Xymon Mailing List Archive search

securing access Active Directory

list John A. Milburn
Thu, 14 Apr 2005 14:18:37 -0500
Message-Id: <user-3ce0082bbd0f@xymon.invalid>

This worked for Windows 2000. It also worked for Windows 2003 if the
search base was not the root of the domain.
 
I found that if you authenticate against a Global Catalogue, it works
for both.
 
 
#Directory for Hobbit maintenance
ScriptAlias /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
<Directory /usr/local/hobbit/cgi-secure>
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthAuthoritative On
    AuthLDAPCompareDNOnServer on
    AuthLDAPURL
ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(obje
ctClass=user)
    AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
    AuthLDAPBindPassword HobbitUserPassword
    AuthType Basic
    AuthName "Enter your Windows logon name/Password"
    require group CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
</Directory>

Setting "AuthAuthoritative Off" should allow other modules to
authenticate users if ldap fails. I haven't tried this yet.


From: Taylor, Robert [mailto:user-3e97fc7d80fd@xymon.invalid] 
Sent: Monday, April 04, 2005 7:36 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: RE: [hobbit] securing access


There was a post a few days back with an LDAP configuration.  I was able
to change a few things around a get that to work with our MS Active
Directory to validate usernames/passwords for access on a RH EL 3.0 box.

 
Here is the config for my Apache server.  It effectively let's anyone
access from the internal 10.x.x.x network and then requires a valid
username/password for anyone accessing via the Web.

 
<Directory "/var/www/html">

    AllowOverride None

    Order Deny,Allow

    AuthType Basic

    AuthName "<Something to display in dialog>"

    AuthzLDAPEngine on

    AuthzLDAPServer <IP Address of LDAP Server>:389

    AuthzLDAPUserKey sAMAccountName

    AuthzLDAPBindDN <valid LDAP Username for binding to server>

    AuthzLDAPBindPassword <LDAP password for username above>

    AuthzLDAPUserBase dc=<something>,dc=<something .com, .local, .net
etc...>

    AuthzLDAPUserScope subtree

    Deny from all

    Satisfy any

    Require valid-user

    Allow from 10.

</Directory>

 
Standard disclaimer would be that I am no Apache expert and this took me
FOREVER to get working right, but it seems to be okay now.

 
Robert

 
From: David Garaway [mailto:user-4528dbd32b26@xymon.invalid] 
Sent: Monday, April 04, 2005 3:29 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] securing access

 
Does anyone know how to lock the whole hobbit page down? I have a friend
that would like to be able to get to the page from anywhere but wants
something like htaccess. Before I started mucking around with apache to
try to get this working I thought I would see if anyone has done this.

 
Thanks,

Dave