Topic: Authenticate Apache2 against AD without entering password |
Mark F
Joined: 17 Nov 2006 Posts: 2
|
Posted: Fri 17 Nov '06 11:10 Post subject: Authenticate Apache2 against AD without entering password |
|
|
Hello,
I need to set up a secure intranet within my school so that staff can access, but students can't. I have a Debian sarge server running Apache 2 with mod_auth_ldap, which I am authenticating against Active Directory on a Win2K server.
I have managed to get this working, but the user has to type in a user name and password.
All the users are browsing from Win2K or XP which are running identd.
Is it possible and safe to use this identd to grab the user name and use this to look it up in Active Directory? (I.e., is it safe to assume that if identd passes a uid then that is the correct Windows user?)
I am operating within a secure network, so am not worried about an outside attack, but could a student send a staff member's uid via an ident hack and gain access?
I could do this using php / perl to check before serving pages, but I'd prefer to do it via apache and keep the web pages simple.
Thanks,
Mark F
**** MY .htaccess file
AuthType Basic
AuthName "Test Authentication"
# DN of Active Directory server
AuthLDAPURL ldap://server/DC=server=uk?sAMAccountName
AuthLDAPBindDN "CN=ldap_lookup,OU=SysUsers,DC=myDC"
AuthLDAPBindPassword "xxxxxxxxx"
### currently only require valid user, will replace with group lookup later
require valid-user
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Mon 20 Nov '06 17:35 Post subject: |
|
|
There is no way to use LDAP without entering a password! But if the staff people always use the same PCs with static IPs you can limit that per IP. But if there is multiple use for each PC, you have to enter a password.
Mark F
Joined: 17 Nov 2006 Posts: 2
|
Posted: Mon 20 Nov '06 18:07 Post subject: |
|
|
Thanks James,
I will be authenticating against IP as well (so staff logged on in a classroom don't get confidential data appearing with the kids looking over the shoulder). But I was hoping to allow different access levels to different AD groups within the staff.
The staff will just have to type in a password a second time to enter a secure area - it won't kill them.
As an aside, can anyone shed any light on the reliability of identd for me?
PS sorry for being off topic, I stupidly noticed that this is a "Windows" Apache site after I'd registered and posted
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Mon 20 Nov '06 18:47 Post subject: |
|
|
Quote: |
But I was hoping to allow different access levels to different AD groups within the staff
|
Then you have to use more than one .htaccess file with different
require ldap-group
I'm not used to LDAP
Did you read the manual? |
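The setup discussed in this thread, an address restriction combined with per-group LDAP authorization in separate .htaccess files, as an added example that is not part of the original posts. The host name, base DN, group DNs, directory paths and subnet are constructed placeholders, and the syntax shown is for Apache 2.0's mod_auth_ldap.

```apache
# ---- /intranet/staff/.htaccess (constructed example) ----
# Network gate: only the staff subnet (placeholder range) may connect.
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
# Require BOTH the address check and the LDAP login, not either one.
Satisfy all

AuthType Basic
AuthName "Staff intranet"
# Look the typed user name up by sAMAccountName, searching the whole subtree.
AuthLDAPURL "ldap://dc.example.invalid/DC=example,DC=invalid?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "CN=ldap_lookup,OU=SysUsers,DC=example,DC=invalid"
AuthLDAPBindPassword "xxxxxxxxx"
# AD groups list their members as full DNs in the "member" attribute.
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
# Apache 2.0 mod_auth_ldap syntax; with mod_authnz_ldap (Apache 2.2 and
# later) this line is written "Require ldap-group <group DN>".
require group CN=Staff,OU=Groups,DC=example,DC=invalid

# ---- /intranet/staff/confidential/.htaccess (constructed example) ----
# Inherits everything above; the require line here replaces the parent's,
# so only members of the narrower group get in.
require group CN=Senior-Staff,OU=Groups,DC=example,DC=invalid
```

Basic authentication sends the AD password with every request in a trivially reversible encoding, so a configuration like this belongs behind HTTPS.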