Using ldap accounts with Xymon
list Brian Catlin
Need a little help - I am setting up a RHEL5 64 bit server that has apache2 ssl enabled and other web apps using ldap to control logins. I would like to do this for Xymon - having one set of accounts to view and another set of accounts to do the admin functions. Openssl and a php ldap setup exist on the server already. (I believe it calls the openldap client under its code.) I do get the certificate from the server for the ssl piece, but want to get rid of the htaccess file and replace it with ldap authentication. So my question is - can I do this, and if so, how about a how-to? Google seems very sparse on this; I have the wikibook listing but wonder if there is more info out there that's useful to those of us not so familiar with ldap configurations. Thanks in advance Brian user-259d6a9a548a@xymon.invalid
list Dan McDonald
On Tue, 2009-04-07 at 19:35 -0400, Brian Catlin wrote:
> Need a little help - I am setting up a RHEL5 64 bit server that has apache2 ssl enabled and other web apps using ldap to control logins. I would like to do this for Xymon - having one set of accounts to view and another set of accounts to do the admin functions.
Yup. Straight-forward.
> Openssl and a php ldap setup exist on the server already. (I believe it calls openldap client under its code). I do get the certificate from the server for the ssl piece, but want to get rid of the htaccess file and replace with ldap authentication. So my question is - can I do this , and if so, how about a how to?
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html Just use the appropriate Require statement.
-- Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy http://www.austinenergy.com
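Dan's pointer in worked form, added here as an editor's example and not something posted to the list: an Apache 2.2 mod_authnz_ldap configuration that replaces the htaccess/htpasswd file with LDAP and gives the view/admin split Brian asked for by requiring one LDAP group on the pages and read-only CGIs and another on the secure CGIs. Everything named in it is assumed: the directory ldap.example.com with users under ou=People,dc=example,dc=com and groupOfNames groups under ou=Groups, the groups cn=xymon-view and cn=xymon-admin, the bind account cn=xymon-bind, the CA file path, and the /xymon, /xymon-cgi and /xymon-seccgi aliases (use the names your own xymon-apache.conf defines).

```apache
# Added example (editor's, not from the list post). Assumes Apache 2.2 with
# mod_ldap and mod_authnz_ldap loaded, TLS already working on the vhost, an
# LDAP server ldap.example.com with users under ou=People,dc=example,dc=com
# and groupOfNames groups under ou=Groups,dc=example,dc=com, and Xymon's
# /xymon, /xymon-cgi and /xymon-seccgi aliases. All of these names are
# assumptions; change them to match your site.

# mod_ldap, server-wide: pin the CA and verify the directory's certificate.
# Without LDAPVerifyServerCert On, ldaps:// encrypts the connection but does
# not authenticate the peer, so a rogue server could collect the bind
# password and every user password Apache forwards to it.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/example-ca.crt
LDAPVerifyServerCert  On

# Viewers: the static pages and the read-only CGIs, open to cn=xymon-view.
<LocationMatch "^/xymon(-cgi)?/">
    # Basic auth carries the password in every request; never allow it over
    # plain HTTP.
    SSLRequireSSL
    AuthType               Basic
    AuthName               "Xymon (LDAP account)"
    AuthBasicProvider      ldap
    # Do not fall through to other authz providers when the LDAP test fails.
    AuthzLDAPAuthoritative On
    # Read-only service account used to locate the user's DN. Its password
    # is stored in clear text here, so keep this file root:root 0640.
    AuthLDAPBindDN         "cn=xymon-bind,ou=Service,dc=example,dc=com"
    AuthLDAPBindPassword   "replace-me"
    # Look the login name up in uid under ou=People; the user's own password
    # is then checked by binding as the DN that was found. Against Active
    # Directory use sAMAccountName and (objectClass=user) instead.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"
    Require ldap-group cn=xymon-view,ou=Groups,dc=example,dc=com
</LocationMatch>

# Admins: the secure CGIs (enable/disable, acknowledge, ...) only for
# cn=xymon-admin. The directives are repeated because Apache 2.2 does not
# inherit authentication settings between sibling Location blocks.
<Location /xymon-seccgi/>
    SSLRequireSSL
    AuthType               Basic
    AuthName               "Xymon administration (LDAP account)"
    AuthBasicProvider      ldap
    AuthzLDAPAuthoritative On
    AuthLDAPBindDN         "cn=xymon-bind,ou=Service,dc=example,dc=com"
    AuthLDAPBindPassword   "replace-me"
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"
    # If your groups are posixGroup entries (memberUid holds the login name,
    # not a DN), tell the module so, otherwise the group test always fails:
    #   AuthLDAPGroupAttribute     memberUid
    #   AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=xymon-admin,ou=Groups,dc=example,dc=com
</Location>
```

Run apachectl configtest, then try both a viewer and an admin account in a browser. With LogLevel debug the module logs each bind, user search and group comparison to error_log, which is the quickest way to tell whether a rejection came from the bind account, the user lookup or the group test. The bind account needs read access to the user and group entries and nothing else.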
list Stewart L
I got this working RHEL5 against Active Directory. Even got transparent NTLM Authentication set up so it authenticates the user automatically. I'd be happy to share if you're looking at an AD environment. Might work for generic LDAP as well. Stewart
--
Stewart
--
If you see yourself in others, then whom can you harm?
list Scot Kreienkamp
Stewart, I'd be interested in the NTLM part. Please share. Thanks, Scot Kreienkamp La-Z-Boy Inc.
list Xymon User in Richmond
On Tue, April 7, 2009 20:33, Stewart L wrote:
> I got this working RHEL5 against Active Directory. Even got transparent NTLM Authentication set up so it authenticates the user automatically. I'd be happy to share if you're looking at an AD environment. Might work for generic LDAP as well.
Like many others, I'm sure, I'm all ears. Well, if you look at a photograph, mostly ears, but still.... regards, j. "I have great faith in fools. Self confidence, my friends call it." --E.A. Poe
list Scot Kreienkamp
Is there any way to see all the data that's coming in for a particular host? I have some external scripts that are reporting via data messages, which of course don't show up on the web pages. So how do you verify the server is receiving those messages? Thanks, Scot Kreienkamp La-Z-Boy Inc.
list Stewart L
*Transparent Authentication against Active Directory 2003 with Apache and CentOS 5*
Here, I will explain the steps I went through to get a Linux server joined
to our Active Directory 2003 infrastructure and to authenticate users
against the domain without them being required to enter credentials.
As I said, this is against an AD 2003 structure. If you are operating in a 2000 or NT domain, this might not work for you, but it should point you on your way.
I'll make a few assumptions at this point for the example.
• You are setting up a webserver to be named *web1.example.com*.
• Your domain is called *EXAMPLE* and your kerberos Realm is named *EXAMPLE.COM*.
• You have a domain account named *EXAMPLE\Bob* that is authorized to add machines into the domain.
• Your Domain controller is *dc1.example.com*.
Install Packages
You obviously need apache installed. You will also need the mod_auth_kerb
package to authenticate against the domain. It is also much easier if you
use the system-config-authentication tool in the authconfig-gtk package.
# yum -y install mod_auth_kerb authconfig-gtk
Join the Machine to the Domain
Before you can join a machine to a domain, you must have a few items taken
care of...
• The hostname (excluding the domain) should be 15 characters or less.
• The system clocks should be synchronized. Use NTP for this.
• Your */etc/hosts* file needs to be properly set up. You should have a localhost entry pointing to 127.0.0.1 and an entry that has your fully-qualified host name pointing to its assigned IP address.
With that out of the way, we can begin configuring authentication.
• Run *system-config-authentication* as root.
• On the Authentication tab, Enable Kerberos and Winbind
• Configure Kerberos.
• REALM = EXAMPLE.COM
• Check the boxes for using DNS to resolve hosts to realms and locate
KDCs.
• KDC and Admin Server can be left blank
• Click ok.
• Configure Winbind
• Domain = EXAMPLE
• Security Model = ads
• ADS Realm = EXAMPLE.COM
• Domain Controllers = dc1.example.com
• Click ok
• Edit your */etc/samba/smb.conf* file and make sure that your netbios name is the same as your hostname. This should be the host part only, not the domain.
Join the Domain
As the root user, run the following commands. You will have to enter a
password for Bob after both commands.
# kinit Bob@EXAMPLE.COM
# net ads join -U Bob
That's it! You're on the domain now. By default you have to have a local
account on the box to authenticate against AD, meaning if there is not a bob
account on web1.example.com, bob cannot log in with his domain password.
Configure an AD User
This is where things become a little convoluted. We are going to create a
user account in AD that the web server will use for authentication. There
are a number of different versions and service packs out there for Windows
Server 2000 and 2003. I got a lot of my information from
http://grolmsnet.de/kerbtut/ so check there if you have problems with this
part.
• Create a user in AD named http_web1.
• Set this account so that the password never expires.
• On the command line of the Domain Controller, run this line
• ktpass -princ HTTP/web1.example.com@EXAMPLE.COM -mapuser EXAMPLE\http_web1 -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass * -out c:\temp\http_web1.keytab
• This will create a keytab file in C:\temp that you need to move to your webserver and place in */etc/httpd*.
Configure Apache
Your configuration should look something like this...
<Location />
    AuthName "Welcome to EXAMPLE"
    AuthType Kerberos
    Krb5Keytab /etc/httpd/http_web1.keytab
    KrbAuthRealm EXAMPLE.COM
    KrbMethodNegotiate On
    KrbSaveCredentials off
    KrbVerifyKDC off
    Require valid-user
</Location>
Naturally, you can change the Authname to whatever you like. Check
http://modauthkerb.sourceforge.net/ for more info on specific configurations
Configure Firefox (Optional)
Type about:config in the URL bar
Modify the following "Preference Name"
Preference Name                            Value
network.negotiate-auth.delegation-uris     Example.com
network.negotiate-auth.trusted-uris        Example.com
network.automatic-ntlm-auth.trusted-uris   Example.com
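The same setup tightened for production, added as an editor's example and not part of Stewart's post. Two things change from the block above. KrbVerifyKDC stays On: mod_auth_kerb enables the password fallback (KrbMethodK5Passwd) by default, and on that path the module obtains a TGT with the user's password, so only this check, which fetches a ticket for the HTTP/ service and decrypts it with the keytab, proves the TGT came from the real KDC rather than a spoofed one. Pure Negotiate logins are unaffected either way, since the browser's service ticket is already decrypted with the keytab, which is why the howto works with it off. And the admin CGIs get their own block limited to named principals. The keytab path, realm, Xymon aliases (/xymon, /xymon-cgi, /xymon-seccgi) and the admin principal are assumptions. On the ktpass side, DES-CBC-MD5 is a 56-bit key; a Windows 2003 DC also offers RC4-HMAC-NT, the stronger choice there (the AES enctypes arrive with 2008 DCs), and nothing in the Apache configuration changes for it.

```apache
# Added example (editor's, not from the list post). Assumes Apache 2.2 on
# CentOS/RHEL 5 with mod_auth_kerb, the keytab produced by the ktpass step
# above copied to /etc/httpd/http_web1.keytab, realm EXAMPLE.COM, and
# Xymon's /xymon, /xymon-cgi and /xymon-seccgi aliases. All names are
# assumptions; adjust to your site.
#
# Before reloading Apache, confirm the keytab holds the HTTP/ principal and
# that only the web server can read it. It is the host's long-term key:
#   klist -kt /etc/httpd/http_web1.keytab
#   chown root:apache /etc/httpd/http_web1.keytab
#   chmod 0640 /etc/httpd/http_web1.keytab

# Viewers: any principal in the realm, via SPNEGO (Negotiate) from a
# domain-joined browser or a Basic password prompt from anything else.
<LocationMatch "^/xymon(-cgi)?/">
    # The password fallback sends the password; keep everything on TLS.
    SSLRequireSSL
    AuthType            Kerberos
    AuthName            "EXAMPLE domain login"
    KrbAuthRealms       EXAMPLE.COM
    KrbServiceName      HTTP
    Krb5Keytab          /etc/httpd/http_web1.keytab
    KrbMethodNegotiate  On
    # The password fallback is where KDC spoofing matters: the module kinits
    # with the user's password and, with KrbVerifyKDC On, proves the result
    # came from the real KDC by getting a ticket for HTTP/web1.example.com
    # and decrypting it with the keytab. Keep these two together: either
    # both On, or K5Passwd Off (Negotiate only).
    KrbMethodK5Passwd   On
    KrbVerifyKDC        On
    # Xymon has no use for delegated credentials; do not store them.
    KrbSaveCredentials  Off
    Require valid-user
</LocationMatch>

# Admins: the secure CGIs only for named principals. mod_auth_kerb sets
# REMOTE_USER to user@REALM exactly as it appears in the ticket, and the
# comparison is case-sensitive, so copy the name from the access log's
# user field rather than typing it from memory.
<Location /xymon-seccgi/>
    SSLRequireSSL
    AuthType            Kerberos
    AuthName            "EXAMPLE domain login"
    KrbAuthRealms       EXAMPLE.COM
    KrbServiceName      HTTP
    Krb5Keytab          /etc/httpd/http_web1.keytab
    KrbMethodNegotiate  On
    KrbMethodK5Passwd   On
    KrbVerifyKDC        On
    KrbSaveCredentials  Off
    Require user bob@EXAMPLE.COM
</Location>
```

After a reload, a first request from a domain-joined browser should be answered with a 401 carrying WWW-Authenticate: Negotiate and the retry should succeed without a prompt; the access log's user field then shows the principal with its realm, and that exact string is what Require user is matched against. If klist -kt shows no HTTP/ entry, the ktpass step produced a keytab for the wrong principal and no Apache setting will fix it.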
list Stewart L
If anyone has any feedback, Let me know. Anxious to hear if this works for others. Stewart
list T.J. Yang
quick upload to here, not much editing. http://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Other_Docs/HOWTO#Transparent_Authentication_against_Active_Directory_2003_with_Apache_and_CentOS_5 Let me know if you disapprove this uploading. T.J. Yang
list Stewart L
fine by me.
list Buchan Milne
On Wednesday 08 April 2009 02:33:40 Stewart L wrote:
> I got this working RHEL5 against Active Directory. Even got transparent NTLM Authentication set up so it authenticates the user automatically. I'd be happy to share if you're looking at an AD environment. Might work for generic LDAP as well.
Sorry to be pedantic, but the documentation you provided is not for NTLM authentication, but for Kerberized authentication. The Apache-related documentation should be valid in any Kerberos environment, but the details of how to issue keytabs depends on the implementation used for the KDC (e.g., with Heimdal it is possible to create the keytab from the host that needs it, in place, no copying is required, but this is not the case with MIT). Your howto has nothing to do with LDAP btw ...
list Stewart L
I posted what I had because a bunch of folks asked me to off list. While not specific to LDAP, I'm sure some folks will find it useful. Don't think I mention NTLM or LDAP in the final docs I posted and the title was pretty specific about where it worked. Yes, I know it's Kerberos, not NTLM and I linked to the page where I gained a bunch of this info which provides details on the keytabs for a bunch of different environments. Stewart