[Samba] Authenticating Apache Against Active Directory

Andrey Repin anrdaemon at yandex.ru
Tue May 12 08:17:40 MDT 2015


Greetings, Nico Kadel-Garcia!

>>     Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
>> users against Samba 4.2.1. When I edit 'apache2.conf' with
>>
>>
>> <Directory />
>>         Options FollowSymLinks
>>         AllowOverride None
>>         Require all granted
>>         Allow from all
>>         AuthName "AD authentication"
>>         AuthBasicProvider ldap
>>         AuthType Basic
>>         AuthLDAPGroupAttribute member
>>         AuthLDAPGroupAttributeIsDN On
>>         AuthLDAPURL
>> ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain?sAMAccountName?sub?(objectClass=*)
>>         AuthLDAPBindDN cn=apache-connect,cn=Users,domain
>>         AuthLDAPBindPassword password
>>         require ldap-group cn=Nagios-Admins,cn=Users,domain

> Why are you bothering to use anything outside of Kerberos? Very few
> web projects actually need any group, uid, or other information and
> are much simplified by simply relying on the inherent Kerberos of a
> modern Samba server or AD based service. It also helps eliminate any
> need for LDAP credentials with which to issue LDAP queries, and lends
> itself much more easily to genuine "single-sign-on" solutions.

You don't need any LDAP credentials other than the credentials supplied by
the authenticating user.

        <IfModule authnz_ldap_module>
            Allow from all

            AuthName "Subversion repository"
            AuthType Basic
            AuthBasicProvider ldap

            AuthzLDAPAuthoritative on
            AuthLDAPURL ldap://127.0.0.1/ou=Users,dc=example,dc=com?uid
            AuthLDAPGroupAttribute memberUid
            AuthLDAPGroupAttributeIsDN off

            # only developers may access the repository
            Require ldap-group cn=CVS,ou=Groups,dc=example,dc=com
            Require ldap-attribute gidNumber=600
            Satisfy all

            # And they should obey the SVN user permissions file
            <IfModule authz_svn_module>
                AuthzSVNAccessFile "/wwwroot/.svn/.registry"
            </IfModule>
        </IfModule>


-- 
With best regards,
Andrey Repin
Tuesday, May 12, 2015 17:13:42

Sorry for my terrible English...
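
Added example, not part of the original message or of either poster's configuration: a small Python check that splits an AuthLDAPURL value into the fields mod_authnz_ldap reads (host, base DN, attribute, scope, filter) and flags values that do not fit, run here over the two URLs quoted in this thread. The function name and the simplified RDN pattern are assumptions made for the example.

```python
import re

# Simplified RDN check: attributeType=value, no escaped commas (assumption).
RDN = re.compile(r"[A-Za-z][A-Za-z0-9-]*=[^=,/]+")
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

# The two AuthLDAPURL values quoted in the thread above.
THREAD_URLS = [
    "ldap://dc1.domain.local/172.16.232.29:389/cn=Users,dc=domain"
    "?sAMAccountName?sub?(objectClass=*)",
    "ldap://127.0.0.1/ou=Users,dc=example,dc=com?uid",
]


def check_auth_ldap_url(url):
    """Split an AuthLDAPURL value and return (fields, problems)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        return None, ["scheme must be ldap:// or ldaps://"]
    hostport, _, tail = rest.partition("/")
    # Layout after the host: basedn?attribute?scope?filter
    parts = (tail.split("?", 3) + ["", "", ""])[:4]
    fields = {
        "scheme": scheme.lower(),
        "host": hostport,
        "basedn": parts[0],
        "attribute": parts[1] or "uid",           # mod_authnz_ldap default
        "scope": parts[2] or "sub",               # mod_authnz_ldap default
        "filter": parts[3] or "(objectClass=*)",  # mod_authnz_ldap default
    }
    problems = []
    if not hostport:
        problems.append("no host given")
    bad = [c for c in fields["basedn"].split(",") if not RDN.fullmatch(c.strip())]
    if bad:
        problems.append("base DN has non-RDN component(s): " + ", ".join(bad))
    if fields["scope"] not in ("one", "sub"):
        problems.append("scope should be 'one' or 'sub'")
    # Strip an optional :port, leaving bracketed IPv6 literals intact.
    host = hostport if hostport.endswith("]") else hostport.rsplit(":", 1)[0]
    if fields["scheme"] == "ldap" and host not in LOOPBACK:
        problems.append("ldap:// to a remote host: passwords cross the network "
                        "in clear text unless STARTTLS is enabled")
    return fields, problems


if __name__ == "__main__":
    for u in THREAD_URLS:
        print(u, "->", check_auth_ldap_url(u)[1] or "ok")
```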


