Hi,

Mike Williams wrote:

> On Thursday 12 April 2007 06:13:44 Wolfgang Liebich wrote:
>
>> OK - it is in testing. Has anyone here any experience of how stable it is
>> to run? Maybe I need it b/c of a new auth module
>> which does not seem to be available in apache 2.0.58...
>>
>
> Oddly enough...
> http://archives.gentoo.org/gentoo-server/msg_11696.xml
>
> (I've not used the auth modules though)
>

Thank you all for your answers. I will try to press forward with apache
2.2.4. The reason I need it is that I need to authenticate/authorize users
against a Windows ActiveDirectory domain. This is done using LDAP. Until
now we only had users coming from one OU served by our DC, so that
setup worked w/o a hitch. BUT now we have gotten a user from a different
OU, and ... well, I could not get mod_auth_ldap to look up the user from
a BaseDN one level up (BUT searching for the user via "ldapsearch" on the
command line worked - IDGI....).
Apache's "own" mod_auth_ldap (which you get with USE="ldap") didn't
work, either..
SO I decided to go forward to apache 2.2.4 and use 2 LDAP
authentication instances, each with a working BaseDN pointing to the
wanted OU (same server, only the most specific OU in the BaseDN
different) and unify them with mod_authn_alias. For simplicity I used
apache's own mod_authnz_ldap.
This setup seems to work, with some caveats:
- You have to mark both LDAP auth module configurations with
  AuthzLDAPAuthoritative=off
- If you want to restrict access to your site to users belonging to a
  specified group, you cannot just use mod_authnz_ldap's "require
  ldap-group" feature b/c the module doing authorization checks is
  mod_authn_alias -- which has NO idea what "require ldap-group" means.
  Sigh. BUT:
  -- you can do some evil tricks with the ldap URL to fake this "require
  ldap-group" trick: You modify the search string (the last part of the
  LDAP url) to something like
  "(&(<original part, e.g. 'objectType=*'>)(memberOf=<DN of the user
  group>))". This has the effect that users not belonging to your wanted
  group are just not found.
  This is NOT the same as saying "users not in this group are not
  AUTHORIZED", but it is a working fake.

Well, I've got a working system this way, therefore my boss will
probably ask me to stop researching further :-).
But I'm not totally satisfied with the current solution, b/c
- I still don't get the REASON why the ldap auth modules can't find the
  user(s) but ldapsearch can.
- The solution is ugly :-) Seriously - I want to be able to use a single
  authn/authz provider. Maybe mod_auth_kerberos would be better?
- Earlier on I looked into mod_auth_pam (for
  authentication/authorization against our NIS/YP domain). BUT I didn't
  use it b/c it seemed to REQUIRE that apache gets read access to
  /etc/shadow. WHY? If I use pam+NIS, the local shadow pwd file should
  never need to be read, right? (Also a fellow sysadmin cautioned me
  against mod_auth_pam b/c he claimed it to be rather dead - i.e. not
  developed further).
Comments/Experiences would be very welcome!
Ciao,
Wolf"english is NOT my native tongue:-("gang
--
gentoo-user@g.o mailing list
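The two-provider layout described in the mail above (one mod_authnz_ldap provider per OU, joined with mod_authn_alias, with the memberOf clause appended to each LDAP URL filter), written out as an added Apache 2.2 configuration. This is an illustrative example, not the poster's own config: the host ldap.example.internal, the OU and group DNs, the bind account and its password are all constructed placeholders.

```apache
# Added example configuration (Apache 2.2), not the poster's own.
# Host, DNs, bind account and password below are constructed placeholders.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authn_alias_module modules/mod_authn_alias.so

# One mod_authnz_ldap provider per OU. Each AuthLDAPURL keeps its BaseDN at
# the OU that is known to work. The filter (last URL component) is extended
# with a memberOf clause so that accounts outside the wanted group are simply
# not found; this is the "working fake" for "require ldap-group" from the
# mail. "(objectClass=*)" is mod_authnz_ldap's default filter and
# sAMAccountName is the usual login attribute in Active Directory.
<AuthnProviderAlias ldap ldap-sales>
    AuthLDAPBindDN       "CN=apache-svc,OU=Service Accounts,DC=example,DC=internal"
    AuthLDAPBindPassword "placeholder-password"
    AuthLDAPURL "ldap://ldap.example.internal/OU=Sales,DC=example,DC=internal?sAMAccountName?sub?(&(objectClass=*)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=internal))"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-engineering>
    AuthLDAPBindDN       "CN=apache-svc,OU=Service Accounts,DC=example,DC=internal"
    AuthLDAPBindPassword "placeholder-password"
    AuthLDAPURL "ldap://ldap.example.internal/OU=Engineering,DC=example,DC=internal?sAMAccountName?sub?(&(objectClass=*)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=internal))"
</AuthnProviderAlias>

<Location /intranet>
    AuthType Basic
    AuthName "Intranet (constructed realm name)"
    # Providers are consulted in order: a user not found under the first OU
    # falls through to the second.
    AuthBasicProvider ldap-sales ldap-engineering
    # The caveat from the mail: the LDAP configurations must be marked
    # non-authoritative for authorization, otherwise the combined setup
    # does not work.
    AuthzLDAPAuthoritative off
    Require valid-user
</Location>
```

Two caveats worth keeping in mind with this layout. The memberOf filter only matches direct membership of the named group; a user whose membership comes through a nested group is not found and is therefore locked out, which is easy to misread as a bind or BaseDN problem. And because the group check is now part of the search filter rather than an authorization rule, a failed group check shows up in the error log as an unknown user rather than an authorization failure, so alerting on "user not found" events will mix the two cases.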