Solved

Apache 2.2 LDAPS Authentication

Posted on 2009-05-07
Last Modified: 2013-12-24
Server Details
Windows Server 2003 hosting Apache 2.2.10
Client certificate installed using certificate services server.
I exported the certificate and copied to c:\ldap\ldap.cer
I reference the certificate in the httpd.conf file below.


Objective for Intranet site
Authenticate clients upon arrival of protected web pages.
Authentication must be given to only members of a particular group, the Web group.
Authentication Method: authnz_ldap_module for Apache.
Use SSL to encrypt the authentication session. Via mod_ldap.so
I have used LDAP.exe and did create a connection to the LDAP server using the LDAP.exe tool.

#LDAPTrustedClientCert c:\ldap\ldap.cer
# (as posted; LDAPTrustedClientCert takes a type argument first, e.g. CERT_DER,
#  and the CA that issued the AD server's certificate is trusted with
#  LDAPTrustedGlobalCert CA_DER c:\ldap\ldap.cer if that file is the CA certificate)
<Directory D:\web\intranet\Information-Services\Staff>

    AuthType Basic
    AuthName "Web"
    AuthBasicProvider ldap
    AuthLDAPBindDN Web@mc.ad.ll.org
    AuthLDAPBindPassword password*1

    # Only one AuthLDAPURL applies per Directory (the last one wins), so the plain
    # ldap:// URL is commented out and the ldaps:// URL is the one in effect.
    #AuthLDAPURL "ldap://ActiveDirectory:389/DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPURL "ldaps://ActiveDirectory:636/DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

    Require ldap-attribute objectClass=user
    #When I use the above directive I can authenticate to the LDAP server; however, other users can authenticate that should not be able to see the content.
    #Require ldap-group cn=Web, ou=Web Groups, ou=Global Security Groups, dc=mc, dc=ad, dc=ll, dc=org
    #When I use the directive above I cannot authenticate at all. This is the error I receive:
    #[Thu May 07 10:33:29 2009] [error] [client 192.168.0.70] File does not exist:

</Directory>


LDAP server: Windows server 2003 SP2 Active Directory

Thanks for your help.

Question by:emgdave
4 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1500 total points
ID: 24346192
This deals with how AD is setup, not how Apache is authenticating against it.

The first check, require ldap-attribute objectClass=user, basically says if the user-id and password are valid, they can do whatever.

The second one is requiring that the user is part of a specific group. Are you part of that group?
 

Author Comment

by:emgdave
ID: 24355571
I did manage to get this working on Friday. The people managing AD gave me the wrong group.
But I am curious to know what the strings at the end of the LDAP URL mean, and also on the require directive.
Can you point me to some documentation on what they mean so I can correctly craft my Apache directives and know what they are actually doing? e.g. ?sAMAccountName?sub?(objectClass=*)" , require ldap-attribute objectClass=user

Thanks
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 1500 total points
ID: 24355968
LDAP uses the term DN (distinguished name) to describe a group of objects. A DN is made up of multiple objects that are strung together. However, these must be strung together in the correct order.

An "objectClass" is an attribute name.  

In your case it seems your main DN is DC=mc,DC=ad,DC=ll,DC=org  which when strung together you get mc.ad.ll.org.

The sAMAccountName is the SAM Account Name object, or your userid. So the string:

DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

Means that you want to look at all objects under the object sAMAccountName in the LDAP DN mc.ad.ll.org and all "objectClass", which under the sAMAccountName would most likely be all user names. By requiring the objectclass "user" then you would further check all entries under sAMAccountName and verify that they had the attribute "user" associated with them.

You can search for LDAP basics to get a better understanding.  Here are just a few links that may help:

http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx (mostly about queries)
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzahy/rzahyovrco.htm
http://beginlinux.com/server_training/server-managment-topics/1015-basics-of-ldap
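Added example, not part of this thread and not Apache's own code: it parses the AuthLDAPURL from the question into its parts (base DN, attribute, scope, filter), builds the filter mod_authnz_ldap derives from it for the user lookup, and evaluates the two Require rules from the question against a constructed in-memory directory, showing why ldap-attribute objectClass=user admits every valid account while ldap-group admits only members of the Web group. The user entries, names and the group's member list are constructed; no LDAP server is contacted.

```python
"""Added example (not from the post): parse an Apache 2.2 AuthLDAPURL, build the
search filter mod_authnz_ldap derives from it, and evaluate Require rules offline."""
from urllib.parse import urlsplit, unquote

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter; defaults follow
    mod_authnz_ldap (attribute uid, scope sub, filter (objectClass=*))."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    fields = unquote(parts.query).split("?") + ["", "", ""]
    return {"scheme": parts.scheme, "host": parts.netloc.split(":")[0],
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "base_dn": unquote(parts.path.lstrip("/")),
            "attribute": fields[0] or "uid", "scope": fields[1] or "sub",
            "filter": fields[2] or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed user name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_filter(cfg, username):
    """mod_authnz_ldap ANDs the URL filter with attribute=username to find the user."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))

# Constructed sample directory: two valid accounts, only alice is in the Web group.
GROUP_DN = "CN=Web,OU=Web Groups,OU=Global Security Groups,DC=mc,DC=ad,DC=ll,DC=org"
ALICE = "CN=Alice,CN=Users,DC=mc,DC=ad,DC=ll,DC=org"
BOB = "CN=Bob,CN=Users,DC=mc,DC=ad,DC=ll,DC=org"
DIRECTORY = {
    ALICE: {"objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"]},
    BOB: {"objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"]},
    GROUP_DN: {"objectClass": ["top", "group"], "member": [ALICE]},
}

def find_user_dn(cfg, username):
    """Stand-in for the LDAP search: the single entry whose <attribute> equals the
    name (Apache rejects the login when zero or more than one entry matches)."""
    hits = [dn for dn, e in DIRECTORY.items()
            if username.lower() in map(str.lower, e.get(cfg["attribute"], []))]
    return hits[0] if len(hits) == 1 else None

def require_ldap_attribute(user_dn, attribute, value):
    """Require ldap-attribute: satisfied by any entry carrying attribute=value."""
    return value.lower() in map(str.lower, DIRECTORY.get(user_dn, {}).get(attribute, []))

def require_ldap_group(user_dn, group_dn):
    """Require ldap-group: the group's member attribute (Apache's default
    AuthLDAPGroupAttribute) must list the user's DN; DNs compare case-insensitively."""
    return user_dn.lower() in (m.lower() for m in DIRECTORY.get(group_dn, {}).get("member", []))
```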
 

Author Closing Comment

by:emgdave
ID: 31579126
Thank you.
