Re: [hobbit] Password Protected Areas?
- To: hobbit (at) hswn.dk
- Subject: Re: [hobbit] Password Protected Areas?
- From: Jerald Sheets <questy (at) gmail.com>
- Date: Thu, 19 Nov 2009 11:21:38 -0500
- References: <BAY133-W2406AD1169C57B7F682437B4A80 (at) phx.gbl> <OF48566EEE.0E75CCC2-ON85257672.00784DE0-85257672.0078A037 (at) csc.com> <BAY133-W26D98C0F03C50E8B022B7DB4A20 (at) phx.gbl>
Not directly related to this issue, but a resolution to an annoyance I
had...
It appears that all sorts of docs for Windoze people/machines are everywhere
while those of us who have an all-Posix environment are left to fend for
ourselves. Even Apache's documentation doesn't directly address posix hosts
(Linux) connecting via Apache authentication back to an LDAP server serving
up a UNIX authentication system.
So, the next person who searches for that on our little family list here, I
want to help out.
Here's my solution:
ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
AllowOverride None
Options ExecCGI Includes
Order deny,allow
Deny from all
AuthName "Xymon Administration"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid
AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPBindPassword PASSWORD
Require ldap-group cn=admins,ou=Group,dc=foo,dc=com
Require ldap-attribute gidNumber=505
Satisfy any
</Directory>
This allows me to authenticate against the store as any member of the group
"admins" that has a Group ID in Linux-land of 505.
For just a user anywhere in the store:
ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
AllowOverride None
Options ExecCGI Includes
Order allow,deny
Allow from all
AuthName "Xymon Administration"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid??(objectclass=*)
AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
AuthLDAPBindPassword PASSWORD
Require valid-user
</Directory>
It took a number of edits all over the place and restarts to get this
working, but I wanted to share for those in the same situation as I.
To get caught by the search at Hobbiton:
Apache mod_authnz_ldap groups authenticate httpd AuthLDAP cgi-secure seccgi
That ought to do it.
---
Jerald M. Sheets jr.
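An added example, not from this post or from Apache's own code, that models in Python against a constructed in-memory directory how the two Require lines of the posixGroup-style config above are evaluated: with AuthLDAPGroupAttributeIsDN off the group test compares the user's uid against memberUid values, and Apache grants access when either Require line in the section is satisfied. The DNs, uids and gidNumbers are made up for illustration.

```python
# Added example, not from the mailing-list post: a small model of how
# mod_authnz_ldap evaluates "Require ldap-group" and "Require ldap-attribute"
# for the posixGroup-style configuration above. The directory below is
# constructed for illustration; DNs, uids and gidNumbers are made up.

# Constructed posixAccount entries, keyed by DN.
USERS = {
    "uid=alice,ou=People,dc=foo,dc=com": {"uid": "alice", "gidNumber": "505"},
    "uid=bob,ou=People,dc=foo,dc=com":   {"uid": "bob",   "gidNumber": "600"},
    "uid=carol,ou=People,dc=foo,dc=com": {"uid": "carol", "gidNumber": "505"},
    "uid=dave,ou=People,dc=foo,dc=com":  {"uid": "dave",  "gidNumber": "600"},
}
# Constructed posixGroup entry: memberUid holds bare uids, not DNs.
GROUPS = {
    "cn=admins,ou=Group,dc=foo,dc=com": {"memberUid": ["alice", "bob"]},
}
ADMINS = "cn=admins,ou=Group,dc=foo,dc=com"


def find_user(uid):
    """AuthLDAPURL ...?uid : look up the entry whose uid attribute matches."""
    for dn, attrs in USERS.items():
        if attrs["uid"] == uid:
            return dn, attrs
    return None


def require_ldap_group(user_dn, attrs, group_dn, group_attr="memberUid", attr_is_dn=False):
    """Require ldap-group: AuthLDAPGroupAttribute names the membership attribute;
    AuthLDAPGroupAttributeIsDN decides whether its values are compared with the
    user's DN (on: groupOfNames/AD style) or with the uid (off: posixGroup style)."""
    members = GROUPS.get(group_dn, {}).get(group_attr, [])
    return (user_dn if attr_is_dn else attrs["uid"]) in members


def require_ldap_attribute(attrs, name, value):
    """Require ldap-attribute name=value: exact match on the user's own entry."""
    return attrs.get(name) == value


def authorize(uid):
    """Apache treats several Require lines in one <Directory> as alternatives
    (2.2 behaviour; the 2.4 default container is RequireAny), so either suffices."""
    found = find_user(uid)
    if found is None:          # unknown uid: authentication already failed
        return False
    dn, attrs = found
    return (require_ldap_group(dn, attrs, ADMINS)
            or require_ldap_attribute(attrs, "gidNumber", "505"))


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave", "mallory"):
        print(u, authorize(u))
```

Both configs above reach the directory over plain ldap:// and use Basic authentication, so the bind password and every user's password cross the network unencrypted unless the HTTP and LDAP connections are wrapped in TLS.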
On Thu, Nov 19, 2009 at 9:15 AM, <wiskbroom (at) hotmail.com> wrote:
>
> Thanks Matt, can't wait to try this out!
>
> .vp
>
> > Here is our configuration in /etc/httpd/conf.d/hobbit-apache.conf
> > that allows us to authenticate against AD. Took a lot of searching
> > to find the solution, which was pretty obscure, so hopefully this helps.
> > I've removed the default comments, so you may want to put them back
> > or have your own.
> >
> > Note the "AuthzLDAPAuthoritative Off" ... that was the kicker in getting
> > it all to play nice.
> >
> > AllowOverride None
> > Options ExecCGI Includes
> > Order allow,deny
> > Allow from all
> > AuthType Basic
> > AuthBasicProvider ldap
> > AuthGroupFile
> > AuthLDAPURL "ldap:///dc=example,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
> > AuthName "Xymon Admin - Use your Windoze password"
> > AuthzLDAPAuthoritative off
> > Require valid-user
> > Require group
> > AuthLDAPBindDN "CN=_,OU=,OU=,DC=example,DC=domain,DC=com"
> > AuthLDAPBindPassword ""
> >
> > Unix System Administrator
> > Computer Science Corporation
> > General Dynamics Land Systems
> > 38500 Mound Rd.
> > Sterling Heights, MI. 48310
> > Desk: (586) 825-8294
> > Oracle IM: moldvanm
> >
> > RE: [hobbit] Password Protected Areas?
> > wiskbroom to: hobbit, 11/13/2009 08:13 AM
> > Please respond to hobbit
> > ________________________________
> >
> > Thank you Henrik!
> >
> >> To: hobbit (at) hswn.dk
> >> From: henrik (at) hswn.dk
> >> Date: Fri, 13 Nov 2009 09:34:00 +0000
> >> Subject: Re: [hobbit] Password Protected Areas?
> >>
> >> In writes:
> >>
> >>> Really? You know of a way in which I can auth against AD and based on
> >>> page/pages in apache?
> >>
> >> Pages and subpages are just physical directories below ~hobbit/server/www/
> >> so you can set up standard Apache "" definitions to impose
> >> access restrictions.
> >>
> >> As for authenticating against an AD, you must use the Apache mod_auth_ldap
> >> module. If you google "apache auth active directory" it should give you
> >> some hints.
> >>
> >> Regards,
> >> Henrik
> >