDAPUserScope subtree
>     Deny from all
>     Satisfy any
>     Require valid-user
>     Allow from 10.
>
> </Directory>
>
>
>
> Standard disclaimer would be that I am no Apache expert and this
> took me FOREVER to get working right, but it seems to be okay now.
>
>
>
> Robert
>
>
>
>
>
> From: David Garaway [mailto:dave (at) auctionhelper.com]
> Sent: Monday, April 04, 2005 3:29 AM
> To: hobbit (at) hswn.dk
> Subject: [hobbit] securing access
>
>
>
> Does anyone know how to lock the whole hobbit page down? I have a
> friend that would like to be able to get to the page from anywhere
> but wants something like htaccess. Before I started mucking around
> with apache to try to get this working I thought I would see if
> anyone has done this.
>
>
>
> Thanks,
>
> Dave
>
>
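Added example, not part of the original thread and not code from Hobbit or Apache: a small parser for the `AuthLDAPURL` form quoted above (`ldap://host:port/basedn?attribute?scope?filter`), showing which server, base DN and search filter that line asks for, which helps when adapting it to another AD layout. The function names and the login `jsmith` are illustrative; the defaults follow the mod_auth_ldap documentation, and the RFC 4515 escaping is this example's choice, not necessarily the module's own.

```python
from urllib.parse import urlsplit, unquote

# 3268/3269 are the Active Directory Global Catalog ports; 389/636 serve one domain.
PORT_ROLE = {389: "LDAP", 636: "LDAPS", 3268: "Global Catalog", 3269: "Global Catalog (SSL)"}
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into named parts."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORT or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    # Pad so that missing trailing fields fall back to the documented defaults.
    fields = parts.query.split("?") + ["", "", ""]
    attribute, scope, ldap_filter = (unquote(f) for f in fields[:3])
    scope = scope or "sub"
    if scope not in ("one", "sub", "base"):
        raise ValueError("unknown scope: %r" % scope)
    # Drop one pair of outer parentheses so the filter can be re-wrapped below.
    if ldap_filter.startswith("(") and ldap_filter.endswith(")"):
        ldap_filter = ldap_filter[1:-1]
    port = parts.port or DEFAULT_PORT[parts.scheme]
    return {
        "host": parts.hostname, "port": port,
        "role": PORT_ROLE.get(port, "non-standard port"),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": ldap_filter or "objectClass=*",
    }

def user_search(url, login):
    """Return (base DN, scope, filter) of the lookup made for one login name."""
    cfg = parse_auth_ldap_url(url)
    flt = "(&(%s)(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(login))
    return cfg["base_dn"], cfg["scope"], flt

if __name__ == "__main__":
    # URL from the configuration quoted in the thread; "jsmith" is a constructed login.
    url = "ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)"
    print(parse_auth_ldap_url(url))
    print(user_search(url, "jsmith"))
```

The resulting base DN and filter can be tried by hand with any LDAP search client, using the bind DN from the configuration, to see whether the directory returns exactly one entry for the login.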