logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Authenticate Apache2 against AD without entering password
Author
Mark F



Joined: 17 Nov 2006
Posts: 2

PostPosted: Fri 17 Nov '06 11:10    Post subject: Authenticate Apache2 against AD without entering password Reply with quote

Hello,

I need to set up a secure intranet within my school so that staff can access, but students can't. I have a debian sarge server running apache 2 with mod_auth_ldap, which I am authenticating against Active Directory on a Win2K server.

I have managed to get this working, but the user has to type in a user name and password.

All the users are browsing from Win2K or XP which are running identd.

Is it possible and safe to use this identd to grab the user name and use this to lookup in active directory. (Ie is it safe to assume that if identd passes a uid then that is the correct windows user).

I am operating within a secure network, so am not worried about an outside attack, but could a student send a staffs uid via an ident hack and gain access.

I could do this using php / perl to check before serving pages, but I'd prefer to do it via apache and keep the web pages simple.

Thanks,

Mark F


**** MY .htaccess file
AuthType Basic
AuthName "Test Authentication"

# DN of Active Directory server
AuthLDAPURL ldap://server/DC=server=uk?sAMAccountName

AuthLDAPBindDN "CN=ldap_lookup,OU=SysUsers,DC=myDC"
AuthLDAPBindPassword "xxxxxxxxx"

### currently only require valid user, will replace with group lookup later
require valid-user
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Mon 20 Nov '06 17:35    Post subject: Reply with quote

There is no way to use LDAP without a entering password! But if the staff pll allways use the same PCs with static IPs you can limit that per IP. But if the there is a multiple use for each PC, ypu have to enter a password.
Back to top
Mark F



Joined: 17 Nov 2006
Posts: 2

PostPosted: Mon 20 Nov '06 18:07    Post subject: Reply with quote

Thanks James,

I will be authenticating against IP as well (so staff logged on in a classroom don't get confidential data appear with the kids looking over the shoulder) But i was hoping to allow different access levels to different AD groups within the staff.

The staff will just have to type in a password a second time to enter a secure area - it won't kill them.

As an aside can anyone shed any light on the reliability of identd for me?

PS sorry for being off topic, I stupidly noticed that this is a "Windows" apache site after I'd registered and posted
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Mon 20 Nov '06 18:47    Post subject: Reply with quote

Quote:

But i was hoping to allow different access levels to different AD groups within the staff

Than you have to use more than one .htaccess files with different
require ldap-group

I'm not used to LDAP
Did you read the manual?
Back to top


Reply to topic   Topic: Authenticate Apache2 against AD without entering password View previous topic :: View next topic
Post new topic   Forum Index -> Apache