From Coolscript
Revision as of 15:29, 10 December 2021

Apache and LDAP

This is how to get users authenticated against LDAP on AD. We're using:

  • Apache 2.2.16
  • Debian 6
  • AD on Server2012

The first step is to create an AD user called apache-ldap that Apache binds with to search the directory. It needs no special permissions; a plain domain account can read the attributes used here. Give it its own strong password, do not reuse a human's account for it, and do not grant it more than read access: the password sits in cleartext in Apache's configuration and in the ldapsearch examples on this page, so assume it can leak.

  • Install the LDAP client tools:
apt-get install ldap-utils
  • Enable authnz_ldap in Apache (shipped with 2.2; on Debian a2enmod also enables its mod_ldap dependency):
a2enmod authnz_ldap


  • Set some defaults in /etc/ldap/ldap.conf (BASE saves passing -b to every ldapsearch; REFERRALS off stops the client from chasing the referrals AD returns for subtree searches, which otherwise fail with anonymous binds):
BASE    dc=domain,dc=com
REFERRALS off
  • Switch on debug logging in apache.conf while testing, and revert it afterwards: at this level mod_authnz_ldap logs every bind DN and search filter, i.e. every user name that tries to log in:
LogLevel debug

Query LDAP

  • Basic query (the search base comes from BASE in /etc/ldap/ldap.conf; AD also accepts the bind user as apache-ldap@domain.com, the form used in the Apache configs below)
ldapsearch -LLL  -H ldap://intpdc.domain.com -x  -D 'apache-ldap' -w 'xxxxx'
  • Full query with no size limit (paged results, 1000 entries per page, which is AD's default MaxPageSize), useful to pipe the entire catalogue to a file
ldapsearch -LLL  -E pr=1000/noprompt -x -H ldap://intpdc.domain.com -D 'apache-ldap' -w '******'
  • Sample query to show all users. Note that AD's default Users container is a container, not an organizational unit, so its DN is CN=Users,..., not OU=Users
ldapsearch -D "apache-ldap" -w xxxxxxxx -H ldap://intpdc.domain.com -b "CN=Users,DC=domain,DC=com"
  • Sample query to show the group called Male (its member attribute lists the members' DNs)
ldapsearch -D "apache-ldap" -w xxxxx -H ldap://intpdc.domain.com -b "CN=Male,CN=Users,DC=domain,DC=com" objectclass=*

Two hygiene points apply to all of these. A password given with -w ends up in the process list and the shell history; use -W to be prompted for it or -y <file> to read it from a file only you can read. And -x is a simple bind, which sends the password in cleartext over plain ldap://; add -ZZ to require StartTLS, or use an ldaps:// URL. The same applies to the AuthLDAPURL values in the Apache configs below: with a plain ldap:// URL every user's password travels to the domain controller unencrypted on each login.

HTACCESS

  • sample of .htaccess (the AuthLDAPURL must be a closed quoted string; an empty filter after the last ? means the default (objectClass=*))
AuthName "Top Secret Area"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?"
AuthLDAPBindDN "apache-ldap@domain.com"
AuthLDAPBindPassword ****
  • Authorization rules, pick one or more
#Allow one or more named users
Require ldap-user "Username"
#Allow users that have a mobile number and whose department is IT
Require ldap-filter &(mobile=*)(department=IT)
#Allow by Exchange custom attribute
Require ldap-attribute extensionAttribute3=GroupPolicy-ITAdmin
#Allow members of the group bookingstats in OU=IT (e.g. a user called stats)
Require ldap-group CN=bookingstats,ou=IT,dc=domain,dc=com

AuthzLDAPAuthoritative Off is an Apache 2.2 directive: when the LDAP Require does not match, it lets other authorization modules decide instead of rejecting the request outright, so only use it when another module is meant to take over. It no longer exists in 2.4, where RequireAny/RequireAll express the same thing. Keeping the bind password in an .htaccess file puts it inside the document tree; Apache's default configuration refuses to serve .ht* files, so check that rule is still in place, and prefer the main configuration where you can.
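The checks mod_authnz_ldap performs for the queries above and for the Require rules just listed, emulated offline in Python over a constructed LDIF dump so the rules can be reasoned about without a domain controller. This is an added example, not code from this page or from Apache; every name, DN and attribute value in the sample is an assumption.

```python
"""Offline emulation of the mod_authnz_ldap checks configured on this page:
the authentication search on sAMAccountName and the Require ldap-attribute
and ldap-group (AuthLDAPGroupAttributeIsDN On) rules, run over a constructed
LDIF dump in the format `ldapsearch -LLL` prints. Added example, not page code."""
import base64

# Constructed sample directory: the kind of output the "show all users" query
# returns. Every name, DN and value in it is an assumption for this example.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: alice
department: IT
extensionAttribute4: STATUSER

dn: CN=Bob Example,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: bob
description:: Qm9iIGhhcyBubyBzdGF0cyBhY2Nlc3M=

dn: CN=bookingstats,OU=IT,DC=domain,DC=com
objectClass: group
member: CN=Alice Example,CN=Users,DC=domain,DC=com
"""

def norm_dn(dn):
    """AD compares DNs case-insensitively and tolerates spaces after commas,
    so normalise before comparing (escaped commas are not handled here)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Parse LDIF into {normalised dn: {lower-cased attr: [values]}}, handling
    folded lines (continuations start with one space), repeated attributes
    and base64 values ('attr:: ...')."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.replace("\n ", "").splitlines():   # unfold
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):   # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            name = name.strip().lower()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            attrs["dn"] = [dn]
            entries[norm_dn(dn)] = attrs
    return entries

def ldap_filter_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter. Without
    it a login name such as '*' turns the sAMAccountName match into a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def auth_filter(username, url_filter="(objectClass=*)", attribute="sAMAccountName"):
    """The filter sent for the authentication search: the AuthLDAPURL filter
    ANDed with <attribute>=<escaped login name>."""
    return "(&%s(%s=%s))" % (url_filter, attribute, ldap_filter_escape(username))

def find_user(entries, base_dn, username, attribute="samaccountname"):
    """Emulate the authentication search: exactly one entry under base_dn
    (scope sub) whose attribute equals the login name. Returns its DN, or None
    when there is no such user under that base or the match is ambiguous."""
    suffix = norm_dn(base_dn)
    hits = [a["dn"][0] for k, a in entries.items() if k.endswith(suffix)
            and any(v.lower() == username.lower() for v in a.get(attribute, []))]
    return hits[0] if len(hits) == 1 else None

def require_ldap_attribute(user_dn, entries, attr, value):
    """Require ldap-attribute attr=value: the user's entry carries that value
    (case-insensitive, like AD's default string matching rule)."""
    values = entries[norm_dn(user_dn)].get(attr.lower(), [])
    return any(v.lower() == value.lower() for v in values)

def require_ldap_group(user_dn, entries, group_dn, group_attr="member"):
    """Require ldap-group group_dn with AuthLDAPGroupAttribute member and
    AuthLDAPGroupAttributeIsDN On: one of the group's member DNs is the user's.
    An unknown group denies; the check never fails open."""
    group = entries.get(norm_dn(group_dn))
    if group is None:
        return False
    return any(norm_dn(m) == norm_dn(user_dn) for m in group.get(group_attr, []))

if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    base, grp = "CN=Users,DC=domain,DC=com", "CN=bookingstats,OU=IT,DC=domain,DC=com"
    for login in ("alice", "bob", "*"):
        dn = find_user(d, base, login)
        print(login, "->", dn)
        if dn:
            print("  STATUSER:", require_ldap_attribute(dn, d, "extensionAttribute4", "STATUSER"),
                  "| in bookingstats:", require_ldap_group(dn, d, grp))
    print("search filter for o'brien*:", auth_filter("o'brien*"))
```

Pipe a real dump into parse_ldif (ldapsearch -LLL output is exactly this format) to test a planned Require rule against production data before putting it in the config. The base-DN check in find_user is also why the search base in AuthLDAPURL is itself an access control: an account outside the base never authenticates, whatever the Require says.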


  • Links

See: http://stackoverflow.com/questions/1405011/ldap-directory-entry-in-net-not-working-with-ou-users
https://www.sit.auckland.ac.nz/LDAP_authentication_with_Apache_mod_authnz_ldap
http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
http://www.conigliaro.org/2008/12/31/active-directory-authentication-on-apache-with-mod_authnz_ldap/


Set up the external OU

Create an OU called External, add a group called statistics inside it and make the external users members of that group. The second provider in the configs below searches under ou=External and requires membership of this group.

Set up the internal Exchange attribute

On each internal user who should get access, edit Exchange custom attribute 4 (extensionAttribute4) and enter STATUSER:

(image: Ads-ldap02.png)

Apache config sample for bookingstats.intern

Both providers authenticate against the same AD and are combined with mod_authn_alias; they differ in search base and in what they require. first-ldap searches cn=Users and requires the Exchange attribute extensionAttribute4=STATUSER; second-ldap searches ou=External and requires membership of the statistics group. This is the pattern from the serverfault thread "Apache authentication from multiple domains in AD with mod_authn_alias" (see Links at the end). Before relying on it, confirm that the Require lines inside the AuthnProviderAlias blocks are actually enforced on your build: log in with an internal account that lacks the attribute, and with an account under ou=External that is not in the group. Both must be rejected even though the Directory only says require valid-user. If either gets in, move the condition into the AuthLDAPURL filter, e.g. ?sAMAccountName?sub?(extensionAttribute4=STATUSER) for the first provider, because that filter is applied by the authentication search itself and cannot be bypassed by a later authorization step.

  • /etc/apache2/sites-available/bookingstats
<AuthnProviderAlias ldap first-ldap>
 AuthBasicProvider ldap
 AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?"
 AuthLDAPBindDN "apache-ldap@domain.com"
 AuthLDAPBindPassword xxxxx
 Require ldap-attribute extensionAttribute4=STATUSER
 AuthType Basic
 # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
 AuthUserFile /dev/null
</AuthnProviderAlias>
<AuthnProviderAlias ldap second-ldap>
 AuthBasicProvider ldap
 #AuthzLDAPAuthoritative Off
 AuthLDAPURL "ldap://pdc.domain.com/ou=External,dc=domain,dc=com?sAMAccountName?sub?"
 AuthLDAPBindDN "apache-ldap@domain.com"
 AuthLDAPBindPassword xxxxx
 Require ldap-group CN=statistics,ou=External,dc=domain,dc=com
</AuthnProviderAlias>
<Directory "/usr/local/www/bookingstats/cgi-bin/">
 Options IncludesNoExec
 # The "Allow from all" two lines down overrides this network restriction; remove it if the 10.0.1.x/192.168.x.x limit is meant to be enforced
 Allow from 10.0.1 192.168
 Order allow,deny
 Allow from all
 AddHandler cgi-script .cgi .pl
 PerlResponseHandler ModPerl::Registry
 PerlOptions +ParseHeaders
 Options +ExecCGI
 AuthName "Use your Windows account"
 AuthType Basic
 AuthBasicProvider first-ldap second-ldap
 AuthzLDAPAuthoritative off
 require valid-user
</Directory>
<Virtualhost *:80>
 ServerAdmin root@domain.com
 ServerName bookingstats.intern
 DocumentRoot /usr/local/www/bookingstats/cgi-bin/
 #Reroute to frame
 DirectoryIndex frame.pl /frame.pl
 ErrorLog /var/log/apache2/bookingstats.error
 LogLevel info
 CustomLog /var/log/apache2/bookingstats.access combined
 Redirect /index.html http://bookingstats.intern/cgi-bin/start.pl
</Virtualhost>
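One way to apply the check described above for this two-provider setup, as an added Python example that is not from the page or from Apache: parse the AuthLDAPURL values used here (ldap[s]://host[:port]/basedn?attribute?scope?filter), AND the STATUSER condition into the URL's filter so that accounts without it never authenticate at all, and switch the scheme to ldaps so passwords are not sent to the domain controller in cleartext. The host and base DN are the page's placeholders; the directory must serve LDAPS for the rewritten URL to work.

```python
"""Parse and harden mod_authnz_ldap AuthLDAPURL values of the form
ldap[s]://host[:port]/basedn?attribute?scope?filter. Added example, not code
from the page. It moves a Require ldap-attribute condition into the URL filter,
which the authentication search applies itself, and switches to ldaps."""

# mod_authnz_ldap defaults for missing URL fields
DEFAULTS = {"attribute": "uid", "scope": "sub", "filter": "(objectClass=*)"}

def balanced(filt):
    """True if every '(' in the filter has a matching ')'."""
    depth = 0
    for c in filt:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts, filling in the module's defaults.
    Raises ValueError for values the module would not accept."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, tail = rest.partition("/")
    if not hostport:
        raise ValueError("AuthLDAPURL needs a host")
    # split on at most three '?' so a filter that itself contains '?' stays intact
    basedn, attribute, scope, filt = (tail.split("?", 3) + [""] * 4)[:4]
    if scope == "base":        # the module treats a base scope as sub
        scope = "sub"
    parts = {"scheme": scheme, "hostport": hostport, "basedn": basedn,
             "attribute": attribute or DEFAULTS["attribute"],
             "scope": scope or DEFAULTS["scope"],
             "filter": filt or DEFAULTS["filter"]}
    if parts["scope"] not in ("one", "sub"):
        raise ValueError("scope must be one or sub")
    if not balanced(parts["filter"]):
        raise ValueError("unbalanced parentheses in filter")
    return parts

def and_condition(filt, condition):
    """Return filt ANDed with condition; an existing top-level AND is extended
    rather than wrapped in a second one."""
    if not condition.startswith("("):
        condition = "(%s)" % condition
    if not balanced(condition):
        raise ValueError("unbalanced parentheses in condition")
    if filt.startswith("(&") and balanced(filt[2:-1]):
        return filt[:-1] + condition + ")"
    return "(&%s%s)" % (filt, condition)

def build_auth_ldap_url(parts):
    """Reassemble the parts into an AuthLDAPURL string."""
    return "%s://%s/%s?%s?%s?%s" % (parts["scheme"], parts["hostport"], parts["basedn"],
                                    parts["attribute"], parts["scope"], parts["filter"])

def harden_auth_ldap_url(url, condition, scheme="ldaps"):
    """Rewrite url so that only accounts matching condition can authenticate,
    and use scheme (ldaps by default) so user passwords are not sent in the clear."""
    parts = parse_auth_ldap_url(url)
    parts["filter"] = and_condition(parts["filter"], condition)
    parts["scheme"] = scheme
    return build_auth_ldap_url(parts)

if __name__ == "__main__":
    url = "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?"
    print(parse_auth_ldap_url(url))
    print('AuthLDAPURL "%s"' % harden_auth_ldap_url(url, "extensionAttribute4=STATUSER"))
```

The resulting directive for the first provider is AuthLDAPURL "ldaps://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(&(objectClass=*)(extensionAttribute4=STATUSER))": an internal account without the attribute is now rejected by the authentication search, before any Require is evaluated, and with LogLevel debug the search filter Apache logs carries the condition. The group condition of the second provider can be expressed the same way with (memberOf=CN=statistics,ou=External,dc=domain,dc=com), since AD maintains memberOf on user objects.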

Apache config sample for statistics.domain.com

<AuthnProviderAlias ldap first-ldap>
 AuthBasicProvider ldap
 AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?"
 AuthLDAPBindDN "apache-ldap@domain.com"
 AuthLDAPBindPassword xxxx
 Require ldap-attribute extensionAttribute4=STATUSER
 AuthType Basic
 # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
 AuthUserFile /dev/null
</AuthnProviderAlias>
<AuthnProviderAlias ldap second-ldap>
 AuthBasicProvider ldap
 AuthLDAPURL "ldap://pdc.domain.com/ou=External,dc=domain,dc=com?sAMAccountName?sub?"
 AuthLDAPBindDN "apache-ldap@domain.com"
 AuthLDAPBindPassword xxxxx
 Require ldap-group CN=statistics,ou=External,dc=domain,dc=com
</AuthnProviderAlias>
<Directory "/ftpweb/web/statistics.domain.com/cgi-bin/">
 Options ExecCGI
 DirectoryIndex frame.pl
 Options IncludesNoExec
 #AuthType Basic
 Order allow,deny
 Allow from all
 AddHandler cgi-script .cgi .pl
 PerlResponseHandler ModPerl::Registry
 PerlOptions +ParseHeaders
 Options +ExecCGI
 AuthName "Statistic Area"
 AuthType Basic
 # External accounts are tried first on this host
 AuthBasicProvider second-ldap first-ldap
 AuthzLDAPAuthoritative off
 require valid-user
</Directory>
<VirtualHost *:80>
 ServerName statistics.domain.com
 Redirect permanent / https://statistics.domain.com/
</VirtualHost>
<VirtualHost *:443>
 SSLCertificateFile /etc/apache2/ssl/statistics.domain.com.crt
 SSLCertificateKeyFile /etc/apache2/ssl/statistics.domain.com.key
 SSLEngine on
 ServerAdmin admin@domain.com
 ServerName statistics.domain.com
 DocumentRoot /ftpweb/web/statistics.domain.com/cgi-bin
 ErrorLog /var/log/apache2/statistics.domain.com.error
 CustomLog /var/log/apache2/statistics.domain.com.access combined
 DirectoryIndex frame.pl /frame.pl
 SSLHonorCipherOrder On
 # 2.2-era TLS settings; on a current build use "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" and a current cipher list instead
 SSLProtocol +ALL -SSLv3 -SSLv2
 SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
</VirtualHost>

Using AD Group within Directory, Location or File

Sample to use the AD group MYGROUP within a Files context. AuthLDAPGroupAttribute member with AuthLDAPGroupAttributeIsDN On compares the authenticated user's DN against the group's member attribute, which is how AD stores membership. Only direct members match: 2.2 does not follow nested groups (2.4 adds AuthLDAPSubGroupAttribute and AuthLDAPMaxSubGroupDepth for that).

<Files "manage.pl">
 AuthName "Use your Windows account to log in"
 AuthBasicProvider ldap
 AuthType Basic
 AuthLDAPGroupAttribute member
 AuthLDAPGroupAttributeIsDN On
 AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
 AuthLDAPBindDN "apache-ldap@domain.com"
 AuthLDAPBindPassword xxxx
 Require ldap-group cn=MYGROUP,cn=Users,dc=domain,dc=com
</Files>

Sample to use the AD group MYGROUP within a Directory context

<Directory "/usr/local/www/testcode.internxx">
 Options Indexes MultiViews ExecCGI
 DirectoryIndex index.htm
 Order allow,deny
 Allow from all
 AddHandler cgi-script .cgi .pl .htm
 AuthName "Use your Windows account to log in"
 AuthBasicProvider ldap
 AuthType Basic
 AuthLDAPGroupAttribute member
 AuthLDAPGroupAttributeIsDN On
 AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
 AuthLDAPBindDN "apache-ldap@domain.com"
 AuthLDAPBindPassword xxxx
 Require ldap-group cn=MYGROUP,cn=Users,dc=domain,dc=com
</Directory>

Caching

mod_ldap caches searches, successful binds and compare results by default, shared across the whole server. To see the statistics add the following location, and restrict it: the status page lists the caches and, per cache, the cached entries (user names and DNs), which is handy reconnaissance for anyone who can reach it.

<Location /server/cache-info>
 SetHandler ldap-status
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1
</Location>

To disable caching, e.g. in apache.conf, set both caches to zero entries. LDAPOpCacheEntries alone only disables the compare cache used for group and attribute checks; the search/bind cache is LDAPCacheEntries:

LDAPCacheEntries 0
LDAPOpCacheEntries 0

Mind that with the cache on, a successful bind is remembered for LDAPCacheTTL seconds (600 by default), so a user whose account was just disabled, or whose password was just changed, keeps getting in with the old password for up to that long. Lowering LDAPCacheTTL is usually a better trade-off than switching the cache off and binding on every request.

See: https://httpd.apache.org/docs/2.4/mod/mod_ldap.html

Links:

http://serverfault.com/questions/312281/apache-authentication-from-multiple-domains-in-ad-with-mod-authn-alias
http://serverfault.com/questions/140858/authenticating-apache-httpd-against-multiple-ldap-servers-with-expired-accounts

Keywords: bookingstats stats statistics statistics.domain.com bookingstats.intern ldap