[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 660
  • Last Modified:

Ldap authentication against active directory

Hi ,

I was able sucessfully able to bind to the ldap server but in doing so i had to hard code in my username and password , i was wondering is there a way for me to be not hard code the uname and passwd and bind to the ldap server

my config looks like this

AuthLDAPBindDN "cn=XXXX,ou=users,ou=intra,ou=XXX,ou=XXX,ou=ad,dc=XXX,dc=XXX"
AuthLDAPBindPassword "XXXXXX"
   AuthLDAPURL "ldap://test.abc.com:4389/ou=XXX,ou=ad,dc=XXX,dc=XXX?sAMAccountName?sub?"
   AuthType Basic
   AuthBasicProvider ldap
   require valid-user
   AuthzLDAPAuthoritative off

Instead of using the username in cn and AuthLDAPBindPassword "XXXXXX" (* actual password ) is there a way to bind to the ldap server ?
0
Justin_Edmands
Asked:
Justin_Edmands
1 Solution
 
jar3817Commented:
Not really, you need a dn and a password to bind to AD. Typically you'd create a service account in AD (not one any user uses) and hard code that in your apache config.
0
 
arnoldCommented:
Unfortunately you did not include what you are using this setup for.
There are alternatives such as using kerberos, samba and winbind to integrate AD and linux/unix.
I.e. centrally manage users from the AD that would then be allowed to login into the linux box.

In nsswitch.conf in the user/passwd you would have the second parameter instead of ldap you'll have winbind.

A quick search for Linux AD integration provides many examples.

http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
http://linux.boeldt.net/Linux_active_directory.asp

The linux system gets added into the AD as a computer.
0
 
askbCommented:
The default authentication mechanism in AD is Krb5 (Kerberos). You would use winbind / nsswitch to authenticate a linux client to LDAP server. But remember that if you are using linux clients and you have PAC credentials (authorization info) on the credentials of your user/id this may not work as PAC is propritary and specific to AD/Windows entities only.  

The alternative for you to not hard code the user name and password would be to use Kerberos credentials through SASL mechanism supported in LDAP.
Assuming that you are using ldapsearch (make sure you have the LDAP / GSSAPI / SASL libs installed on your box) do the following steps:

1. kinit principalname@AD_DOMAIN.COM                               -> this will get you your init credentials.

2. ldapsearch -Y GSSAPI -h <AD Server> -o <> <search filter>              ---------->this will enable you to perform an ldap operation based on your above credentials.

Note: the above example was for doing LDAP search using kerberos credentials. For this you need to configure your krb5.conf on your linux box.

Let me know if you need more help!

 

0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now