This worked for Windows 2000. It also worked for Windows 2003 if the search base was not the root of the domain.
I found that if you authenticate against a Global Catalogue, it works for both.
#Directory for Hobbit maintenance
ScriptAlias /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
<Directory /usr/local/hobbit/cgi-secure>
AllowOverride None
Options ExecCGI Includes
Order allow,deny
Allow from all
AuthAuthoritative On
AuthLDAPCompareDNOnServer on
AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
AuthLDAPBindPassword HobbitUserPassword
AuthType Basic
AuthName "Enter your Windows logon name/Password"
require group CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
</Directory>
Setting "AuthAuthoritative Off" should allow other modules to authenticate users if ldap fails. I haven't tried this yet.
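The AuthLDAPURL value in the configuration above packs host, port, search base, login attribute, scope and filter into one string. As an added example (not part of the original post), this Python sketch splits such a value into its fields and flags the case the message describes: a search base at the domain root on a port that is not a Global Catalogue port. The function names are hypothetical, and the defaults are the ones documented for AuthLDAPURL.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
GC_PORTS = (3268, 3269)  # Active Directory Global Catalogue (plain, TLS)

# URL taken from the configuration in the message above.
THREAD_URL = ("ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com"
              "?sAMAccountName?sub?(objectClass=user)")

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into fields."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        raise ValueError("expected ldap:// or ldaps://, got %r" % url)
    # Fields after the base DN are '?'-separated; pad the missing ones.
    q = (parts.query.split("?", 2) + ["", "", ""])[:3]
    info = {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": q[0] or "uid",
        "scope": q[1] or "sub",
        "filter": unquote(q[2]) or "(objectClass=*)",
        "tls": parts.scheme == "ldaps",
    }
    if info["scope"] not in ("one", "sub"):
        raise ValueError("scope must be 'one' or 'sub'")
    info["global_catalog"] = info["port"] in GC_PORTS
    # Naive RDN split (ignores escaped commas): the base is the domain
    # root when every component is a DC= element.
    rdns = [r.strip() for r in info["base_dn"].split(",") if r.strip()]
    info["domain_root"] = bool(rdns) and all(
        r.lower().startswith("dc=") for r in rdns)
    return info

def review(url):
    """Return notes on the points a reviewer would check in the URL."""
    info = parse_auth_ldap_url(url)
    notes = []
    if info["domain_root"] and not info["global_catalog"]:
        notes.append("search base is the domain root on a non-GC port "
                     "(reported above as failing on Windows 2003)")
    if not info["tls"]:
        notes.append("ldap:// scheme: the URL alone does not request TLS")
    return notes

if __name__ == "__main__":
    print(parse_auth_ldap_url(THREAD_URL))
    print(review(THREAD_URL))
```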
From: Taylor, Robert [mailto:Robert.Taylor at HendrickAuto.com]
Sent: Monday, April 04, 2005 7:36 AM
To: hobbit at hswn.dk
Subject: RE: [hobbit] securing access
There was a post a few days back with an LDAP configuration. I was able to change a few things around and get that to work with our MS Active Directory to validate usernames/passwords for access on a RH EL 3.0 box.
Here is the config for my Apache server. It effectively lets anyone access from the internal 10.x.x.x network and then requires a valid username/password for anyone accessing via the Web.
<Directory "/var/www/html">
AllowOverride None
Order Deny,Allow
AuthType Basic
AuthName "<Something to display in dialog>"
AuthzLDAPEngine on
AuthzLDAPServer <IP Address of LDAP Server>:389
AuthzLDAPUserKey sAMAccountName
AuthzLDAPBindDN <valid LDAP Username for binding to server>
AuthzLDAPBindPassword <LDAP password for username above>
AuthzLDAPUserBase dc=<something>,dc=<something .com, .local, .net etc...>
AuthzLDAPUserScope subtree
Deny from all
Satisfy any
Require valid-user
Allow from 10.
</Directory>
Standard disclaimer would be that I am no Apache expert and this took me FOREVER to get working right, but it seems to be okay now.
Robert
From: David Garaway [mailto:dave at auctionhelper.com]
Sent: Monday, April 04, 2005 3:29 AM
To: hobbit at hswn.dk
Subject: [hobbit] securing access
Does anyone know how to lock the whole hobbit page down? I have a friend that would like to be able to get to the page from anywhere but wants something like htaccess. Before I started mucking around with apache to try to get this working I thought I would see if anyone has done this.
Thanks,
Dave