msdcdev
LDAP, Active Directory - Very specific privileges

I'm fairly new to a lot of this stuff, so bear with me here.  Here's our configuration:

2 physical machines, VMWare ESXi
Several Windows 2008 r2 VMs, including an AD server
2 Red Hat VMs

Both the Red Hat VMs and the Windows VMs have joined the AD domain, and leverage AD authentication for login.  Also have JIRA and SVN configured to use LDAP authentication.  Everything works as expected, so far so good.

Now, we have an offshore team working for us, and I want to grant them access to a specific SVN project and a specific JIRA project.  However, I don't want them to have access to any other machine on the network.

So, from everything that I've read, here's what I've gathered.  I want to add them to a specific AD group (done) and grant them access to an SVN project with the following Apache configuration:

<Location "/OffshoreProject/">
   Require ldap-group CN=Offshore-Developers,CN=Users,DC=domain,DC=local
</Location>

Again, so far so good.  They have access to this but not any other SVN project.  However, they also have access to log in to any computer on the network.  So, I created a separate group in AD called "Deny Login" and added the users.  I then edited the default domain GPO and flipped every "Deny Login *" switch I could find.  I've tried every on/off combination imaginable.  However, now if I leave them in the "Deny Login" group, they cannot authenticate at all through Apache.  If I pull them out, it works, but they can log in to the machines on my network.  Any ideas on what I'm doing wrong here?  Am I missing something?

Thanks in advance.
deemehtani

Hi, you can restrict them from logging on to specific computers by name, or just leave the list blank, which will disallow them from logging into any machine.  Attached are screenshots of how you can do this for one account.  You can also add them to an organizational unit and apply the same policy to the OU.
AD.pdf
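The per-account "Log On To" restriction described above, applied to every member of the group from the question instead of one user at a time. This is an added PowerShell example, not code from the thread; it assumes the RSAT ActiveDirectory module is available, and the computer name in the allow-list is a placeholder.

```powershell
# Added example (not from the thread): restrict every member of the offshore AD
# group to an explicit allow-list of computers via the per-user "Log On To"
# setting (the userWorkstations attribute that the ADUC Account tab edits).
# Assumptions: RSAT ActiveDirectory module installed; the group name comes from
# the Apache Require line in the question; 'SVNJIRA01' is a placeholder host.
Import-Module ActiveDirectory

$GroupName       = 'Offshore-Developers'
$AllowedMachines = @('SVNJIRA01')              # placeholder: host(s) the team may log on to
$Workstations    = $AllowedMachines -join ','   # LogonWorkstations takes a comma-separated NetBIOS list

# Apply the restriction to each user member of the group (nested groups included).
foreach ($member in Get-ADGroupMember -Identity $GroupName -Recursive |
                    Where-Object { $_.objectClass -eq 'user' }) {
    $user = Get-ADUser -Identity $member.distinguishedName -Properties LogonWorkstations
    if ($user.LogonWorkstations -eq $Workstations) { continue }   # already restricted
    Set-ADUser -Identity $user -LogonWorkstations $Workstations
    Write-Output ("{0}: LogOnTo set to {1}" -f $user.SamAccountName, $Workstations)
}

# Verification: list group members whose LogonWorkstations is still empty,
# i.e. accounts that have not been restricted yet.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName, LogonWorkstations
```

Re-run the verification block after adding new users to the group, since the restriction lives on each account rather than on the group.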
msdcdev (Asker)
Thanks for the quick response.  However, I don't see these tabs within a User, Group, or OU.  I'm using Windows Server 2008, R2...so I'm sure that's why it's different.

So, using GPO's is not the way to go on this?
ASKER CERTIFIED SOLUTION
Adam Brown
msdcdev (Asker)

Worked perfectly.  I was using the wrong AD console, that's why I wasn't seeing these options.

Thanks.