[hobbit] securing access Active Directory

Milburn, John A. MilburnJA at dot.il.gov
Thu Apr 14 21:18:37 CEST 2005


This worked for Windows 2000. It also worked for Windows 2003 if the
search base was not the root of the domain.
 
I found that if you authenticate against a Global Catalogue, it works
for both.
 
 
#Directory for Hobbit maintenance
ScriptAlias /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
<Directory /usr/local/hobbit/cgi-secure>
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthAuthoritative On
    AuthLDAPCompareDNOnServer on
    AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
    AuthLDAPBindPassword HobbitUserPassword
    AuthType Basic
    AuthName "Enter your Windows logon name/Password"
    require group CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
</Directory>

Setting "AuthAuthoritative Off" should allow other modules to
authenticate users if ldap fails. I haven't tried this yet.


________________________________

From: Taylor, Robert [mailto:Robert.Taylor at HendrickAuto.com] 
Sent: Monday, April 04, 2005 7:36 AM
To: hobbit at hswn.dk
Subject: RE: [hobbit] securing access



There was a post a few days back with an LDAP configuration.  I was able
to change a few things around and get that to work with our MS Active
Directory to validate usernames/passwords for access on a RH EL 3.0 box.

 

Here is the config for my Apache server.  It effectively lets anyone
access from the internal 10.x.x.x network and then requires a valid
username/password for anyone accessing via the Web.

 

<Directory "/var/www/html">
    AllowOverride None
    Order Deny,Allow
    AuthType Basic
    AuthName "<Something to display in dialog>"
    AuthzLDAPEngine on
    AuthzLDAPServer <IP Address of LDAP Server>:389
    AuthzLDAPUserKey sAMAccountName
    AuthzLDAPBindDN <valid LDAP Username for binding to server>
    AuthzLDAPBindPassword <LDAP password for username above>
    AuthzLDAPUserBase dc=<something>,dc=<something .com, .local, .net etc...>
    AuthzLDAPUserScope subtree
    Deny from all
    Satisfy any
    Require valid-user
    Allow from 10.
</Directory>

 

Standard disclaimer would be that I am no Apache expert and this took me
FOREVER to get working right, but it seems to be okay now.

 

Robert

 

 

________________________________

From: David Garaway [mailto:dave at auctionhelper.com] 
Sent: Monday, April 04, 2005 3:29 AM
To: hobbit at hswn.dk
Subject: [hobbit] securing access

 

Does anyone know how to lock the whole hobbit page down? I have a friend
that would like to be able to get to the page from anywhere but wants
something like htaccess. Before I started mucking around with apache to
try to get this working I thought I would see if anyone has done this.

 

Thanks,

Dave 
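
An added example, not part of the original thread: a Python sketch that splits an AuthLDAPURL like the one in the first message into host, port, base DN, attribute, scope and filter, and flags cleartext ldap:// transport and a bind password stored in the config. The function names, finding labels and sample config are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Standard Active Directory listener ports.
AD_PORTS = {389: "LDAP", 636: "LDAP over SSL",
            3268: "Global Catalog", 3269: "Global Catalog over SSL"}
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Constructed sample mirroring the directives in the post (placeholder names).
SAMPLE_CONF = """
<Directory /usr/local/hobbit/cgi-secure>
    AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
    AuthLDAPBindPassword HobbitUserPassword
</Directory>
"""


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into its fields."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    # The three '?'-separated fields are optional; pad the missing ones.
    attribute, scope, ldap_filter = (parts.query.split("?", 2) + ["", "", ""])[:3]
    port = parts.port or DEFAULT_PORT[parts.scheme]
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "service": AD_PORTS.get(port, "non-standard port"),
            "base_dn": parts.path.lstrip("/"), "attribute": attribute,
            "scope": scope, "filter": ldap_filter}


def review_config(conf_text):
    """Return (parsed URL, findings) for the first AuthLDAPURL in conf_text."""
    match = re.search(r"^\s*AuthLDAPURL\s+(\S+)", conf_text, re.MULTILINE)
    if not match:
        raise ValueError("no AuthLDAPURL directive found")
    url = parse_auth_ldap_url(match.group(1).strip('"'))
    findings = []
    if url["scheme"] == "ldap":
        findings.append("cleartext-ldap")  # binds cross the wire unencrypted
    if re.search(r"^\s*AuthLDAPBindPassword\s+\S", conf_text, re.MULTILINE):
        findings.append("bind-password-in-config")  # restrict who can read the file
    return url, findings


if __name__ == "__main__":
    print(review_config(SAMPLE_CONF))
```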

 
