Topic: Apache 2.4 how to authenticate multiple ldap OUs
dnp
Joined: 12 Dec 2018 Posts: 2 Location: Providence
Posted: Thu 13 Dec '18 21:21 Post subject: Apache 2.4 how to authenticate multiple ldap OUs
Hello,
Does anyone have any idea how to authenticate a user against two different OUs on the same AD server?
I am using Apache 2.4 on Ubuntu 18.04.
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03
The user could be in "ABC User" or "XYZ user".
AD OUs are:
AuthLDAPURL "ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
and
AuthLDAPURL "ldap://adx.ABC.org:389/OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
Part of the current conf file:
Code:
<Location />
AuthName "ABC Intranet"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL "ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
# login to AD
AuthLDAPBindDN "CN=ldap_ABCweb,OU=ABC Service Accounts,DC=ABC,DC=org"
AuthLDAPBindPassword
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
# tried this and failed
# Require ldap-filter (&(memberOf='OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*')|(memberOf='OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
# tried this and failed
# <RequireAny>
# Require ldap-filter (&(memberOf='OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
# Require ldap-filter (&(memberOf='OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
# </RequireAny>
# require any is implied
require any
Require valid-user
Require ip 10.46
Require ip 130.44
Require ip 10.44
</Location>

I have a userid supplied by the user via a user/password prompt supplied by Apache. In order for the user to log in they need to be in either of these OUs:
"ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
or
"ldap://adx.ABC.org:389/OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)".
I don’t know how to configure the auth module in Apache 2.4 to validate against more than one OU.
Dan
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Fri 14 Dec '18 12:05 Post subject:
If you need to add multiple OU= values in the LDAP URL, you must have separate LDAP URLs and utilize AuthnProviderAlias to check both LDAP searches.
Code:
# Apache 2.4: AuthnProviderAlias is provided by mod_authn_core (always loaded), so the
# 2.2-era "LoadModule authn_alias_module" line is not needed. The LDAP modules are
# (on Ubuntu: a2enmod ldap authnz_ldap).
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<AuthnProviderAlias ldap ldap-alias1>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
Alias /secure /webpages/secure
<Directory /webpages/secure>
    # Providers are tried in this order; a user not found by the first alias
    # falls through to the next one.
    AuthBasicProvider ldap-other-alias ldap-alias1
    AuthType Basic
    AuthName LDAP_Protected_Place
    # "Order/Allow" (mod_access_compat) and AuthzLDAPAuthoritative are 2.2
    # directives and were removed in 2.4; Require alone handles authorization.
    Require valid-user
</Directory>
See https://httpd.apache.org/docs/trunk/mod/mod_authn_core.html
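As an added illustration (not part of this thread and not Apache's own code), the Python below models what the AuthBasicProvider alias chain does with the two AuthLDAPURLs from this thread: each alias searches its own base DN for the sAMAccountName, a user not found in one OU falls through to the next alias, and the first match is bound. The directory entries, passwords and the third OU are constructed sample data.

```python
from urllib.parse import unquote

# Constructed in-memory stand-in for the AD tree (not a real directory).
DIRECTORY = {
    "CN=Alice,OU=ABC Users,DC=ABC,DC=org": {"sAMAccountName": "alice", "password": "pw-a"},
    "CN=Bob,OU=XYZ Users,DC=ABC,DC=org": {"sAMAccountName": "bob", "password": "pw-b"},
    "CN=Carol,OU=Contractors,DC=ABC,DC=org": {"sAMAccountName": "carol", "password": "pw-c"},
}
ABC_URL = "ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
XYZ_URL = "ldap://adx.ABC.org:389/OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (scheme://host:port/basedn?attr?scope?filter) into parts."""
    _scheme, rest = url.split("://", 1)
    hostport, _, path = rest.partition("/")
    base, *opts = path.split("?")
    opts += [""] * (3 - len(opts))  # attribute, scope and filter are all optional
    return {"host": hostport, "base": unquote(base),
            "attr": opts[0] or "uid",  # mod_authnz_ldap defaults
            "scope": opts[1] or "sub",
            "filter": opts[2] or "(objectClass=*)"}

def in_scope(dn, base, scope):
    """'base' = the base entry only, 'one' = direct children, 'sub' = whole subtree."""
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]

def search_user(cfg, username):
    """Search phase: the DN if exactly one in-scope entry has attr == username, else None."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, cfg["base"], cfg["scope"]) and attrs.get(cfg["attr"]) == username]
    return hits[0] if len(hits) == 1 else None  # only the page's (objectClass=*) filter is modelled

def authenticate(chain, username, password):
    """Providers in AuthBasicProvider order: 'not found' falls through, a failed bind does not."""
    for cfg in chain:
        dn = search_user(cfg, username)
        if dn is None:
            continue  # AUTH_USER_NOT_FOUND -> try the next alias
        return dn, DIRECTORY[dn]["password"] == password  # bind as the found DN decides
    return None, False

# The two aliases from the thread, in AuthBasicProvider order.
CHAIN = [parse_auth_ldap_url(ABC_URL), parse_auth_ldap_url(XYZ_URL)]
```

With only the first URL configured (the original single-provider setup), a user in "XYZ Users" is never found; with both aliases in the chain, the search falls through and succeeds.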
dnp
Joined: 12 Dec 2018 Posts: 2 Location: Providence
Posted: Tue 18 Dec '18 22:00 Post subject:
James,
It works! Thank you very much for your help. I really appreciated it!
Dan