Solved

Apache 2.2 LDAPS Authentication

Posted on 2009-05-07
4
657 Views
Last Modified: 2013-12-24
Server Details
Windows server 2003 hosting
       Apache 2.2 .10
Client certificate installed using certificate services server.
I exported the certificate and copied to c:\ldap\ldap.cer
I reference the certificate in the httpd.conf file below.


Objective for Intranet site
Authenticate clients upon arrival of protected web pages.
Authentication must be given to only members of a particular group, the  Web group.
Authentication Method: authnz_ldap_module for Apache.
Use SSL to encrypt the authentication session. Via mod_ldap.so
I have used LDAP.exe and did create a connection to the LDAP server using the LDAP.exe tool.

#LDAPTrustedClientCert c:\ldap\ldap.cer
<Directory D:\web\intranet\Information-Services\Staff>

AuthType Basic
AuthName "Web"
AuthBasicProvider ldap
AuthLDAPBindDN Web@mc.ad.ll.org
AuthLDAPBindPassword password*1

AuthLDAPURL "ldap://ActiveDirectory:389/DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"
AuthLDAPURL ldaps://ActiveDirectory:636 /DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

require ldap-attribute objectClass=user
#when I use the above directive I can authenticate to the ldap server, however other users can authenticate that should not be able to see the content.
#Require ldap-group cn=Web, ou=Web Groups, ou=Global Security Groups, dc=mc, dc=ad, dc=ll, dc=org
#When I use the directive above I cannot authenticate at all. This is the error I receive
Thu May 07 10:33:29 2009] [error] [client 192.168.0.70] File does not exist:

</Directory>


LDAP server: Windows server 2003 SP2 Active Directory

Thanks for your help.

0
Comment
Question by:emgdave
  • 2
  • 2
4 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 24346192
This deals with how AD is setup, not how Apache is authenticating against it.

The first check, require ldap-attribute objectClass=user basically says if the user-id and password is valid, they can do whatever.

The second one is requiring that the user is part of a specific group.  Are you part of that group?
0
 

Author Comment

by:emgdave
ID: 24355571
I did manage to get this working on Friday. The people managing AD gave me the wrong group.
But i am curios to know what the strings at the end of the ldap url mean. And also on the require directive.
Can you point me to some documentation on what they mean so i can correctly craft my apache directives and know what they are actually doing?  eg. ?sAMAccountName?sub?(objectClass=*)"  , require ldap-attribute objectClass=user

Thanks
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 24355968
LDAP uses the term DN (distinguished name) to describe a group of objects. A DN is made up of multiple objects that are strung together.  However these must be strung together in the correct order.

An "objectClass" is an attribute name.  

In your case it seems your main DN is DC=mc,DC=ad,DC=ll,DC=org  which when strung together you get mc.ad.ll.org.

The sAMAccountName is SAM Account Name object, or your userid.  So the string:

DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

Means that you want to look at all object under the object sAMAccountName in the LDAP DN mc.ad.ll.org and all "objectClass", which under the sAMAccountName would most likely be all user names.  By requiring the objectclass "user" then you would further check all entries under sAMAccoutName and verify that they had the attribute "user" associated with them.

You can search for LDAP basics to get a better understanding.  Here are just a few links that may help:

http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx (mpstly about queries)
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzahy/rzahyovrco.htm
http://beginlinux.com/server_training/server-managment-topics/1015-basics-of-ldap
0
 

Author Closing Comment

by:emgdave
ID: 31579126
thank you
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now