Admin at 15:30, 10 December 2021

2021-12-10T15:30:26Z

← Older revision		Revision as of 15:30, 10 December 2021
Line 92:		Line 92:
	AuthBasicProvider ldap		AuthBasicProvider ldap
	#AuthzLDAPAuthoritative Off		#AuthzLDAPAuthoritative Off
	AuthLDAPURL "ldap://pdc.domain.com/ou=External,dc=~~hitchhiker~~,dc=com?sAMAccountName?sub?		AuthLDAPURL "ldap://pdc.domain.com/ou=External,dc=domain,dc=com?sAMAccountName?sub?
	AuthLDAPBindDN "apache-ldap@domain.com"		AuthLDAPBindDN "apache-ldap@domain.com"
	AuthLDAPBindPassword xxxxx		AuthLDAPBindPassword xxxxx

Admin at 15:29, 10 December 2021

2021-12-10T15:29:20Z

Show changes

Admin at 14:28, 15 March 2021

2021-03-15T14:28:08Z

← Older revision		Revision as of 14:28, 15 March 2021
Line 204:		Line 204:
	AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"		AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
	AuthLDAPBindDN "apache-ldap@hitchhiker.com"		AuthLDAPBindDN "apache-ldap@hitchhiker.com"
	AuthLDAPBindPassword ~~0uru4w8v~~		AuthLDAPBindPassword xxxx
	Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com		Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com
	</Files>		</Files>
Line 224:		Line 224:
	AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"		AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
	AuthLDAPBindDN "apache-ldap@hitchhiker.com"		AuthLDAPBindDN "apache-ldap@hitchhiker.com"
	AuthLDAPBindPassword ~~0uru4w8v~~		AuthLDAPBindPassword xxxx
	Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com		Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com
	</Directory>		</Directory>

Admin: Created page with "=Apache and LDAP= This is how to get users authenticated against LDAP on AD. We're using: Apache 2.2.16 Debian 6 *AD on Server2012 First step is to create a user called '''..."

2021-01-13T14:37:08Z

Created page with "=Apache and LDAP= This is how to get users authenticated against LDAP on AD. We're using: *Apache 2.2.16 *Debian 6 *AD on Server2012 First step is to create a user called '''..."

New page

=Apache and LDAP=
This is how to get users authenticated against LDAP on AD.
We're using:
*Apache 2.2.16
*Debian 6
*AD on Server2012

First step is to create a user called '''apache-ldap''', the user does not need to have any special permissions, it's
just to read from LDAP.

*Install the user tools:
apt-get install ldap-utils

*Enable autnz on apache (Already installed with 2.2)
a2dismod authnz_ldap
a2enmod authnz_ldap

*Set some defaults in /etc/ldap/ldap.conf
BASE dc=hitchhiker,dc=com
REFERRALS off

*Switch on debugging log in apache.conf
LogLevel debug

=Query LDAP=
*Basic Query
ldapsearch -LLL -H ldap://hh-intpdc.hitchhiker.com -x -D 'apache-ldap' -w 'xxxxx'

*Full query with no size limits, usefull to pipe the entire catalog to file
ldapsearch -LLL -E pr=1000/noprompt -x -H ldap://hh-intpdc.hitchhiker.com -x -D 'apache-ldap' -w '******'

*Sample query to show all users, NOTE THAT AD does not know the OU=Users so we have to use the common name CN=Users
ldapsearch -D "apache-ldap" -w xxxxxxxx -H ldap://hh-intpdc.hitchhiker.com -b "CN=Users,DC=hitchhiker,DC=com"

*Sample query to show all user group called Male
ldapsearch -D "apache-ldap" -w xxxxx -H ldap://hh-intpdc.hitchhiker.com -b "CN=Male,CN=Users,DC=hitchhiker,DC=com" objectclass=*

=HTACCESS=
*sample of .htaccess

AuthName "Top Secret Area"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword ****

*Filter criterias, pick one or more
#Filter for one or more usernames
Require ldap-user "Username"

#Filter for existing mobile phone number and the department must be IT
Require ldap-filter &(mobile=*)(department=IT)

#Filter for Exchange attributes
Require ldap-attribute extensionAttribute3=GroupPolicy-ITAdmin

#Assumming a user calles stats within the group bookingstats at OU=IT
Require ldap-group CN=bookingstats,ou=IT,dc=hitchhiker,dc=com

*Links
See: http://stackoverflow.com/questions/1405011/ldap-directory-entry-in-net-not-working-with-ou-users 
https://www.sit.auckland.ac.nz/LDAP_authentication_with_Apache_mod_authnz_ldap 
http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication 
http://www.conigliaro.org/2008/12/31/active-directory-authentication-on-apache-with-mod_authnz_ldap/ 

=Setup sample of statistics=
bookingstats.intern and statistics.hitchhiker.net are different server in different networks, they use both different sql servers (security) but
use the same ldap server to authenticate. 
The goal of this is having both, STATUSER and External user logging in to both server. 
[[File:bookingstats.png]]
 
==Setup external OU==
Create an OU called '''External'''. Add a group called '''statistics''' and add the external users into this group: 
[[File:ads-ldap01.png]]
 

==Setup the internal Exchange Attribute==
Edit the exchange attribute number 4 and type '''STATUSER''': 
[[File:ads-ldap02.png]]

=Apache config sample for bookingstats.intern=
We use the Exchange attributes as main authentication and the external OU '''External''' as second authentication.
This is named like '''Apache authentication from multiple domains in AD with mod_authn_alias''' 

