[hobbit] securing access Active Directory
This worked for Windows 2000. It also worked for Windows 2003 if the search base was not the root of the domain.
I found that if you authenticate against a Global Catalogue, it works for both.
#Directory for Hobbit maintenance
ScriptAlias /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
<Directory /usr/local/hobbit/cgi-secure>
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthAuthoritative On
    AuthLDAPCompareDNOnServer on
    AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
    AuthLDAPBindPassword HobbitUserPassword
    AuthType Basic
    AuthName "Enter your Windows logon name/Password"
    require group CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
</Directory>
Setting "AuthAuthoritative Off" should allow other modules to authenticate users if ldap fails. I haven't tried this yet.
From: Taylor, Robert [mailto:Robert.Taylor at HendrickAuto.com] Sent: Monday, April 04, 2005 7:36 AM To: hobbit at hswn.dk Subject: RE: [hobbit] securing access
There was a post a few days back with an LDAP configuration. I was able to change a few things around and get that to work with our MS Active Directory to validate usernames/passwords for access on a RH EL 3.0 box.
Here is the config for my Apache server. It effectively lets anyone access from the internal 10.x.x.x network and then requires a valid username/password for anyone accessing via the Web.
<Directory "/var/www/html">
AllowOverride None
Order Deny,Allow
AuthType Basic
AuthName "<Something to display in dialog>"
AuthzLDAPEngine on
AuthzLDAPServer <IP Address of LDAP Server>:389
AuthzLDAPUserKey sAMAccountName
AuthzLDAPBindDN <valid LDAP Username for binding to server>
AuthzLDAPBindPassword <LDAP password for username above>
AuthzLDAPUserBase dc=<something>,dc=<something .com, .local, .net etc...>
AuthzLDAPUserScope subtree
Deny from all
Satisfy any
Require valid-user
Allow from 10.
</Directory>
Standard disclaimer would be that I am no Apache expert and this took me FOREVER to get working right, but it seems to be okay now.
Robert
From: David Garaway [mailto:dave at auctionhelper.com] Sent: Monday, April 04, 2005 3:29 AM To: hobbit at hswn.dk Subject: [hobbit] securing access
Does anyone know how to lock the whole hobbit page down? I have a friend that would like to be able to get to the page from anywhere but wants something like htaccess. Before I started mucking around with apache to try to get this working I thought I would see if anyone has done this.
Thanks,
Dave
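As an added illustration (not code from the thread or from the Hobbit project), here is a small Python helper for the AuthLDAPURL form used in John's config: it splits the URL the way the mod_auth_ldap documentation describes it, builds the search filter the module sends for a given login name, and flags the domain-root-base-on-port-389 combination that John reports as failing against Windows 2003. The function names and the caveat check are my own.

```python
"""AuthLDAPURL helper for the mod_auth_ldap config quoted in the thread.
Added example, not code from the thread or from the Hobbit project.
Assumes the documented URL form  ldap://host:port/basedn?attribute?scope?filter
and the documented filter composition  (&(filter)(attribute=user)).
"""
from urllib.parse import urlsplit, unquote


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts, applying mod_auth_ldap defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit stops the path at the first '?', so the query holds
    # 'attribute?scope?filter'; missing trailing fields get defaults.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": (scope or "sub").lower(),
        "filter": unquote(ldap_filter) or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def effective_search_filter(url, username):
    """The filter mod_auth_ldap sends when `username` logs in."""
    u = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (u["filter"], u["attribute"], escape_filter_value(username))


def base_is_domain_root(basedn):
    """True when every RDN is a DC= component, i.e. the base is the domain root."""
    return all(rdn.strip().upper().startswith("DC=") for rdn in basedn.split(","))


def check_win2003_caveat(url):
    """Flag the combination the thread reports as failing against Windows 2003:
    a domain-root search base queried on a port other than the Global Catalog
    ports (3268 plain, 3269 SSL)."""
    u = parse_auth_ldap_url(url)
    return base_is_domain_root(u["basedn"]) and u["port"] not in (3268, 3269)
```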
Hi John,
"Milburn, John A." wrote on 15/04/2005 07:18:37:
I've modified this to match my own AD configuration, but I'm still not having any luck :-(
My apache install includes the ldap_module.so and auth_ldap_module.so files - should these work OK by themselves, or do I need to install further OpenLDAP libraries? Running ldd on these files doesn't indicate any special requirements.
----- Original Message ----- From: "Andy France" <Andy at zespri.com> To: <hobbit at hswn.dk> Sent: Tuesday, April 19, 2005 4:53 PM Subject: RE: [hobbit] securing access Active Directory
I don't know of any dependencies. I do have the OpenLDAP libraries installed. I am using Fedora Core 3 fully updated. Almost everything was installed, since I am not that good with Linux.