Xymon Mailing List Archive

securing access Active Directory

3 messages in this thread

John A. Milburn · Thu, 14 Apr 2005 14:18:37 -0500
This worked for Windows 2000. It also worked for Windows 2003 if the
search base was not the root of the domain.
 
I found that if you authenticate against a Global Catalogue, it works
for both.
 
 
# Directory for Hobbit maintenance
# Apache 2.0 mod_auth_ldap syntax. The lookup goes to a Global Catalog on
# port 3268 (plain LDAP; 3269 is the SSL-protected GC port), so the search
# works whether or not the base is the root of the domain.
ScriptAlias /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
<Directory /usr/local/hobbit/cgi-secure>
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthAuthoritative On
    # let the LDAP server compare DNs (used by the group check below)
    # instead of a plain string compare
    AuthLDAPCompareDNOnServer on
    # host:port/base-DN?attribute-to-match?scope?filter: the login name is
    # matched against sAMAccountName on user objects under the domain root
    AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)
    # service account used for the search; its password is stored in the
    # clear here, so keep this file readable by root and the httpd user only
    AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
    AuthLDAPBindPassword HobbitUserPassword
    AuthType Basic
    AuthName "Enter your Windows logon name/Password"
    # authorization: the user DN must be a member of this AD group
    require group CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
</Directory>

Setting "AuthAuthoritative Off" should allow other modules to
authenticate users if ldap fails. I haven't tried this yet.


From: Taylor, Robert [mailto:user-3e97fc7d80fd@xymon.invalid] 
Sent: Monday, April 04, 2005 7:36 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: RE: [hobbit] securing access


There was a post a few days back with an LDAP configuration.  I was able
to change a few things around and get that to work with our MS Active
Directory to validate usernames/passwords for access on a RH EL 3.0 box.

 
Here is the config for my Apache server.  It effectively lets anyone
access from the internal 10.x.x.x network and then requires a valid
username/password for anyone accessing via the Web.

 
<Directory "/var/www/html">
    AllowOverride None
    Order Deny,Allow
    AuthType Basic
    AuthName "<Something to display in dialog>"
    # mod_authz_ldap directives (a separate module, not Apache's own
    # mod_auth_ldap); port 389 is plain LDAP, so passwords cross the wire
    # unencrypted unless the server side is switched to LDAPS
    AuthzLDAPEngine on
    AuthzLDAPServer <IP Address of LDAP Server>:389
    # the login name is matched against this attribute under the user base
    AuthzLDAPUserKey sAMAccountName
    AuthzLDAPBindDN <valid LDAP Username for binding to server>
    AuthzLDAPBindPassword <LDAP password for username above>
    AuthzLDAPUserBase dc=<something>,dc=<something .com, .local, .net etc...>
    AuthzLDAPUserScope subtree
    Deny from all
    # "Satisfy any": a request passes if EITHER the address rule OR the
    # user rule succeeds, so clients in 10.0.0.0/8 ("Allow from 10." is a
    # partial-address match) are never asked for a password
    Satisfy any
    Require valid-user
    Allow from 10.
</Directory>

 
Standard disclaimer would be that I am no Apache expert and this took me
FOREVER to get working right, but it seems to be okay now.

 
Robert

 
From: David Garaway [mailto:user-4528dbd32b26@xymon.invalid] 
Sent: Monday, April 04, 2005 3:29 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] securing access

 
Does anyone know how to lock the whole hobbit page down? I have a friend
that would like to be able to get to the page from anywhere but wants
something like htaccess. Before I started mucking around with apache to
try to get this working I thought I would see if anyone has done this.

 
Thanks,

Dave
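The AuthLDAPURL in the config above packs host, port, search base, match attribute, scope and filter into one string, and Apache turns each login into the search `(&(filter)(attribute=username))`. The following is an added example, not code from the Hobbit project or from any of the posters: it parses that URL form, builds the per-user filter with RFC 4515 escaping so a login name containing `*` or `)` cannot widen or restructure the search (mod_auth_ldap's own escaping code is not reproduced here), and emits an OpenLDAP `ldapsearch` command line for checking the bind account, base and filter against the Global Catalog before wiring them into httpd.conf. The hostname, DNs and user names are the thread's placeholders.

```python
"""Parse an Apache AuthLDAPURL and build the search it implies.

Added example, not code from the Hobbit project or from the list posters.
Hostname, DNs and user names are the thread's placeholders.
"""
import shlex
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# RFC 4515 escapes for values placed inside a search filter. Without
# them a login name of "*" matches every user object and "x)(cn=*"
# rewrites the filter structure.
_FILTER_ESCAPES = {
    "\0": r"\00",
    "(": r"\28",
    ")": r"\29",
    "*": r"\2a",
    "\\": r"\5c",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class AuthLdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str   # attribute the login name is matched against
    scope: str       # base | one | sub
    filter: str      # extra filter AND-ed with the attribute match


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter.

    Defaults follow the mod_auth_ldap documentation: attribute uid,
    scope sub, filter (objectClass=*), port 389 (636 for ldaps).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("AuthLDAPURL needs a host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # everything after the first '?' is attribute?scope?filter, each optional
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    scope = fields[1] or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    return AuthLdapUrl(
        scheme=parts.scheme,
        host=parts.hostname,
        port=port,
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=fields[0] or "uid",
        scope=scope,
        filter=unquote(fields[2]) or "(objectClass=*)",
    )


def user_search_filter(cfg: AuthLdapUrl, username: str) -> str:
    """Filter sent for one login: (&(<filter>)(<attribute>=<escaped user>))."""
    return f"(&{cfg.filter}({cfg.attribute}={escape_filter_value(username)}))"


def ldapsearch_argv(cfg: AuthLdapUrl, bind_dn: str, username: str) -> list:
    """argv for an OpenLDAP ldapsearch that repeats Apache's lookup.

    -W prompts for the bind password so it never lands in shell history;
    memberOf is requested so the group named in 'require group' can be
    checked by eye in the output.
    """
    return [
        "ldapsearch", "-x",
        "-H", f"{cfg.scheme}://{cfg.host}:{cfg.port}",
        "-D", bind_dn, "-W",
        "-b", cfg.base_dn, "-s", cfg.scope,
        user_search_filter(cfg, username),
        "dn", "memberOf",
    ]


if __name__ == "__main__":
    cfg = parse_auth_ldap_url(
        "ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com"
        "?sAMAccountName?sub?(objectClass=user)"
    )
    print(user_search_filter(cfg, "jdoe"))
    print(user_search_filter(cfg, "*"))   # escaped: no wildcard match
    print(shlex.join(ldapsearch_argv(
        cfg, "CN=HobbitUser,CN=Users,DC=mydomain,DC=com", "jdoe")))
```

If the printed `ldapsearch` returns the user's DN and a `memberOf` line naming the HobbitManagers group, the URL, bind account and group DN are right and any remaining failure is on the Apache side (module loading, AuthAuthoritative, or the group attribute settings).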
Andy France · Wed, 20 Apr 2005 09:53:20 +1200

Hi John,


"Milburn, John A." wrote on 15/04/2005 07:18:37:
quoted from John A. Milburn
This worked for Windows 2000. It also worked for Windows 2003 if
the search base was not the root of the domain.

I found that if you authenticate against a Global Catalogue, it
works for both.


#Directory for Hobbit maintenance
ScriptAlias /hobbit-seccgi/ "/usr/local/hobbit/cgi-secure/"
<Directory /usr/local/hobbit/cgi-secure>
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthAuthoritative On
    AuthLDAPCompareDNOnServer on
    AuthLDAPURL ldap://gc1.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN CN=HobbitUser,CN=Users,DC=mydomain,DC=com
    AuthLDAPBindPassword HobbitUserPassword
    AuthType Basic
    AuthName "Enter your Windows logon name/Password"
    require group CN=HobbitManagers,OU=Managers,DC=mydomain,DC=com
</Directory>

Setting "AuthAuthoritative Off" should allow other modules to
authenticate users if ldap fails. I haven't tried this yet.

I've modified this to match my own AD configuration, but I'm still not
having any luck :-(

My apache install includes the ldap_module.so and auth_ldap_module.so files
- should these work OK by themselves, or do I need to install further
OpenLDAP libraries?  Running ldd on these files doesn't indicate any
special requirements.
John A. Milburn · Tue, 19 Apr 2005 18:11:27 -0500
----- Original Message ----- 
From: "Andy France" <user-ee2a9e4eaf57@xymon.invalid>
To: <user-ae9b8668bcde@xymon.invalid>
Sent: Tuesday, April 19, 2005 4:53 PM
Subject: RE: [hobbit] securing access Active Directory

quoted from Andy France

I've modified this to match my own AD configuration, but I'm still not
having any luck :-(

My apache install includes the ldap_module.so and auth_ldap_module.so
files - should these work OK by themselves, or do I need to install further
OpenLDAP libraries? Running ldd on these files doesn't indicate any
special requirements.

I don't know of any dependencies. I do have the OpenLDAP libraries
installed.
I am using Fedora Core 3 fully updated. Almost everything was installed,
since I am not that good with Linux.