securing access Active Directory

list John A. Milburn
Tue, 19 Apr 2005 18:11:27 -0500
Message-Id: <user-25f54c988820@xymon.invalid>

----- Original Message ----- 
From: "Andy France" <user-ee2a9e4eaf57@xymon.invalid>
To: <user-ae9b8668bcde@xymon.invalid>
Sent: Tuesday, April 19, 2005 4:53 PM
Subject: RE: [hobbit] securing access Active Directory

Hi John,


"Milburn, John A." wrote on 15/04/2005 07:18:37:

This worked for Windows 2000. It also worked for Windows Â 2003 if
the search base was not the root of the domain.

I found that if you authenticate against a Global Â Catalogue, it
works for both.


#Directory for Hobbit maintenance
ScriptAlias Â /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
<Directory Â /usr/local/hobbit/cgi-secure>
Â Â Â AllowOverride Â None
Â Â Â Options ExecCGI Â Includes
Â Â Â Order allow,deny
Â Â Â Allow from Â all
Â Â Â AuthAuthoritative On
Â Â Â Â AuthLDAPCompareDNOnServer on
Â Â Â AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?
sAMAccountName?sub?(objectClass=user)
Â Â Â Â AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
Â Â Â Â AuthLDAPBindPassword HobbitUserPassword
Â Â Â AuthType Â Basic
Â Â Â AuthName "Enter your Windows logon Â name/Password"
Â Â Â require group Â CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
</Directory>

Setting "AuthAuthoritative Off" should allow other modules Â to
authenticate users if ldapÂ fails. I haven't tried this Â yet.


I've modified this to match my own AD configuration, but I'm still not
having any luck :-(

My apache install includes the ldap_module.so and auth_ldap_module.so
files
- should these work OK by themselves, or do I need to install further
OpenLDAP libraries? Â Running ldd on these files doesn't indicate any
special requirements.

I don't know of any dependencies. I do have the OpenLDAP libraries
installed.
I am using Fedora Core 3 fully updated. Almost everything was installed,
since I am not that good with Linux.