Solved

Apache 2.2 LDAPS Authentication

Posted on 2009-05-07
4
666 Views
Last Modified: 2013-12-24
Server Details
Windows server 2003 hosting
       Apache 2.2 .10
Client certificate installed using certificate services server.
I exported the certificate and copied to c:\ldap\ldap.cer
I reference the certificate in the httpd.conf file below.


Objective for Intranet site
Authenticate clients upon arrival of protected web pages.
Authentication must be given to only members of a particular group, the  Web group.
Authentication Method: authnz_ldap_module for Apache.
Use SSL to encrypt the authentication session. Via mod_ldap.so
I have used LDAP.exe and did create a connection to the LDAP server using the LDAP.exe tool.

#LDAPTrustedClientCert c:\ldap\ldap.cer
<Directory D:\web\intranet\Information-Services\Staff>

AuthType Basic
AuthName "Web"
AuthBasicProvider ldap
AuthLDAPBindDN Web@mc.ad.ll.org
AuthLDAPBindPassword password*1

AuthLDAPURL "ldap://ActiveDirectory:389/DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"
AuthLDAPURL ldaps://ActiveDirectory:636 /DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

require ldap-attribute objectClass=user
#when I use the above directive I can authenticate to the ldap server, however other users can authenticate that should not be able to see the content.
#Require ldap-group cn=Web, ou=Web Groups, ou=Global Security Groups, dc=mc, dc=ad, dc=ll, dc=org
#When I use the directive above I cannot authenticate at all. This is the error I receive
Thu May 07 10:33:29 2009] [error] [client 192.168.0.70] File does not exist:

</Directory>


LDAP server: Windows server 2003 SP2 Active Directory

Thanks for your help.

0
Comment
Question by:emgdave
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 24346192
This deals with how AD is setup, not how Apache is authenticating against it.

The first check, require ldap-attribute objectClass=user basically says if the user-id and password is valid, they can do whatever.

The second one is requiring that the user is part of a specific group.  Are you part of that group?
0
 

Author Comment

by:emgdave
ID: 24355571
I did manage to get this working on Friday. The people managing AD gave me the wrong group.
But i am curios to know what the strings at the end of the ldap url mean. And also on the require directive.
Can you point me to some documentation on what they mean so i can correctly craft my apache directives and know what they are actually doing?  eg. ?sAMAccountName?sub?(objectClass=*)"  , require ldap-attribute objectClass=user

Thanks
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 24355968
LDAP uses the term DN (distinguished name) to describe a group of objects. A DN is made up of multiple objects that are strung together.  However these must be strung together in the correct order.

An "objectClass" is an attribute name.  

In your case it seems your main DN is DC=mc,DC=ad,DC=ll,DC=org  which when strung together you get mc.ad.ll.org.

The sAMAccountName is SAM Account Name object, or your userid.  So the string:

DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

Means that you want to look at all object under the object sAMAccountName in the LDAP DN mc.ad.ll.org and all "objectClass", which under the sAMAccountName would most likely be all user names.  By requiring the objectclass "user" then you would further check all entries under sAMAccoutName and verify that they had the attribute "user" associated with them.

You can search for LDAP basics to get a better understanding.  Here are just a few links that may help:

http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx (mpstly about queries)
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzahy/rzahyovrco.htm
http://beginlinux.com/server_training/server-managment-topics/1015-basics-of-ldap
0
 

Author Closing Comment

by:emgdave
ID: 31579126
thank you
0

Featured Post

Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Azure Functions is a solution for easily running small pieces of code, or "functions," in the cloud. This article shows how to create one of these functions to write directly to Azure Table Storage.
A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question