Solved

Ldap authentication against active directory

Posted on 2010-09-15
Last Modified: 2012-06-22
Hi,

I was able to successfully bind to the LDAP server, but in doing so I had to hard-code my username and password. I was wondering whether there is a way for me to not hard-code the username and password and still bind to the LDAP server.

My config looks like this:

AuthLDAPBindDN "cn=XXXX,ou=users,ou=intra,ou=XXX,ou=XXX,ou=ad,dc=XXX,dc=XXX"
AuthLDAPBindPassword "XXXXXX"
AuthLDAPURL "ldap://test.abc.com:4389/ou=XXX,ou=ad,dc=XXX,dc=XXX?sAMAccountName?sub?"
AuthType Basic
AuthBasicProvider ldap
require valid-user
AuthzLDAPAuthoritative off

Instead of using the username in cn and AuthLDAPBindPassword "XXXXXX" (the actual password), is there a way to bind to the LDAP server?
Question by:Justin_Edmands
3 Comments
 

Expert Comment

by:jar3817
ID: 33687665
Not really; you need a DN and a password to bind to AD. Typically you'd create a service account in AD (not one any user uses) and hard-code that in your Apache config.

Expert Comment

by:arnold
ID: 33688099
Unfortunately you did not include what you are using this setup for.
There are alternatives such as using Kerberos, Samba and winbind to integrate AD and Linux/Unix,
i.e. centrally manage users from the AD who would then be allowed to log in to the Linux box.

In nsswitch.conf, in the user/passwd entry, the second parameter would be winbind instead of ldap.

A quick search for Linux AD integration provides many examples.

http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
http://linux.boeldt.net/Linux_active_directory.asp

The Linux system gets added into the AD as a computer.

Accepted Solution

by:askb (earned 500 total points)
ID: 33781104
The default authentication mechanism in AD is Krb5 (Kerberos). You would use winbind / nsswitch to authenticate a Linux client to the LDAP server. But remember that if you are using Linux clients and you have PAC credentials (authorization info) on the credentials of your user/id, this may not work, as PAC is proprietary and specific to AD/Windows entities only.

The alternative for you to not hard-code the user name and password would be to use Kerberos credentials through the SASL mechanism supported in LDAP.
Assuming that you are using ldapsearch (make sure you have the LDAP / GSSAPI / SASL libs installed on your box), do the following steps:

1. kinit principalname@AD_DOMAIN.COM
   This will get you your init credentials.

2. ldapsearch -Y GSSAPI -h <AD Server> -o <> <search filter>
   This will enable you to perform an LDAP operation based on your above credentials.

Note: the above example was for doing an LDAP search using Kerberos credentials. For this you need to configure your krb5.conf on your Linux box.

Let me know if you need more help!
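
The two steps from the accepted answer, together with the krb5.conf it says must be configured, as an added example that is not part of the original thread. The realm EXAMPLE.TEST, the host dc1.example.test, the `-H` URI form of the server argument and the `-b` search base are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Realm, host and base DN in the usage lines are constructed placeholders.

# Print a minimal krb5.conf for one AD realm.
# $1 = realm (upper case), $2 = KDC / domain controller host name.
make_krb5_conf() {
    realm=$1
    kdc=$2
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    rdns = false

[realms]
    $realm = {
        kdc = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Steps 1 and 2 of the answer: get a ticket if none is valid, then search over SASL/GSSAPI.
# $1 = principal, $2 = AD server, $3 = search base, $4 = filter.
# No password appears on the command line or in a config file; kinit prompts for it
# only when a new ticket is needed.
gssapi_search() {
    principal=$1; server=$2; base=$3; filter=$4
    # klist -s prints nothing and exits non-zero when the cache holds no valid ticket.
    klist -s || kinit "$principal" || return 1
    # -Q quiets SASL output, -LLL prints plain LDIF. Use the server's FQDN so the
    # ldap/<fqdn> service ticket can be requested.
    ldapsearch -Q -LLL -Y GSSAPI -H "ldap://$server" -b "$base" "$filter" sAMAccountName
}

# Usage (needs a reachable KDC and domain controller):
#   make_krb5_conf EXAMPLE.TEST dc1.example.test > "$HOME/krb5.conf"
#   export KRB5_CONFIG="$HOME/krb5.conf"
#   gssapi_search alice@EXAMPLE.TEST dc1.example.test "dc=example,dc=test" "(sAMAccountName=alice)"
```

Running `kdestroy` afterwards removes the ticket from the credential cache.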

 
