Revision as of 14:28, 15 March 2021
Apache and LDAP
This is how to get users authenticated against Active Directory over LDAP with Apache's mod_authnz_ldap. We're using:
- Apache 2.2.16
- Debian 6
- AD on Server2012
The first step is to create an AD user called apache-ldap. Apache binds as this account to look users up, so it needs no special permissions; an ordinary domain account that can read the directory is enough, and it should get nothing more than that (don't reuse an admin account for it).
- Install the client tools:
apt-get install ldap-utils
- Enable authnz_ldap in Apache (it ships with 2.2; a2enmod also enables mod_ldap, which it depends on):
a2dismod authnz_ldap
a2enmod authnz_ldap
- Set some defaults in /etc/ldap/ldap.conf. These are read by ldapsearch, not by Apache. REFERRALS off matters with AD, which answers sub-tree searches with referrals that the client would otherwise try to chase:
BASE dc=hitchhiker,dc=com
REFERRALS off
- Switch on debug logging in apache.conf while setting this up, and turn it back to the normal level afterwards:
LogLevel debug
Query LDAP
- Basic query. No -b is given, so the BASE from /etc/ldap/ldap.conf is used; -x forces a simple bind, which is what the apache-ldap account can do. A password given with -w ends up in the shell history and in the process list, so prefer -W (prompt) or -y (read from a file) outside of testing:
ldapsearch -LLL -H ldap://hh-intpdc.hitchhiker.com -x -D 'apache-ldap' -w 'xxxxx'
- Full query without size limit (paged results, 1000 entries per page, which is AD's default MaxPageSize), useful for piping the entire catalog to a file:
ldapsearch -LLL -E pr=1000/noprompt -x -H ldap://hh-intpdc.hitchhiker.com -D 'apache-ldap' -w '******'
- Sample query to show all users. Note that AD's default Users container is a container, not an organizational unit, so the base is CN=Users and OU=Users does not exist. -x is required here too; without it ldapsearch attempts a SASL bind and ignores -D:
ldapsearch -x -D "apache-ldap" -w xxxxxxxx -H ldap://hh-intpdc.hitchhiker.com -b "CN=Users,DC=hitchhiker,DC=com"
- Sample query to show the group called Male; its members are listed as DNs in the member attribute, which is what the group checks below rely on:
ldapsearch -x -D "apache-ldap" -w xxxxx -H ldap://hh-intpdc.hitchhiker.com -b "CN=Male,CN=Users,DC=hitchhiker,DC=com" '(objectClass=*)'
HTACCESS
- sample of .htaccess (the directory needs AllowOverride AuthConfig; the bind password sits in this file in clear text, so the server's default rule that refuses to serve .ht* files must stay in place):
AuthName "Top Secret Area"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword ****
The last component of the AuthLDAPURL is the search filter; (objectClass=*) is the default, and any other filter there narrows who can be looked up at all. Note that ldap:// carries both the apache-ldap password and every user's password in clear text between Apache and the domain controller; if that path is not a trusted network, use ldaps:// (port 636) and point LDAPTrustedGlobalCert at the CA certificate that issued the DC's certificate.
- Filter criteria, pick one or more (with AuthzLDAPAuthoritative Off, a user who matches none of the ldap-* lines is passed on to the other authorization modules rather than being refused by mod_authnz_ldap itself):
#Filter for one or more usernames
Require ldap-user "Username"
#Filter for an existing mobile phone number and department IT (the module adds the outer parentheses itself)
Require ldap-filter &(mobile=*)(department=IT)
#Filter for Exchange attributes
Require ldap-attribute extensionAttribute3=GroupPolicy-ITAdmin
#Assuming a group called bookingstats in OU=IT. AD lists members as DNs in the member attribute, which is what mod_authnz_ldap checks by default (direct members only; nested groups are not expanded in 2.2)
Require ldap-group CN=bookingstats,ou=IT,dc=hitchhiker,dc=com
- Links
See: http://stackoverflow.com/questions/1405011/ldap-directory-entry-in-net-not-working-with-ou-users
https://www.sit.auckland.ac.nz/LDAP_authentication_with_Apache_mod_authnz_ldap
http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
http://www.conigliaro.org/2008/12/31/active-directory-authentication-on-apache-with-mod_authnz_ldap/
Setup sample of statistics
bookingstats.intern and statistics.hitchhiker.net are different servers in different networks. They use different SQL servers (for security) but the same LDAP server for authentication.
The goal is to let both internal users (marked STATUSER) and external users log in to both servers.
File:Bookingstats.png
Setup external OU
Create an OU called External, add a group called statistics to it, and put the external users into this group:
File:Ads-ldap01.png
Set up the internal Exchange attribute
Set Exchange custom attribute 4 (extensionAttribute4) to STATUSER on each internal user who may log in:
File:Ads-ldap02.png
Apache config sample for bookingstats.intern
We use the Exchange attribute as the first authentication source and the External OU as the second, chained with mod_authn_alias; this is the technique described under "Apache authentication from multiple domains in AD with mod_authn_alias" in the links below.
One caveat: mod_authn_alias substitutes the alias block's settings only while that provider checks the password. Authorization is then evaluated against the <Directory> itself, where only require valid-user is set, so the Require ldap-attribute and Require ldap-group lines inside the alias blocks take no part in the decision: any account under either base DN that knows its password gets in. To enforce the restriction, put it into the AuthLDAPURL filter, which is ANDed into the user lookup: ...?sAMAccountName?sub?(extensionAttribute4=STATUSER) for first-ldap and ...?sAMAccountName?sub?(memberOf=CN=statistics,ou=External,dc=hitchhiker,dc=com) for second-ldap (memberOf covers direct membership only).
- /etc/apache2/sites-available/bookingstats
<AuthnProviderAlias ldap first-ldap>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@hitchhiker.com"
    AuthLDAPBindPassword xxxxx
    # Not evaluated at authorization time inside an alias block; to enforce it, move the condition into the AuthLDAPURL filter
    Require ldap-attribute extensionAttribute4=STATUSER
    AuthType Basic
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthUserFile /dev/null
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative Off
    AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/ou=External,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@hitchhiker.com"
    AuthLDAPBindPassword xxxxx
    # Same caveat as above: enforce group membership through the URL filter, e.g. (memberOf=CN=statistics,ou=External,dc=hitchhiker,dc=com)
    Require ldap-group CN=statistics,ou=External,dc=hitchhiker,dc=com
</AuthnProviderAlias>

<Directory "/usr/local/www/bookingstats/cgi-bin/">
    Options IncludesNoExec
    Allow from 10.0.1 192.168
    Order allow,deny
    # This "Allow from all" overrides the network restriction above; remove it if only those networks may reach the site
    Allow from all
    AddHandler cgi-script .cgi .pl
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    AuthName "Use your Windows account"
    AuthType Basic
    AuthBasicProvider first-ldap second-ldap
    AuthzLDAPAuthoritative off
    require valid-user
</Directory>

<VirtualHost *:80>
    # Plain HTTP: Basic auth sends the AD password base64-encoded, not encrypted. Acceptable only because this host is internal;
    # the public statistics host below forces HTTPS.
    ServerAdmin mk@hitchhiker.com
    ServerName bookingstats.intern
    DocumentRoot /usr/local/www/bookingstats/cgi-bin/
    # Reroute to frame
    DirectoryIndex frame.pl /frame.pl
    ErrorLog /var/log/apache2/bookingstats.error
    LogLevel info
    CustomLog /var/log/apache2/bookingstats.access combined
    Redirect /index.html http://bookingstats.intern/cgi-bin/start.pl
</VirtualHost>
Apache config sample for statistics.hitchhiker.net
<AuthnProviderAlias ldap first-ldap>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@hitchhiker.com"
    AuthLDAPBindPassword xxxx
    # Not evaluated at authorization time inside an alias block; to enforce it, move the condition into the AuthLDAPURL filter
    Require ldap-attribute extensionAttribute4=STATUSER
    AuthType Basic
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthUserFile /dev/null
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/ou=External,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@hitchhiker.com"
    AuthLDAPBindPassword xxxxx
    # Same caveat as above: enforce group membership through the URL filter, e.g. (memberOf=CN=statistics,ou=External,dc=hitchhiker,dc=com)
    Require ldap-group CN=statistics,ou=External,dc=hitchhiker,dc=com
</AuthnProviderAlias>

<Directory "/ftpweb/web/statistics.hitchhiker.net/cgi-bin/">
    Options ExecCGI
    DirectoryIndex frame.pl
    Options IncludesNoExec
    #AuthType Basic
    Order allow,deny
    Allow from all
    AddHandler cgi-script .cgi .pl
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    AuthName "Statistic Area"
    AuthType Basic
    # Providers are tried in order; on this host the external OU is consulted first
    AuthBasicProvider second-ldap first-ldap
    AuthzLDAPAuthoritative off
    require valid-user
</Directory>

<VirtualHost *:80>
    ServerName statistics.hitchhiker.net
    Redirect permanent / https://statistics.hitchhiker.net/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/statistics.hitchhiker.net.crt
    SSLCertificateKeyFile /etc/apache2/ssl/statistics.hitchhiker.net.key
    ServerAdmin mis@hitchhiker.com
    ServerName statistics.hitchhiker.net
    DocumentRoot /ftpweb/web/statistics.hitchhiker.net/cgi-bin
    ErrorLog /var/log/apache2/statistics.hitchhiker.net.error
    CustomLog /var/log/apache2/statistics.hitchhiker.net.access combined
    DirectoryIndex frame.pl /frame.pl
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
</VirtualHost>
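The following Python model is an added example, not code from this page or from Apache. It ties together the filter criteria from the HTACCESS section and the two-provider setup above: it parses an AuthLDAPURL the way mod_authnz_ldap does, builds the (&(filter)(sAMAccountName=user)) lookup with the module's escaping, binds as the user found, walks the AuthBasicProvider chain with mod_auth_basic's rule (move to the next provider only on USER_NOT_FOUND) and evaluates Require ldap-user, ldap-group, ldap-attribute, ldap-filter and valid-user. The directory entries, host name, users and passwords are constructed for the demonstration. Following the caveat above, only the <Directory>'s own Require lines are evaluated, so the model shows a cn=Users account without STATUSER being admitted by the alias blocks as written, and rejected once the restriction is moved into the AuthLDAPURL filter.

```python
"""Model of how mod_authnz_ldap (Apache 2.2) decides a request: AuthLDAPURL parsing, the user lookup,
the mod_auth_basic provider chain and the Require lines.  Added example, not Apache's code."""
import re

STAT_GROUP = "cn=statistics,ou=External,dc=hitchhiker,dc=com"
# Constructed directory (made-up users and passwords): DN -> attributes.  memberOf is the back-link AD maintains.
DIRECTORY = {
    "cn=alice,cn=Users,dc=hitchhiker,dc=com": {"objectClass": ["user"], "sAMAccountName": ["alice"],
        "userPassword": ["alice-pw"], "department": ["IT"], "mobile": ["+45 1234"], "extensionAttribute4": ["STATUSER"]},
    "cn=bob,cn=Users,dc=hitchhiker,dc=com": {"objectClass": ["user"], "sAMAccountName": ["bob"],
        "userPassword": ["bob-pw"], "department": ["Sales"]},
    "cn=carol,ou=External,dc=hitchhiker,dc=com": {"objectClass": ["user"], "sAMAccountName": ["carol"],
        "userPassword": ["carol-pw"], "memberOf": [STAT_GROUP]},
    STAT_GROUP: {"objectClass": ["group"], "member": ["cn=carol,ou=External,dc=hitchhiker,dc=com"]},
}

def values(entry, attr):
    """Values of an attribute; attribute names are case-insensitive in LDAP."""
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]

def match(filt, entry):
    """Evaluate an LDAP filter (&, |, !, presence and equality items) against one entry."""
    def parse(i):                                   # i points at '('; returns (result, index after ')')
        i += 1
        if filt[i] in "&|!":
            op, i, results = filt[i], i + 1, []
            while filt[i] == "(":
                r, i = parse(i)
                results.append(r)
            return (all(results) if op == "&" else any(results) if op == "|" else not results[0]), i + 1
        j = filt.index(")", i)
        attr, _, value = filt[i:j].partition("=")
        if value == "*":                            # presence test
            return bool(values(entry, attr)), j + 1
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value, flags=re.I)
        return value.lower() in [v.lower() for v in values(entry, attr)], j + 1
    return parse(0)[0]

def ldap_provider(url):
    """Behaves like mod_authnz_ldap: search the AuthLDAPURL base for (&(filter)(attr=user)), then bind as that DN."""
    base, _, rest = url.partition("://")[2].partition("/")[2].partition("?")   # drop scheme and host
    attr, _, rest = rest.partition("?")
    scope, _, filt = rest.partition("?")
    attr, scope, filt = attr or "uid", scope or "sub", filt or "(objectClass=*)"   # the module's defaults
    def in_scope(dn):
        suffix = "," + base.lower()
        return dn.lower().endswith(suffix) and (scope == "sub" or "," not in dn[:-len(suffix)])
    def check_password(user, password):
        # Escape filter metacharacters as the module does, so a user name like "*" cannot widen the lookup.
        safe = re.sub(r"[\\*()]", lambda m: "\\%02x" % ord(m.group(0)), user)
        hits = [dn for dn, e in DIRECTORY.items() if in_scope(dn) and match("(&%s(%s=%s))" % (filt, attr, safe), e)]
        if len(hits) != 1:
            return "USER_NOT_FOUND", None
        if password not in values(DIRECTORY[hits[0]], "userPassword"):
            return "DENIED", hits[0]                # the bind as the user failed
        return "GRANTED", hits[0]
    return check_password

def basic_auth(providers, user, password):
    """mod_auth_basic: try the providers in order, moving on only while one answers USER_NOT_FOUND."""
    for name, provider in providers:
        status, dn = provider(user, password)
        if status != "USER_NOT_FOUND":
            return status, dn, name
    return "USER_NOT_FOUND", None, None

def authorize(requires, dn, user):
    """Require valid-user / ldap-user / ldap-attribute / ldap-filter / ldap-group: any satisfied line grants."""
    entry = DIRECTORY[dn]
    for req in requires:
        kind, _, arg = req.strip().partition(" ")
        if kind == "valid-user":
            return True
        if kind == "ldap-user" and user in [u.strip('"') for u in arg.split()]:
            return True
        if kind in ("ldap-attribute", "ldap-filter") and match("(%s)" % arg, entry):
            return True                             # the module adds the outer parentheses itself
        if kind == "ldap-group":                    # AuthLDAPGroupAttribute member, AuthLDAPGroupAttributeIsDN On
            group = next((e for d, e in DIRECTORY.items() if d.lower() == arg.strip('"').lower()), {})
            if dn.lower() in [m.lower() for m in values(group, "member")]:
                return True
    return False

def login(providers, user, password, requires=("valid-user",)):
    """One request: Basic auth over the provider chain, then the <Directory>'s own Require lines."""
    status, dn, via = basic_auth(providers, user, password)
    if status != "GRANTED":
        return status
    return "OK via %s" % via if authorize(requires, dn, user) else "FORBIDDEN"

CENTAURI = "ldap://CENTAURI.hitchhiker.com/"
# The alias blocks as written (every user under each base is looked up) and the same chain with the restrictions in the URL filter.
AS_WRITTEN = [("first-ldap", ldap_provider(CENTAURI + "cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)")),
              ("second-ldap", ldap_provider(CENTAURI + "ou=External,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"))]
STRICT = [("first-ldap", ldap_provider(CENTAURI + "cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(extensionAttribute4=STATUSER)")),
          ("second-ldap", ldap_provider(CENTAURI + "ou=External,dc=hitchhiker,dc=com?sAMAccountName?sub?(memberOf=%s)" % STAT_GROUP))]

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw"), ("alice", "wrong"), ("*", "x")]:
        print("%-5s as written: %-15s strict: %s" % (user, login(AS_WRITTEN, user, pw), login(STRICT, user, pw)))
```

Running it prints one line per attempt: bob (no STATUSER) is admitted by the chain as written and gets USER_NOT_FOUND from the strict chain; alice with a wrong password gets DENIED from first-ldap and second-ldap is never consulted, which is the mod_auth_basic rule that makes provider order matter; and a user name of "*" finds nobody because the lookup escapes it. The authorize function can be called on its own to try the Require lines from the HTACCESS section against the constructed entries.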
Using an AD group within a Directory, Location or Files context
Sample using the AD group MYGROUP within a Files context. AuthLDAPGroupAttribute member and AuthLDAPGroupAttributeIsDN On are spelled out although they are the 2.2 defaults: AD stores group members as DNs in the member attribute, and ldap-group checks that list (direct members only; nested groups are not expanded in 2.2):
<Files "manage.pl">
    AuthName "Use your Windows account to login"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@hitchhiker.com"
    AuthLDAPBindPassword xxxx
    Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com
</Files>
Sample using the AD group MYGROUP within a Directory context:
<Directory "/usr/local/www/testcode.internxx">
    Options Indexes MultiViews ExecCGI
    DirectoryIndex index.htm
    Order allow,deny
    Allow from all
    AddHandler cgi-script .cgi .pl .htm
    AuthName "Use your Windows account to login"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@hitchhiker.com"
    AuthLDAPBindPassword xxxx
    Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com
</Directory>
Caching
Caching is enabled by default: mod_ldap keeps a search/bind cache of successful user lookups and binds, and an operation cache for the compare calls behind ldap-group and ldap-attribute, each with a 600 second TTL unless LDAPCacheTTL and LDAPOpCacheTTL say otherwise. A password change, a disabled account or a removed group membership can therefore keep working on the web server for up to ten minutes. To see the stats add the following location (keep it restricted to administrators; it lists the cached user DNs):
<Location /server/cache-info>
    SetHandler ldap-status
</Location>
To disable the operation (compare) cache, e.g. in apache.conf (the search/bind cache is controlled separately by LDAPCacheEntries; on a busy server a shorter LDAPCacheTTL is usually the better trade-off than switching caching off):
LDAPOpCacheEntries 0
See: https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
Links:
http://serverfault.com/questions/312281/apache-authentication-from-multiple-domains-in-ad-with-mod-authn-alias
http://serverfault.com/questions/140858/authenticating-apache-httpd-against-multiple-ldap-servers-with-expired-accounts