
I'm running Apache 2 and I need to authenticate users from multiple AD domains in one <Location/>. I tried using mod_authn_alias.

OS: Debian GNU/Linux Squeeze with latest updates
Apache/2.2.16

Modules

/etc/apache2/apache.conf:

<AuthnProviderAlias ldap first-ldap>
    AuthLDAPURL "ldap://win2003server:389/DC=first,DC=domain?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "cn=user1,cn=Users,dc=first,dc=domain"
    AuthLDAPBindPassword "user1"
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthLDAPURL "ldap://win2008server:3268/DC=second,DC=domain?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "cn=user2,cn=Users,dc=second,dc=domain"
    AuthLDAPBindPassword "user2"
</AuthnProviderAlias>

/etc/apache2/sites-enabled/000default:

<Location /test>

    Order allow,deny
    Allow from all

    AuthType Basic
    AuthBasicProvider first-ldap second-ldap
    AuthName "TEST"
    AuthzLDAPAuthoritative off
    require valid-user

</Location>

With this configuration it authenticates users from the first domain, and for users from the second domain it gives an error:

 [Fri Sep 16 20:54:39 2011] [info] [client 10.0.0.62] [25672] auth_ldap authenticate: user2 user2 authentication failed; URI /test/ [ldap_simple_bind_s() to check user2 credentials failed][Invalid credentials]

When I leave only AuthBasicProvider second-ldap, users from the second domain can authenticate successfully, so the second domain's LDAP is OK.

Does anyone know a solution to force mod_authn_alias to work?

quanta
Selivanov Pavel

2 Answers


I don't know how to make Apache do what you want. However, you can set up OpenLDAP as a proxy in front of multiple AD instances using either the ldap or meta backends, and this will get you effectively the same behavior. You point Apache at your OpenLDAP proxy, and then OpenLDAP talks to your AD servers.

Here is my write-up on using the meta backend. This is more of a starting point than an actual solution.

I'm actually using OpenLDAP as a proxy right now to authenticate against three separate directories -- one AD domain, one remote LDAP server, and a local LDAP directory.

larsks
  • Thank you for the answer :) I will probably use this solution if I don't find a way to make mod_authn_alias work. But it's overkill for this task, and it creates an additional single point of failure, which decreases the stability of the whole infrastructure. – Selivanov Pavel Sep 16 '11 at 20:47

I have found the way to a solution here: authenticating-apache-httpd-against-multiple-ldap-servers-with-expired-accounts

For testing I used a user account from the second domain that had a namesake disabled account in the first domain. Deleting the disabled account helped, but deleting accounts in an AD domain is bad practice: you can end up with objects that have unknown security descriptors. I created an LDAP filter to eliminate disabled users, and now everything works fine :)

/etc/apache2/apache2.conf:

<AuthnProviderAlias ldap first-ldap>
    AuthLDAPURL "ldap://win2003server:389/DC=first,DC=domain?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" NONE
    AuthLDAPBindDN "cn=user1,cn=Users,dc=first,dc=domain"
    AuthLDAPBindPassword "user1"
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthLDAPURL "ldap://win2008server:3268/DC=second,DC=domain?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user))" NONE
    AuthLDAPBindDN "cn=user2,cn=Users,dc=second,dc=domain"
    AuthLDAPBindPassword "user2"
</AuthnProviderAlias>

Note that this filter works for an AD domain with functional level "Windows 2000 native" and doesn't work for an AD domain with functional level "Windows Server 2003"; I don't know why.

Selivanov Pavel
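To make the mechanism behind the accepted fix visible, here is an added Python example (not code from the question or either answer). It parses the exact LDAP filters shown on this page, evaluates them against a small constructed "directory" for each domain, and reproduces the mod_auth_basic provider loop, in which only a user-not-found result falls through to the next AuthnProviderAlias while a failed bind ends the chain. The entries, passwords and the simplified bind check are constructed for illustration; nothing here contacts a real LDAP server, and the real mod_authnz_ldap also escapes the username before building the search filter.

```python
"""Why chaining two ldap AuthnProviderAlias entries stopped at the first domain,
and why excluding disabled accounts with the userAccountControl bitwise filter
fixes it.  Offline simulation with constructed data."""

# Filters copied from the configs on the page (OLD = question, NEW = answer).
OLD_FILTER = "(objectClass=*)"
NEW_FIRST_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
NEW_SECOND_FILTER = "(&(objectCategory=person)(objectClass=user))"

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # AD extensible match: all bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # AD extensible match: any bit set
UF_ACCOUNTDISABLE = 0x2     # the userAccountControl bit the answer's filter tests
UF_NORMAL_ACCOUNT = 0x200

# Constructed sample entries (attribute -> list of string values, plus a private
# "_password" for the simulated bind).  "user2" exists in both domains; the copy
# in the first domain is disabled, the situation the answer describes.
_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
FIRST_DOMAIN = [
    {"sAMAccountName": ["user2"], "objectCategory": ["person"], "objectClass": _USER_CLASSES,
     "userAccountControl": [str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)], "_password": "forgotten"},
    {"sAMAccountName": ["alice"], "objectCategory": ["person"], "objectClass": _USER_CLASSES,
     "userAccountControl": [str(UF_NORMAL_ACCOUNT)], "_password": "alice-pw"},
]
SECOND_DOMAIN = [
    {"sAMAccountName": ["user2"], "objectCategory": ["person"], "objectClass": _USER_CLASSES,
     "userAccountControl": [str(UF_NORMAL_ACCOUNT)], "_password": "user2"},
]

USER_NOT_FOUND, DENIED, GRANTED = "USER_NOT_FOUND", "DENIED", "GRANTED"


def parse_filter(text):
    """Parse the RFC 4515 subset used on the page: &, |, !, equality,
    presence (attr=*) and the extensible match attr:OID:=value."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        if ":" in attr:                       # attr:matchingrule:=value
            attr, rule = attr.split(":", 1)
            return ("ext", attr, rule.strip(":"), value)
        return ("eq", attr, value)

    result = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return result


def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively, as AD does)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1])
    if not values:
        return False
    if kind == "eq":
        return node[2] == "*" or any(v.lower() == node[2].lower() for v in values)
    rule, mask = node[2], int(node[3])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any(int(v) & mask == mask for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return any(int(v) & mask != 0 for v in values)
    raise ValueError("unsupported matching rule " + rule)


def ldap_provider(directory, url_filter, username, password):
    """One AuthnProviderAlias: search for (&(<URL filter>)(sAMAccountName=<user>)),
    then bind as the matched entry.  AD refuses a bind for a disabled account."""
    search = parse_filter("(&%s(sAMAccountName=%s))" % (url_filter, username))
    hits = [e for e in directory if matches(search, e)]
    if not hits:
        return USER_NOT_FOUND                  # the next provider may still try
    entry = hits[0]
    disabled = int(entry["userAccountControl"][0]) & UF_ACCOUNTDISABLE
    if disabled or entry["_password"] != password:
        return DENIED                          # "ldap_simple_bind_s() ... failed"
    return GRANTED


def auth_basic_provider(providers, username, password):
    """mod_auth_basic's loop: only USER_NOT_FOUND falls through to the next alias."""
    for name, directory, url_filter in providers:
        result = ldap_provider(directory, url_filter, username, password)
        if result != USER_NOT_FOUND:
            return name, result
    return None, USER_NOT_FOUND


OLD_CHAIN = [("first-ldap", FIRST_DOMAIN, OLD_FILTER), ("second-ldap", SECOND_DOMAIN, OLD_FILTER)]
NEW_CHAIN = [("first-ldap", FIRST_DOMAIN, NEW_FIRST_FILTER), ("second-ldap", SECOND_DOMAIN, NEW_SECOND_FILTER)]

if __name__ == "__main__":
    for label, chain in (("question's filters", OLD_CHAIN), ("answer's filters", NEW_CHAIN)):
        print(label, "user2 ->", auth_basic_provider(chain, "user2", "user2"))
```

With the question's `(objectClass=*)` filter the disabled namesake in the first domain is found, the bind fails, and the chain ends with DENIED, which is exactly the log line in the question. With the answer's filter the disabled entry is invisible to first-ldap, so the result is USER_NOT_FOUND, the loop moves on to second-ldap, and the bind there succeeds.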