[opensuse] OpenSUSE 11.0, Windows AD and LDAP
I guess it had to come to this. I have gotten Linux login authentication working against the local Windows AD. I would next like to get apache authentication working in a similar fashion. In reading the docs on this, the first obvious thing I do not know is the user and password needed for accessing the AD server when doing the authentication. This must exist somewhere, as openSUSE is doing this. I joined the AD via YAST. So, I am guessing, this information exists somewhere on my system. Am I thinking correctly? If so, where could this information be? If not, how else to proceed?
--
Roger Oberholtzer
OPQ Systems / Ramböll RST
Ramböll Sverige AB Kapellgränd 7 P.O. Box 4205 SE-102 65 Stockholm, Sweden
Office: Int +46 8-615 60 20 Mobile: Int +46 70-815 1696
And remember:
It is RSofT and there is always something under construction. It is like talking about large city with all constructions finished. Not impossible, but very unlikely.
On Wed, Sep 17, 2008 at 10:04:18PM +0200, Roger Oberholtzer wrote:
I guess it had to come to this. I have gotten Linux login authentication working against the local Windows AD. I would next like to get apache authentication working in a similar fashion. In reading the docs on this, the first obvious thing I do not know is the user and password needed for accessing the AD server when doing the authentication. This must exist somewhere, as openSUSE is doing this. I joined the AD via YAST. So, I am guessing, this information exists somewhere on my system.
You need a fitting mod_* module for Apache. There are two ways.
a) apache2-mod_auth_ntlm_winbind
b) apache2-mod_auth_kerb
I've used a) in the past but had some trouble with keepalive and https. This is generic and known.
Therefore I appreciate if anyone reports success with apache2-mod_auth_kerb.
Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Wed, 2008-09-17 at 23:12 +0200, Lars Müller wrote:
You need a fitting mod_* module for Apache. There are two ways.
a) apache2-mod_auth_ntlm_winbind
b) apache2-mod_auth_kerb
I've used a) in the past but had some trouble with keepalive and https. This is generic and known.
Therefore I appreciate if anyone reports success with apache2-mod_auth_kerb.
Using b) for single-sign-on for mantis, and some in-house brewed php-applications
hw
On Sep 17, 2008, at 11:12 PM, Lars Müller wrote:
You need a fitting mod_* module for Apache. There are two ways.
a) apache2-mod_auth_ntlm_winbind
b) apache2-mod_auth_kerb
I've used a) in the past but had some trouble with keepalive and https. This is generic and known.
Therefore I appreciate if anyone reports success with apache2-mod_auth_kerb.
I was looking at this description:
http://blog.chadwestfall.com/2007/11/subversion-apache-active-directory.html
and
http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_w...
Both use mod_ldap and mod_authnz_ldap
In fact, I found the second link after my post. But both show that you need to define AuthLDAPBindPassword. In the Apache docs (http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#authldapbindpassword) they say this is only needed if you need to search the directory. Is logging in a directory search? Geesh.
Of course, I do not need to use LDAP. I am 'only' after authentication in other places than login/PAM against the AD that I joined via Yast.
I will be playing with this. But as I do not have any authority over the AD, and needed a user/password to allow my machine to be added, I don't have high hopes. But I will surely give it a good try!
--
Roger Oberholtzer
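Added example (not part of any message in this thread, and not Apache's code): a self-contained Python simulation of the search-then-bind sequence that mod_authnz_ldap documents, showing where the bind account is used when the directory refuses anonymous searches. The directory contents, DNs, account names and passwords are constructed, and all function names are hypothetical.

```python
import re

# Constructed sample directory standing in for a domain controller.
SVC_DN = "CN=svc-apache,OU=Service,DC=example,DC=com"
USER_DN = "CN=Roger Example,OU=Staff,DC=example,DC=com"
DIRECTORY = {
    SVC_DN: {"sAMAccountName": "svc-apache", "password": "bind-secret"},
    USER_DN: {"sAMAccountName": "roger", "password": "correct horse"},
}

def escape_filter(value):
    """Escape RFC 4515 specials so a login name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def simple_bind(dn, password):
    """An empty DN or password is an anonymous bind: it proves no identity."""
    if not dn or not password:
        return "anonymous"
    entry = DIRECTORY.get(dn)
    ok = entry is not None and entry["password"] == password
    return "authenticated" if ok else "invalid"

def search(bind_state, ldap_filter):
    """Evaluate (attr=value); anonymous searches are refused, as AD does by default."""
    if bind_state != "authenticated":
        raise PermissionError("search requires an authenticated bind")
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    rx = ""
    for part in re.split(r"(\*|\\[0-9a-f]{2})", pattern):
        if part == "*":
            rx += ".*"                                # unescaped wildcard
        elif part.startswith("\\"):
            rx += re.escape(chr(int(part[1:], 16)))   # \xx is a literal character
        else:
            rx += re.escape(part)
    return [dn for dn, e in DIRECTORY.items() if re.fullmatch(rx, e[attr], re.I)]

def authenticate(login, password, bind_dn, bind_password):
    """Search-then-bind: resolve the login name to a DN, then bind as that DN."""
    if not password:                      # would otherwise become an anonymous bind
        return False
    service = simple_bind(bind_dn, bind_password)           # 1. bind as lookup account
    matches = search(service, "(sAMAccountName=%s)" % escape_filter(login))  # 2. search
    if len(matches) != 1:                 # unknown or ambiguous login name
        return False
    return simple_bind(matches[0], password) == "authenticated"   # 3. bind as the user

if __name__ == "__main__":
    print(authenticate("roger", "correct horse", SVC_DN, "bind-secret"))
```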
Roger Oberholtzer wrote:
I was looking at this description:
http://blog.chadwestfall.com/2007/11/subversion-apache-active-directory.html
and
http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_w...
Both use mod_ldap and mod_authnz_ldap
In fact, I found the second link after my post. But both show that you need to define AuthLDAPBindPassword. In the Apache docs (http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#authldapbindpassword)
they say this is only needed if you need to search the directory. Is logging in a directory search? Geesh.
Of course, I do not need to use LDAP. I am 'only' after authentication in other places than login/PAM against the AD that I joined via Yast.
I will be playing with this. But as I do not have any authority over the AD, and needed a user/password to allow my machine to be added, I don't have high hopes. But I will surely give it a good try!
I do it using pwauth through pam winbind - works great against AD.
--
--Moby
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
On Thu, 2008-09-18 at 16:01 -0500, Moby wrote:
I do it using pwauth through pam winbind - works great against AD.
Thanks for the pointer to pwauth. Passing the login to pam (so to speak), for which login authenticated against the AD is already set up and working, seems the right way to go. There really should be no need to reinvent what pam/winbind have already set up. As if I did not have something else to do this weekend :-)
--
Roger Oberholtzer
participants (4): Hans Witvliet, Lars Müller, Moby, Roger Oberholtzer