Auth_LDAP with Active Directory

KsE · Posted: Mon Mar 22, 2004 8:37 pm Post subject: Auth_LDAP with Active Directory

I'm trying to get user authentication for apache to work with windows domain accounts via active directory. I haven't seen much documentation on this yet.

I'm using apache1 not 2. I have ldap installed and auth_ldap module for apache. As far as I can tell, there isn't anything else I need.

httpd.conf

rinacabj · Posted: Fri Jun 25, 2004 6:24 pm Post subject:

I'm having a sort of the same problem. Only difference is I'm using apache2. All the modules are in and apache loads, but I can't get any authentication box. It just says forbidden. Were you able to get it to work?

jayc · n00b Joined: 05 Feb 2003 Posts: 26

Theoretically, I would say that you can't use the LDAP module to authenticate against Active Directory. I don't know this for sure, but this why I think that.

AD uses a bastardized form of Kerberos for authentication. All Kerberos does is store a list of users and password and grant tickets. LDAP is used for user information, etc. Therefore, since LDAP has no idea of what the password is (only Kerberos would), you can't use the LDAP module.

I could be wrong, but that is how AD works. I'd look into an NTLM authentication module or try using the Apache Kerberos auth module. AD uses Kerberos from the MIT folks, anyhow.

rinacabj · Posted: Mon Jun 28, 2004 7:37 pm Post subject:

someone please tell me this isn't true, and if it is what can be used instead

nobspangle · Posted: Mon Jun 28, 2004 10:09 pm Post subject:

I don't know much about authentication in apache passed using .htaccess files, but if you can authenticate against pam then I would assume you could use winbind to do the authentication.

bin-doph · Guru Joined: 23 May 2003 Posts: 302

Do you have granted rights to "Everybody" or why aren't you binding with user/pass credentials to AD? By default "Everybody" doesn't have the rights to query the userdb but it doesn't aborts with something like "access denied" since "Everybody" does still have access... You should try with an account for your needs, since all "Autenticated Users" do have the rights to query those informations. Since I never used auth_ldap with apache I don't know if a normal user is enough...

maybe this helps http://www.contactor.se/~dast/svnusers/archive-2004-03/0877.shtml

hth
-fe
_________________
perl -e '$_=q;4a75737420616e6f74686572205065726c204861636b65720as;;for(s;s;s;s;s;s;s;s;s;s;s;s){s;(..)s?;qq qprint chr 0x$1 and \161 ssq;excess;}'

bin-doph · Guru Joined: 23 May 2003 Posts: 302

Well since I'm currently doing something similar and mod-ntlm is pretty crappy I tested auth_ldap ... works like a charm. So I guess a proper user is what u need. Use a bind and check that your query is ok (u don't even need an administrative account)

hth
-fe
_________________
perl -e '$_=q;4a75737420616e6f74686572205065726c204861636b65720as;;for(s;s;s;s;s;s;s;s;s;s;s;s){s;(..)s?;qq qprint chr 0x$1 and \161 ssq;excess;}'

rinacabj · Posted: Tue Jun 29, 2004 5:45 pm Post subject:

bin-doph - here's your chance to be a real hero!

A post of what I'm trying to do/my current set-up is:
https://forums.gentoo.org/viewtopic.php?t=191372

If you could pretty please take a look and tell me what you think I may need. I'm driving myself crazy with it and can't figure it out. I said pretty please

bin-doph · Guru Joined: 23 May 2003 Posts: 302

wow, I always wanted to be a real hero....lets give it a shot
_________________
perl -e '$_=q;4a75737420616e6f74686572205065726c204861636b65720as;;for(s;s;s;s;s;s;s;s;s;s;s;s){s;(..)s?;qq qprint chr 0x$1 and \161 ssq;excess;}'

mgladding4423 · n00b Joined: 12 May 2005 Posts: 15