[hobbit] Password Protected Areas?

Jerald Sheets questy at gmail.com
Thu Nov 19 17:21:38 CET 2009


Not directly related to this issue, but a resolution to an annoyance I
had...

It appears that all sorts of docs for Windoze people/machines are everywhere
while those of us who have an all-Posix environment are left to fend for
ourselves.  Even Apache's documentation doesn't directly address posix hosts
(Linux) connecting via Apache authentication back to an LDAP server serving
up a UNIX authentication system.

So, the next person who searches for that on our little family list here, I
want to help out.

Here's my solution:

ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order deny,allow
    Deny from all
    AuthName "Xymon Administration"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid
    AuthLDAPBindDN "cn=ldapadmin,dc=dc=foo,dc=com"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPBindPassword PASSWORD
    Require ldap-group cn=admins,ou=Group,dc=foo,dc=com
    Require ldap-attribute gidNumber=505
    Satisfy any
</Directory>

This allows me to authenticate against the store as any member of the group
"admins" that has a Group ID in Linux-land of 505.

For just a user anywhere in the store:

ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthName "Xymon Administration"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid??(objectclass=*)
    AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
    AuthLDAPBindPassword PASSWORD
    Require valid-user
</Directory>

it took a number of edits all over the place and restarts to get this
working, but I wanted to share for those in the same situation as I.


To get caught by the search at Hobbiton:

Apache mod_authnz_ldap groups authenticate httpd AuthLDAP cgi-secure seccgi

That ought to do it.


---
Jerald M. Sheets jr.


On Thu, Nov 19, 2009 at 9:15 AM, <wiskbroom at hotmail.com> wrote:

>
> Thanks Matt, can't wait to try this out!
>
> .vp
>
> >
> > Here is our configuration in /etc/httpd/conf.d/hobbit-apache.conf
> > that allows us to authenticate against AD. Took a lot of searching
> > to find the solution, which was pretty obscure, so hopefully this helps.
> > I've removed the default comments, so you may want to put them back
> > or have your own.
> >
> >
> >
> > Note the "AuthzLDAPAuthoritative
> > Off" ... that was the kicker in getting it all to play nice.
> >
> >
> >
> >
> >
> > AllowOverride None
> >
> > Options ExecCGI Includes
> >
> > Order allow,deny
> >
> > Allow from all
> >
> > AuthType Basic
> >
> > AuthBasicProvider ldap
> >
> > AuthGroupFile
> >
> > AuthLDAPURL
> "ldap:///dc=example,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
> >
> > AuthName "Xymon Admin
> > - Use your Windoze password"
> >
> > AuthzLDAPAuthoritative
> > off
> >
> > Require valid-user
> >
> > Require group
> >
> > AuthLDAPBindDN
> > "CN=_,OU=,OU=,DC=example,DC=domain,DC=com"
> >
> > AuthLDAPBindPassword
> > ""
> >
> >
> >
> >
> >
> > Unix System Administrator
> >
> > Computer Science Corporation
> >
> > General Dynamics Land Systems
> >
> > 38500 Mound Rd.
> >
> > Sterling Heights, MI. 48310
> >
> > Desk: (586) 825-8294
> >
> > Oracle IM: moldvanm
> >
> >
> >
> > This is a PRIVATE message. If you are not the intended recipient, please
> > delete without copying and kindly advise us by e-mail of the mistake in
> > delivery.
> >
> > NOTE: Regardless of content, this e-mail shall not operate to bind CSC
> > to any order or other contract unless pursuant to explicit written
> agreement
> > or government initiative expressly permitting the use of e-mail for such
> > purpose.
> >
> >
> >
> >
> >
> >
> >
> >
> > [http://gfx1.hotmail.com/mail/w4/pr01/ltr/i_safe.gif]
> >
> >
> >
> > RE: [hobbit] Password
> > Protected Areas?
> >
> >
> >
> >
> >
> > wiskbroom
> > to:
> > hobbit
> >
> > 11/13/2009 08:13 AM
> >
> >
> >
> >
> >
> > Please respond to hobbit
> >
> >
> >
> >
> >
> >
> >
> >
> > ________________________________
> >
> >
> >
> >
> >
> >
> > Thank you Henrik!
> >
> >
> >
> >> To: hobbit at hswn.dk
> >
> >> From: henrik at hswn.dk
> >
> >> Date: Fri, 13 Nov 2009 09:34:00 +0000
> >
> >> Subject: Re: [hobbit] Password Protected Areas?
> >
> >>
> >
> >> In
> > writes:
> >
> >>
> >
> >>>Really? You know of a way in which I can auth against AD and based
> > on
> >
> >>>page/pages in apache?
> >
> >>
> >
> >> Pages and subpages are just physical directories below
> ~hobbit/server/www/
> >
> >> so you can setup standard Apache ""
> > definitions to impose
> >
> >> access restrictions.
> >
> >>
> >
> >> As for authenticating against an AD, you must use the Apache
> mod_auth_ldap
> >
> >> module. If you google "apache auth active directory" it
> > should give you
> >
> >> some hints.
> >
> >>
> >
> >>
> >
> >> Regards,
> >
> >> Henrik
> >
> >
> >
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20091119/124446a2/attachment.html>


More information about the Xymon mailing list