Solved

Ldap authentication against active directory

Posted on 2010-09-15
Last Modified: 2012-06-22
Hi,

I was successfully able to bind to the LDAP server, but in doing so I had to hard-code my username and password. I was wondering, is there a way for me to not hard-code the username and password and still bind to the LDAP server?

My config looks like this:

AuthLDAPBindDN "cn=XXXX,ou=users,ou=intra,ou=XXX,ou=XXX,ou=ad,dc=XXX,dc=XXX"
AuthLDAPBindPassword "XXXXXX"
AuthLDAPURL "ldap://test.abc.com:4389/ou=XXX,ou=ad,dc=XXX,dc=XXX?sAMAccountName?sub?"
AuthType Basic
AuthBasicProvider ldap
require valid-user
AuthzLDAPAuthoritative off

Instead of using the username in the cn and AuthLDAPBindPassword "XXXXXX" (the actual password), is there a way to bind to the LDAP server?
Question by:Justin_Edmands
3 Comments
Expert Comment by jar3817 (LVL 26), ID: 33687665

Not really, you need a DN and a password to bind to AD. Typically you'd create a service account in AD (not one any user uses) and hard-code that in your Apache config.
Expert Comment by arnold (LVL 81), ID: 33688099

Unfortunately you did not include what you are using this setup for.
There are alternatives such as using Kerberos, Samba and winbind to integrate AD and Linux/Unix,
i.e. centrally manage users from the AD who would then be allowed to log in to the Linux box.

In nsswitch.conf, in the user/passwd entry, for the second parameter you would have winbind instead of ldap.

A quick search for Linux AD integration provides many examples.

http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
http://linux.boeldt.net/Linux_active_directory.asp

The Linux system gets added into the AD as a computer.
Accepted Solution by askb (LVL 7), earned 2000 total points, ID: 33781104

The default authentication mechanism in AD is Krb5 (Kerberos). You would use winbind / nsswitch to authenticate a Linux client to the LDAP server. But remember that if you are using Linux clients and you have PAC credentials (authorization info) on the credentials of your user/id, this may not work, as PAC is proprietary and specific to AD/Windows entities only.

The alternative for you to not hard-code the user name and password would be to use Kerberos credentials through the SASL mechanism supported in LDAP.
Assuming that you are using ldapsearch (make sure you have the LDAP / GSSAPI / SASL libs installed on your box), do the following steps:

1. kinit principalname@AD_DOMAIN.COM
   -> this will get you your initial credentials.

2. ldapsearch -Y GSSAPI -h <AD Server> -o <> <search filter>
   -> this will enable you to perform an LDAP operation based on your above credentials.

Note: the above example was for doing an LDAP search using Kerberos credentials. For this you need to configure your krb5.conf on your Linux box.

Let me know if you need more help!

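As an added example (not code from the thread), a small audit script for the kind of httpd config shown in the question: it reports the literal AuthLDAPBindPassword that jar3817 notes a simple bind cannot avoid, an AuthLDAPURL on plain ldap://, and a config file that is world-readable. The config it writes is a constructed sample with placeholder values, not the asker's real one.

```shell
#!/bin/sh
# Added audit helper (not code from the thread). It scans an Apache httpd
# config for the mod_authnz_ldap settings discussed above and reports the
# ways a hard-coded bind credential gets exposed. Return value = findings.
audit_ldap_conf() {
    conf="$1"
    n=0
    # 1. Literal bind password: unavoidable for a simple bind (jar3817's
    #    point), so it must be a dedicated, low-privilege service account.
    if grep -Eq '^[[:space:]]*AuthLDAPBindPassword[[:space:]]+[^[:space:]]' "$conf"; then
        echo "FINDING: literal AuthLDAPBindPassword in $conf"
        n=$((n + 1))
    fi
    # 2. ldap:// (as in the question's URL) sends the simple bind in clear.
    if grep -Eq '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$conf"; then
        echo "FINDING: AuthLDAPURL uses ldap:// (password crosses the wire in clear; prefer ldaps://)"
        n=$((n + 1))
    fi
    # 3. World-readable file exposes the password to every local account.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    if [ $(( 0$mode & 07 )) -ne 0 ]; then
        echo "FINDING: $conf is world-readable (mode $mode); use 0640, owned by root:<httpd group>"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample mirroring the question's config (placeholder values).
write_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
AuthLDAPBindDN "cn=svc-web,ou=users,dc=example,dc=com"
AuthLDAPBindPassword "PLACEHOLDER-PASSWORD"
AuthLDAPURL "ldap://ad.example.com:389/ou=users,dc=example,dc=com?sAMAccountName?sub?"
AuthType Basic
AuthBasicProvider ldap
require valid-user
EOF
    chmod 644 "$f"
    echo "$f"
}

# Same credential, but ldaps:// and mode 0640: only the literal password remains.
write_hardened_conf() {
    f=$(write_sample_conf)
    sed -i.bak 's#"ldap://#"ldaps://#' "$f" && rm -f "$f.bak"
    chmod 640 "$f"
    echo "$f"
}
```

Run it as `f=$(write_sample_conf); audit_ldap_conf "$f"; echo "findings: $?"`; the sample yields three findings and the hardened variant one.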
