• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 686
  • Last Modified:

Apache 2.2 LDAPS Authentication

Server Details
Windows server 2003 hosting
       Apache 2.2 .10
Client certificate installed using certificate services server.
I exported the certificate and copied to c:\ldap\ldap.cer
I reference the certificate in the httpd.conf file below.


Objective for Intranet site
Authenticate clients upon arrival of protected web pages.
Authentication must be given to only members of a particular group, the  Web group.
Authentication Method: authnz_ldap_module for Apache.
Use SSL to encrypt the authentication session. Via mod_ldap.so
I have used LDAP.exe and did create a connection to the LDAP server using the LDAP.exe tool.

#LDAPTrustedClientCert c:\ldap\ldap.cer
<Directory D:\web\intranet\Information-Services\Staff>

AuthType Basic
AuthName "Web"
AuthBasicProvider ldap
AuthLDAPBindDN Web@mc.ad.ll.org
AuthLDAPBindPassword password*1

AuthLDAPURL "ldap://ActiveDirectory:389/DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"
AuthLDAPURL ldaps://ActiveDirectory:636 /DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

require ldap-attribute objectClass=user
#when I use the above directive I can authenticate to the ldap server, however other users can authenticate that should not be able to see the content.
#Require ldap-group cn=Web, ou=Web Groups, ou=Global Security Groups, dc=mc, dc=ad, dc=ll, dc=org
#When I use the directive above I cannot authenticate at all. This is the error I receive
Thu May 07 10:33:29 2009] [error] [client 192.168.0.70] File does not exist:

</Directory>


LDAP server: Windows server 2003 SP2 Active Directory

Thanks for your help.

0
emgdave
Asked:
emgdave
  • 2
  • 2
2 Solutions
 
giltjrCommented:
This deals with how AD is setup, not how Apache is authenticating against it.

The first check, require ldap-attribute objectClass=user basically says if the user-id and password is valid, they can do whatever.

The second one is requiring that the user is part of a specific group.  Are you part of that group?
0
 
emgdaveAuthor Commented:
I did manage to get this working on Friday. The people managing AD gave me the wrong group.
But i am curios to know what the strings at the end of the ldap url mean. And also on the require directive.
Can you point me to some documentation on what they mean so i can correctly craft my apache directives and know what they are actually doing?  eg. ?sAMAccountName?sub?(objectClass=*)"  , require ldap-attribute objectClass=user

Thanks
0
 
giltjrCommented:
LDAP uses the term DN (distinguished name) to describe a group of objects. A DN is made up of multiple objects that are strung together.  However these must be strung together in the correct order.

An "objectClass" is an attribute name.  

In your case it seems your main DN is DC=mc,DC=ad,DC=ll,DC=org  which when strung together you get mc.ad.ll.org.

The sAMAccountName is SAM Account Name object, or your userid.  So the string:

DC=mc,DC=ad,DC=ll,DC=org?sAMAccountName?sub?(objectClass=*)"

Means that you want to look at all object under the object sAMAccountName in the LDAP DN mc.ad.ll.org and all "objectClass", which under the sAMAccountName would most likely be all user names.  By requiring the objectclass "user" then you would further check all entries under sAMAccoutName and verify that they had the attribute "user" associated with them.

You can search for LDAP basics to get a better understanding.  Here are just a few links that may help:

http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx (mpstly about queries)
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzahy/rzahyovrco.htm
http://beginlinux.com/server_training/server-managment-topics/1015-basics-of-ldap
0
 
emgdaveAuthor Commented:
thank you
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now