Using ldap accounts with Xymon
Need a little help - I am setting up a RHEL5 64 bit server that has apache2 ssl enabled and other web apps using ldap to control logins.
I would like to do this for Xymon - having one set of accounts to view and another set of accounts to do the admin functions. Openssl and a php ldap setup exist on the server already. (I believe it calls openldap client under its code). I do get the certificate from the server for the ssl piece, but want to get rid of the htaccess file and replace with ldap authentication.
So my question is - can I do this, and if so, how about a how-to? Google seems very sparse on this; I have the wikibook listing but wonder if there is more info out there that's useful to those of us not so familiar with ldap configurations.
Thanks in advance Brian
lurch at inorbit.com
On Tue, 2009-04-07 at 19:35 -0400, Brian Catlin wrote:
Need a little help - I am setting up a RHEL5 64 bit server that has apache2 ssl enabled and other web apps using ldap to control logins.
I would like to do this for Xymon - having one set of accounts to view and another set of accounts to do the admin functions.
Yup. Straight-forward.
Openssl and a php ldap setup exist on the server already. (I believe it calls openldap client under its code). I do get the certificate from the server for the ssl piece, but want to get rid of the htaccess file and replace with ldap authentication. So my question is - can I do this , and if so, how about a how to?
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
Just use the appropriate Require statement.
-- Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy http://www.austinenergy.com
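Daniel's pointer carried through to a worked configuration for the view/admin split Brian asked about; this is an added example, not from the thread or from Xymon's own shipped Apache snippet. It assumes an LDAPS directory at ldap.example.com under dc=example,dc=com, a read-only bind account, two groups (xymon-viewers, xymon-admins) and Xymon's default URL paths.

```apache
# Added example, not from the thread: mod_authnz_ldap on Apache 2.2 (RHEL5) giving
# one LDAP group read-only access to Xymon and a second group the admin CGIs.
# Assumed: ldaps://ldap.example.com, dc=example,dc=com, the bind DN and both groups;
# the URL paths are Xymon's defaults (/xymon/, /xymon-cgi/, /xymon-seccgi/).
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Check the directory's certificate instead of trusting any LDAPS endpoint.
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/ca.crt
LDAPVerifyServerCert  On

# Viewers: the status pages and the ordinary CGIs.
<LocationMatch "^/xymon(-cgi)?/">
    # Basic auth: never let the password cross the wire in clear.
    SSLRequireSSL
    AuthType Basic
    AuthName "Xymon"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    # Read-only service account; keep this file readable by root and apache only.
    AuthLDAPBindDN       "cn=xymon-bind,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "BIND-PASSWORD-PLACEHOLDER"
    AuthzLDAPAuthoritative On
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group cn=xymon-viewers,ou=groups,dc=example,dc=com
</LocationMatch>

# Admins: enable/disable, acknowledge and the other state-changing CGIs.
<Location /xymon-seccgi/>
    SSLRequireSSL
    AuthType Basic
    AuthName "Xymon admin"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN       "cn=xymon-bind,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "BIND-PASSWORD-PLACEHOLDER"
    AuthzLDAPAuthoritative On
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group cn=xymon-admins,ou=groups,dc=example,dc=com
</Location>
```

Group membership is looked up on each request through mod_ldap's cache (LDAPCacheTTL, 600 seconds by default), so a user removed from xymon-admins loses access within that window rather than instantly.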
I got this working RHEL5 against Active Directory. Even got transparent NTLM Authentication set up so it authenticates the user automatically. I'd be happy to share if you're looking at an AD environment. Might work for generic LDAP as well.
Stewart
-- Stewart
If you see yourself in others, then whom can you harm?
Stewart,
I'd be interested in the NTLM part. Please share.
Thanks,
Scot Kreienkamp
La-Z-Boy Inc.
On Tue, April 7, 2009 20:33, Stewart L wrote:
I got this working RHEL5 against Active Directory. Even got transparent NTLM Authentication set up so it authenticates the user automatically. I'd be happy to share if you're looking at an AD environment. Might work for generic LDAP as well.
Like many others, I'm sure, I'm all ears. Well, if you look at a photograph, mostly ears, but still....
regards, j.
"I have great faith in fools. Self confidence, my friends call it." --E.A. Poe
Is there any way to see all the data that's coming in for a particular host?
I have some external scripts that are reporting via data messages, which of course don't show up on the web pages. So how do you verify the server is receiving those messages?
Thanks,
Scot Kreienkamp La-Z-Boy Inc.
*Transparent Authentication against Active Directory 2003 with Apache and CentOS 5*
Here, I will explain the steps I went through to get a Linux server joined to our Active Directory 2003 infrastructure and to authenticate users against the domain without them being required to enter credentials.
As I said, this is against an AD 2003 structure. If you are operating in a 2000 or NT domain, this might not work for you, but it should point you on your way.
I'll make a few assumptions at this point for the example.
You are setting up a webserver to be named *web1.example.com*.
Your domain is called *EXAMPLE* and your kerberos Realm is named *EXAMPLE.COM*.
You have a domain account named *EXAMPLE\Bob* that is authorized to add machines into the domain.
Your Domain controller is *dc1.example.com*.
Install Packages
You obviously need apache installed. You will also need the mod_auth_kerb package to authenticate against the domain. It is also much easier if you use the system-config-authentication tool in the authconfig-gtk package.
yum -y install mod_auth_kerb authconfig-gtk
Join the Machine to the Domain
Before you can join a machine to a domain, you must have a few items taken care of...
The hostname (excluding the domain) should be 15 characters or less.
The system clocks should be synchronized. Use NTP for this.
Your */etc/hosts* file needs to be properly set up. You should have a localhost entry pointing to 127.0.0.1 and an entry that has your fully-qualified host name pointing to its assigned IP address.
With that out of the way, we can begin configuring authentication.
Run *system-config-authentication* as root.
On the Authentication tab, enable Kerberos and Winbind.
Configure Kerberos:
- REALM = EXAMPLE.COM
- Check the boxes for using DNS to resolve hosts to realms and locate KDCs.
- KDC and Admin Server can be left blank.
- Click OK.
Configure Winbind:
- Domain = EXAMPLE
- Security Model = ads
- ADS Realm = EXAMPLE.COM
- Domain Controllers = dc1.example.com
- Click OK.
Edit your */etc/samba/smb.conf* file and make sure that your netbios name is the same as your hostname. This should be the host part only, not the domain.
Join the Domain
As the root user, run the following commands. You will have to enter a password for Bob after both commands.
kinit Bob@EXAMPLE.COM
net ads join -U 'EXAMPLE\Bob'
(kinit takes the principal in user@REALM form, and the backslash in EXAMPLE\Bob must be quoted or the shell swallows it.)
That's it! You're on the domain now. By default you have to have a local account on the box to authenticate against AD, meaning if there is not a bob account on web1.example.com, bob cannot log in with his domain password.
Configure an AD User
This is where things become a little convoluted. We are going to create a user account in AD that the web server will use for authentication. There are a number of different versions and service packs out there for Windows Server 2000 and 2003. I got a lot of my information from http://grolmsnet.de/kerbtut/ so check there if you have problems with this part.
Create a user in AD named http_web1.
Set this account so that the password never expires.
On the command line of the Domain Controller, run this line
ktpass -princ HTTP/web1.example.com@EXAMPLE.COM -mapuser EXAMPLE\http_web1 -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass * -out c:\temp\http_web1.keytab
This will create a keytab file in C:\temp that you need to move to your webserver and place in */etc/httpd*.
Configure Apache
Your configuration should look something like this...
<Location />
AuthName "Welcome to EXAMPLE"
AuthType Kerberos
Krb5Keytab /etc/httpd/http_web1.keytab
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate On
KrbSaveCredentials off
KrbVerifyKDC off
Require valid-user
</Location>
Naturally, you can change the AuthName to whatever you like. Check http://modauthkerb.sourceforge.net/ for more info on specific configurations.
Configure Firefox (Optional)
Type about:config in the URL bar and modify the following preferences:
- network.negotiate-auth.delegation-uris = Example.com
- network.negotiate-auth.trusted-uris = Example.com
- network.automatic-ntlm-auth.trusted-uris = Example.com
If anyone has any feedback, Let me know. Anxious to hear if this works for others.
Stewart
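The howto's mod_auth_kerb section again, with the settings a reviewer would tighten and the view/admin split Brian's original question asked for; this is an added example, not Stewart's configuration. It assumes the howto's names (EXAMPLE.COM, web1.example.com, /etc/httpd/http_web1.keytab) and Xymon's default /xymon-seccgi/ admin path; the group file is invented.

```apache
# Added example, not from the thread: the howto's mod_auth_kerb <Location> with the
# settings a reviewer would tighten, plus the view/admin split the original question
# asked for. Assumes the howto's names (EXAMPLE.COM, web1.example.com, the keytab
# path) and Xymon's default /xymon-seccgi/ admin path; the group file is invented.
<Location />
    AuthName "Welcome to EXAMPLE"
    AuthType Kerberos
    # The keytab holds the service's long-term key: owner root:apache, mode 0640.
    Krb5Keytab /etc/httpd/http_web1.keytab
    KrbAuthRealms EXAMPLE.COM
    # Pin the SPN the keytab was issued for instead of deriving it from the hostname.
    KrbServiceName HTTP/web1.example.com
    KrbMethodNegotiate On
    # The howto leaves K5Passwd at its default (On): a browser without Negotiate then
    # falls back to Basic auth and sends the user's AD password to the web server.
    KrbMethodK5Passwd Off
    # Verify the ticket against our keytab (anti KDC spoofing); matters if K5Passwd
    # is ever turned back on, harmless with Negotiate.
    KrbVerifyKDC On
    KrbSaveCredentials Off
    # REMOTE_USER becomes "bob" rather than "bob@EXAMPLE.COM", so group files match.
    KrbLocalUserMapping On
    Require valid-user
</Location>

# Kerberos only identifies the user; a group decides who reaches the admin CGIs.
# /etc/httpd/conf/xymon.groups (constructed) contains e.g. "xymonadmins: bob alice".
<Location /xymon-seccgi/>
    AuthGroupFile /etc/httpd/conf/xymon.groups
    Require group xymonadmins
</Location>
```

Two of the howto's other settings deserve a second look: the ktpass key type DES-CBC-MD5 is a weak cipher that current Windows and MIT krb5 builds disable by default, so issue the keytab with an AES type once the domain supports it (2008 functional level and later), and network.negotiate-auth.delegation-uris lets Firefox forward the user's Kerberos credentials to the web server, which plain login does not need (trusted-uris alone suffices).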
quick upload to here, not much editing. http://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Other_Docs/HOWTO#T...
Let me know if you disapprove this uploading.
T.J. Yang
fine by me.
On Wednesday 08 April 2009 02:33:40 Stewart L wrote:
I got this working RHEL5 against Active Directory. Even got transparent NTLM Authentication set up so it authenticates the user automatically. I'd be happy to share if you're looking at an AD environment. Might work for generic LDAP as well.
Sorry to be pedantic, but the documentation you provided is not for NTLM authentication, but for Kerberized authentication. The Apache-related documentation should be valid in any Kerberos environment, but the details of how to issue keytabs depends on the implementation used for the KDC (e.g., with Heimdal it is possible to create the keytab from the host that needs it, in place, no copying is required, but this is not the case with MIT).
Your howto has nothing to do with LDAP btw ...
I posted what I had because a bunch of folks asked me to off list. While not specific to LDAP, I'm sure some folks will find it useful. Don't think I mention NTLM or LDAP in the final docs I posted and the title was pretty specific about where it worked.
Yes, I know it's Kerberos, not NTLM and I linked to the page where I gained a bunch of this info which provides details on the keytabs for a bunch of different environments.
Stewart