*/etc/apache2/sites-available/bookingstats

<AuthnProviderAlias ldap first-ldap>
AuthBasicProvider ldap
AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword xxxxx
'''Require ldap-attribute extensionAttribute4=STATUSER'''
AuthType Basic
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
</AuthnProviderAlias>
<AuthnProviderAlias ldap second-ldap>
AuthBasicProvider ldap
#AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/ou=External,dc=hitchhiker,dc=com?sAMAccountName?sub?
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword xxxxx
'''Require ldap-group CN=statistics,ou=External,dc=hitchhiker,dc=com'''
</AuthnProviderAlias>
<Directory "/usr/local/www/bookingstats/cgi-bin/">
Options IncludesNoExec
Allow from 10.0.1 192.168
Order allow,deny
Allow from all
AddHandler cgi-script .cgi .pl
PerlResponseHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options +ExecCGI
AuthName "Use your Windows account"
AuthType Basic
'''AuthBasicProvider first-ldap second-ldap'''
AuthzLDAPAuthoritative off
require valid-user
</Directory>
<Virtualhost *:80>
ServerAdmin mk@hitchhiker.com
ServerName bookingstats.intern
DocumentRoot /usr/local/www/bookingstats/cgi-bin/
#Reroute to frame
DirectoryIndex frame.pl /frame.pl
ErrorLog /var/log/apache2/bookingstats.error
LogLevel info
CustomLog /var/log/apache2/bookingstats.access combined
Redirect /index.html http://bookingstats.intern/cgi-bin/start.pl
</Virtualhost>

=Apache config sample for statistics.hitchhiker.net=

<AuthnProviderAlias ldap first-ldap>
AuthBasicProvider ldap
AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword xxxx
'''Require ldap-attribute extensionAttribute4=STATUSER'''
AuthType Basic
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
</AuthnProviderAlias>
<AuthnProviderAlias ldap second-ldap>
AuthBasicProvider ldap
AuthLDAPURL "ldap://CENTAURI.hitchhiker.com/ou=External,dc=hitchhiker,dc=com?sAMAccountName?sub?
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword xxxxx
'''Require ldap-group CN=statistics,ou=External,dc=hitchhiker,dc=com'''
</AuthnProviderAlias>
<Directory "/ftpweb/web/statistics.hitchhiker.net/cgi-bin/">
Options ExecCGI
DirectoryIndex frame.pl
Options IncludesNoExec
#AuthType Basic
Order allow,deny
Allow from all
AddHandler cgi-script .cgi .pl
PerlResponseHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options +ExecCGI
AuthName "Statistic Area"
AuthType Basic
'''AuthBasicProvider second-ldap first-ldap'''
AuthzLDAPAuthoritative off
require valid-user
</Directory>
<VirtualHost *:80>
ServerName statistics.hitchhiker.net
Redirect permanent / https:/statistics.hitchhiker.net/
</VirtualHost>
<VirtualHost *:443>
SSLCertificateFile /etc/apache2/ssl/statistics.hitchhiker.net.crt
SSLCertificateKeyFile /etc/apache2/ssl/statistics.hitchhiker.net.key
SSLEngine on
ServerAdmin mis@hitchhiker.com
ServerName statistics.hitchhiker.net
DocumentRoot /ftpweb/web/statistics.hitchhiker.net/cgi-bin
ErrorLog /var/log/apache2/statistics.hitchhiker.net.error
CustomLog /var/log/apache2/statistics.hitchhiker.net.access combined
DirectoryIndex frame.pl /frame.pl
SSLHonorCipherOrder On
SSLProtocol +ALL -SSLv3 -SSLv2
SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
</VirtualHost>

=Using AD Group within Directory, Location or File=
Sample to use the AD Group '''MYGROUP'''' within a Files context

<Files "manage.pl">
AuthName "Use your winwods accoutn to login"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword 0uru4w8v
Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com
</Files>

Sample to use the AD Group '''MYGROUP'''' within a Directryy context

<Directory "/usr/local/www/testcode.internxx">
Options Indexes MultiViews ExecCGI
DirectoryIndex index.htm
Order allow,deny
Allow from all
AddHandler cgi-script .cgi .pl .htm
DirectoryIndex index.htm
AuthName "Use your winwods accoutn to login"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL "ldap://hh-intpdc.hitchhiker.com/cn=Users,dc=hitchhiker,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "apache-ldap@hitchhiker.com"
AuthLDAPBindPassword 0uru4w8v
Require ldap-group cn=MYGROUP,cn=Users,dc=hitchhiker,dc=com
</Directory>

=Caching=
Caching is enabled by default, to see the stats add the following location:

<Location /server/cache-info>
SetHandler ldap-status
</Location>

Disable caching in eg apache.conf
LDAPOpCacheEntries 0

See: https://httpd.apache.org/docs/2.4/mod/mod_ldap.html

=Links:=
http://serverfault.com/questions/312281/apache-authentication-from-multiple-domains-in-ad-with-mod-authn-alias\ 
http://serverfault.com/questions/140858/authenticating-apache-httpd-against-multiple-ldap-servers-with-expired-accounts 

=Resources=
*[[Bookingstats.intern]]
*[[Bookingstats]]
 Keywords: bookingstats stats statistics statistics.hitchhiker.net bookingstats.intern ldap

Keywords: bookingstats stats statistics

Apache and Ldap - Revision history

Admin at 15:30, 10 December 2021

Admin at 15:29, 10 December 2021

Admin at 14:28, 15 March 2021

Admin: Created page with "=Apache and LDAP= This is how to get users authenticated against LDAP on AD. We're using: *Apache 2.2.16 *Debian 6 *AD on Server2012 First step is to create a user called '''..."

Admin: Created page with "=Apache and LDAP= This is how to get users authenticated against LDAP on AD. We're using: Apache 2.2.16 Debian 6 *AD on Server2012 First step is to create a user called '''..."