nbyinfrastructure

Apache LDAP authentication over multiple domains

We've got Apache 2.2 running on a Win 2k3 server, mainly because of the vast number of features it offers over IIS. However I'm having trouble authenticating it against our AD forest. Is there a way to get Apache to query multiple ldap URLs?

We have a forest of domains, each with one or more DCs (i.e. europe.company.com, america.company.com). Within each domain, all non-default objects are stored in an OU named after the domain (i.e. ou=europe,dc=europe,dc=company,dc=com).

I have successfully enabled other LDAP-based software to authenticate against the entire forest using the Global Catalog (ldap://dc-uk.europe.company.com:3268), first authenticating against ou=europe,dc=europe... then ou=america..., both querying the same DC. However I can't get this to work in Apache. I've tried both multiple AuthLDAPURL predicates, and truncating the query to:
ldap://dc-uk.europe.company.com:3268/dc=company,dc=com?uid
But, even when trying different formats of login user name, this doesn't work.

Does anyone have any pointers? Is there a magic way of getting Apache to perform multiple queries, or would getting people to log on with a differently formatted user name work? I've tried all the variations I can think of. Due to the nature of our company, changes to the AD schema aren't really possible. Please find config attached below.

Any help would be greatly appreciated!
<LocationMatch "/secure">
    Order allow,deny
    Allow from all
    Satisfy All
    AuthType Basic
    AuthName "Windows Passthrough"
    AuthBasicProvider ldap
    AuthLDAPBindDN "cn=guest,ou=Service Accounts,ou=uk,ou=europe,dc=europe,dc=company,dc=com"
    AuthLDAPBindPassword "guest"
    # I know using CN is bad, but I know that any non-computer objects will have a unique CN for the whole forest.
    AuthLDAPURL "ldap://dc-uk.europe.company.com:389/dc=europe,dc=company,dc=com?cn?sub?(!(objectClass=computer))"
    AuthzLDAPAuthoritative On
    # I can change this to a Universal group if I'm using the Global Catalog
    Require ldap-group cn=GGUK AllowSecured,ou=Groups,ou=UK,ou=europe,dc=europe,dc=company,dc=com
</LocationMatch>


ahoffmann

> Is there a way to get Apache to query multiple ldap URLs?
IIRC no.
But why do you not configure your LDAP (AD) to do the query?

Also, AD is usually configured with ldaps (see your AuthLDAPURL)
nbyinfrastructure
ASKER

I've got a little further with this issue, but am still having trouble.

I can query the GC with a null BN, which allows me to query all domains. However, I'm still having trouble as of course the GC doesn't contain Domain Local groups, and I'll need to use these to hold the authorised members.

As far as I can see, what I need to do is to include a redundant DC, which is just the same DC on a different port. i.e:

AuthLDAPURL ldap://uk-dc.europe.company.com:3268/ \
    ldap://uk-dc.europe.company.com/ou=europe,dc=europe,dc=company,dc=com?sAMAccountName

At the moment I'm getting referral errors, but from what I understand from forums I believe I can recompile mod_ldap with a NO_REFERRALS option to get round these?

ahoffman - thanks for your input, when you say use LDAP to do the query, how do you mean? Is there some go-between I can use and then reference in Apache?

Yes we have ldaps, but as I'm communicating with a server 12 inches away over a separate virtual network to anything much else I assumed this would only add latency?
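An added configuration example, not posted by nbyinfrastructure or ahoffmann, that puts together the two working pieces mentioned in the question and the follow-up: authentication forest-wide through the Global Catalog with an empty base DN and sAMAccountName, and authorisation on a Universal group, because Domain Local group membership is not replicated into the GC. It also takes ahoffmann's point about ldaps, since with plain ldap:// every user's Basic-auth password and the service account's bind password cross the wire in clear. Host names, the service-account DN, the group DN and the search filter are assumptions modelled on the layout described in the question; LDAPReferrals is a mod_ldap directive available from Apache 2.2.13 onwards.

```apache
# Added example (not from the original thread). Apache 2.2 + mod_ldap +
# mod_authnz_ldap authenticating against an AD forest via the Global Catalog.
# All DNs, host names and the group name are assumptions based on the thread.

# Share one LDAP connection/result cache between worker threads so that each
# request does not open a fresh session and re-run the user-DN search.
LDAPSharedCacheSize 500000
LDAPCacheEntries    1024
LDAPCacheTTL        600
LDAPOpCacheEntries  1024
LDAPOpCacheTTL      600

# A DC answers for partitions it does not hold with referrals; chasing them
# re-binds elsewhere and typically fails for a low-privilege service account.
# Turn chasing off (Apache 2.2.13 and later) and search the GC instead.
LDAPReferrals Off

<LocationMatch "/secure">
    Order allow,deny
    Allow from all
    Satisfy All
    AuthType Basic
    AuthName "Windows Passthrough"
    AuthBasicProvider ldap

    # Dedicated read-only service account (assumed DN). It is used only to
    # translate the typed user name into a DN; the user's own password is then
    # checked by a second bind as that DN.
    AuthLDAPBindDN "cn=svc-apache-ldap,ou=Service Accounts,ou=uk,ou=europe,dc=europe,dc=company,dc=com"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    # Global Catalog over TLS: 3269 is the ldaps GC port (3268 is the plain
    # one). An empty base DN (the "/?" right after the host) searches every
    # domain partition replicated into the GC, so "jsmith" resolves without a
    # domain prefix. The filter keeps only real user objects and rejects
    # disabled accounts (userAccountControl bit 2, matched with the AD
    # bitwise-AND rule OID 1.2.840.113556.1.4.803).
    AuthLDAPURL "ldaps://dc-uk.europe.company.com:3269/?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    # Only Universal groups carry their "member" attribute into the GC; a
    # Domain Local (or Global) group would always fail this check here.
    # The compare is done on the user's DN, not the login name.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthzLDAPAuthoritative On
    Require ldap-group cn=UG-AllowSecured,ou=Groups,ou=UK,ou=europe,dc=europe,dc=company,dc=com
</LocationMatch>
```

Two caveats. First, a space-separated host list in AuthLDAPURL only gives mod_ldap a fallback server to connect to; it never runs the search against more than one directory, so the "redundant DC on a different port" idea in the follow-up cannot make Apache consult both the GC and a domain partition for one request. Second, how the DC's certificate is trusted for ldaps:// depends on which LDAP SDK Apache was built against (on Windows this is normally the Microsoft one, which relies on the Windows certificate store), so check the mod_ldap documentation for that build before relying on the ldaps URL.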
> .. use LDAP to do the query,
Most LDAP servers can be configured to forward a query; it depends on the schema and the configuration of the LDAP server itself and has nothing to do with the client.
ASKER CERTIFIED SOLUTION
nbyinfrastructure