| 1 |
Hi, |
| 2 |
Mike Williams schrieb: |
| 3 |
> On Thursday 12 April 2007 06:13:44 Wolfgang Liebich wrote: |
| 4 |
> |
| 5 |
>> OK - it is in testing. Has anyone here experiences on how stable it is |
| 6 |
>> to run? Maybe I need it b/c of a new auth module |
| 7 |
>> which does not seem to be available in apache 2.0.58... |
| 8 |
>> |
| 9 |
> |
| 10 |
> Oddly enough... |
| 11 |
> http://archives.gentoo.org/gentoo-server/msg_11696.xml |
| 12 |
> |
| 13 |
> (I've not used the auth modules though) |
| 14 |
> |
| 15 |
Thank you all for your answers. I will try to press forward with apache |
| 16 |
2.2.4. The reason I need it is that I need to authentificate/authorize users |
| 17 |
agains a Windows ActiveDirectory domain. This is done using LDAP. Until |
| 18 |
now we only had users coming from one OU served by our DC, so that |
| 19 |
setup worked w/o a hitch. BUT now we have gotten a user from a different |
| 20 |
OU, and ... well, I could not get mod_auth_ldap to lookup the user from |
| 21 |
a BaseDN |
| 22 |
one level up (BUT searching the user via "ldapsearch" cmdline worked - |
| 23 |
IDGI....). |
| 24 |
Apache's "own" mod_auth_ldap (which you get with USE="ldap") didn't |
| 25 |
work, either.. |
| 26 |
SO I decided to go forward to apache 2.2.4 and use 2 LDAP |
| 27 |
authentification instances, each with a working BaseDN pointing to the |
| 28 |
wanted OU (same server, only the |
| 29 |
most specific OU in the BaseDN different) and unify them with |
| 30 |
mod_authn_alias. For simplicity I used apache's own mod_authnz_ldap. |
| 31 |
This setup seems to work, with some caveats: |
| 32 |
- You have to mark both LDAP auth module configurations with |
| 33 |
AuthzLDAPAuthoritative=off |
| 34 |
- If you want to restrict access to your site to users belonging to a |
| 35 |
specified group, you cannot just juse mod_authnz_ldap's "require |
| 36 |
ldap-group" feature b/c the module |
| 37 |
doing authorization checks is mod-authn-alias -- which has NO idea what |
| 38 |
"require ldap-group" means. Sigh. BUT: |
| 39 |
-- you can do some evil tricks with the ldap URL to fake this "require |
| 40 |
ldap-group" trick: You modify the search string (the last part of the |
| 41 |
LDAP url to something like |
| 42 |
"(&(<original part, e.g. 'objectType=*')(memberOf=<DN of the user |
| 43 |
group>))". This has the effect that users not belonging to your wanted |
| 44 |
group are just not found. |
| 45 |
This is NOT the same as saying "users not in this group are not |
| 46 |
AUTHORIZED", but it is a working fake. |
| 47 |
|
| 48 |
Well, I've got a working system this way, therefore my boss will |
| 49 |
probably ask me to stop researching further :-). |
| 50 |
But I'm not totally satisfied with the current solution, b/c |
| 51 |
- I still don't get the REASON why the ldap auth modules can't find the |
| 52 |
user(s) but ldapsearch can. |
| 53 |
- The solution is ugly :-) Seriously - I want to be able to use a single |
| 54 |
authn/authz provider. Maybe mod_auth_kerberos would be better? |
| 55 |
- Earlier on I looked into mod_auth_pam (for |
| 56 |
authentification/authorization against our NIS/YP domain). BUT I didn't |
| 57 |
use it b/c it seemed to REQUIRE that apache |
| 58 |
gets read access for /etc/shadow. WHY? If I use pam+NIS, the local |
| 59 |
shadow pwd file should never needed to be read, right? (Also a fellow |
| 60 |
sysadmin cautioned me agains mod_auth_pam |
| 61 |
b/c he claimed it to be rather dead - i.e. not developed further). |
| 62 |
Comments/Experiences would be very welcome! |
| 63 |
Ciao, |
| 64 |
Wolf"english is NOT my native tongue:-("gang |
| 65 |
-- |
| 66 |
gentoo-user@g.o mailing list |
Archives