I recently made a centos lamp server running apache mysql and php. I have wordpress and phpbb3 installed and running on the server. The linux server is running in the same building as a windows 2003 server. Is there a way to connect the linux and windows server so that my website and forum is only viewable once the user logs into his windows account at his/her computer?

As of right now, anyone that is physically in the building and connected via ethernet will have access to my website and forum. I guess I want to restrict it to the specified users in the windows domain. I saw some stuff about ldap and active directory, but it's only confused me so much more. This is my first time setting up any form of server.

slm

2 Answers

Kerberos works but it may be easier to do it with LDAP alone in this case. Put the following in your VirtualHost settings for the wordpress site. With this config ldap.company.com needs to resolve to your AD Global Catalog(s) and you need an ID ldap-auth-svc with a password of Secretpassword so Apache has rights to access AD to authenticate the users. You may want to add a line Require ldap-group . Finally you need to run a2enmod authnz_ldap.

    AuthBasicProvider ldap
    AuthType basic
    AuthName "Use email as username"
    AuthLDAPURL "ldap://ldap.company.com:3268/ dc=company,dc=com?mail?sub?(&(objectClass=user)(!(objectClass=computer)))"
    AuthLDAPBindDN "CN=ldap-auth-svc,OU=ldap,OU=services,DC=site,DC=company,DC=com"
    AuthLDAPBindPassword Secretpassword
    AuthzLDAPAuthoritative on
    Order allow,deny
    require valid-user
    Allow from all

For Kerberos you want something like the following but it does NOT check group membership:

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    Krb5KeyTab /etc/krb5.keytab
    require valid-user

TheFiddlerWins
  • whoa I'm confused again. Would ldap, since added to wordpress, only restrict wordpress access or will it work with phpbb or the whole server too? – user187558 Aug 28 '13 at 16:01
  • Depends on how you set up your sites, you can put these settings in or etc. If you do (or whatever the board's URL is) it will work for anything under http://server.example.com/phpbb3. If you are doing it for everything on the box then set it in your location (assuming bb3 and wordpress share the same VirtualHost). – TheFiddlerWins Aug 28 '13 at 16:17
  • So let's say 192.1.1.1 is my ex ip. My wordpress location would be http://191.1.1.1/ and phpbb would be http://191.1.1.1/phpBB3. So what would I have to do to do the settings? <191.1.1.1/phpBB3> or I am still confused about ldap. Do I just install ldap or are those settings sufficient? – user187558 Aug 28 '13 at 16:45
  • If those are the only things on the server you can put it in the configuration for your server's default VirtualHost for /. In Ubuntu it's /etc/apache2/sites-enabled/000-default – TheFiddlerWins Aug 28 '13 at 16:54
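
To see exactly what the AuthLDAPURL in this answer asks Apache to do, here is an added Python example (not code from the answer or from Apache) that splits the URL into the parts mod_authnz_ldap documents and reports what a reviewer would raise: whitespace around the base DN, an unknown scope, an empty base DN, and a plain ldap:// connection over which each user's Basic-auth password is bound to the directory unencrypted. The ldaps://…:3269 variant used for comparison is an assumed corrected value, not from the answer.

```python
"""Parse and sanity-check an Apache AuthLDAPURL (added example, not code
from the answer). The grammar is the one mod_authnz_ldap documents:
scheme://host:port/basedn?attribute?scope?filter, with uid, sub and
(objectClass=*) as the defaults for the trailing parts."""
from urllib.parse import urlsplit

VALID_SCOPES = {"base", "one", "onelevel", "sub", "subtree"}

# The URL from the answer above, verbatim (note the space after the '/').
ANSWER_URL = ("ldap://ldap.company.com:3268/ dc=company,dc=com"
              "?mail?sub?(&(objectClass=user)(!(objectClass=computer)))")


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL into its parts, filling in Apache's defaults."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {p.scheme!r}")
    # urlsplit leaves the base DN in .path (after the leading '/') and the
    # '?'-separated attribute, scope and filter in .query
    attribute, scope, filt = (p.query.split("?", 2) + ["", ""])[:3]
    return {
        "scheme": p.scheme,
        "host": p.hostname,
        "port": p.port or (636 if p.scheme == "ldaps" else 389),
        "basedn": p.path[1:],
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def check_auth_ldap_url(url: str) -> list:
    """Return the problems a reviewer would raise about this URL."""
    u = parse_auth_ldap_url(url)
    problems = []
    if u["basedn"] != u["basedn"].strip():
        problems.append("whitespace around the base DN (stray space after '/')")
    if not u["basedn"].strip():
        problems.append("empty base DN")
    if u["scope"] not in VALID_SCOPES:
        problems.append(f"unknown scope {u['scope']!r}")
    if u["scheme"] == "ldap":
        # With AuthType basic every user's password is bound to the
        # directory; over plain ldap:// it crosses the network in clear
        # (use ldaps://, port 3269 for the Global Catalog, or
        # LDAPTrustedMode STARTTLS).
        problems.append("plain ldap://: bind credentials are sent unencrypted")
    return problems
```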
You can use an authentication mechanism for accessing the site. There are two good options if you want to use domain user authentication:

  1. Use kerberos with apache

  2. Set up a kerberos/negotiate/ntlm auth-aware proxy server (squid, TMG etc) and allow access only through it

UPDATE:

If you don't have a domain, then the only thing you can do without password authentication is to allow access for some IP addresses from your network with the access control directive of apache: http://httpd.apache.org/docs/2.2/howto/access.html

You must be sure that machine IP addresses won't change and will be static.

GioMac
  • When you say Kerberos it reminds me of the universities. Is it something that will prompt the user for his/her id/pw? I found this on squid http://www.cyberciti.biz/tips/howto-rhel-centos-fedora-squid-installation-configuration.html, but it's kind of confusing. Would these two methods you listed prompt the user for his/her information or allow him to connect with his windows domain if he/she is already logged in? – user187558 Aug 28 '13 at 15:33
  • No, it won't ask anything. Kerberos works with mutual authentication, passwords are never sent over the network, but the kerberos server (MS Domain server), client computer and proxy server all know each other and use cryptography. The user only has to enter their credentials when logging in to the client PC. – GioMac Aug 28 '13 at 15:37
  • LDAP auth will require passwords, but kerberos - not. – GioMac Aug 28 '13 at 15:39
  • Kerberos can require passwords depending on the browser & configuration. From domain authenticated Windows machines it usually wont but you have to tell Firefox/Chrome to permit it. Kerberos does not give you group membership the way LDAP will. – TheFiddlerWins Aug 28 '13 at 15:41
  • If machine is domain authenticated - both Firefox and Chrome work out of box in my network. Server (proxy) only needs to offer "negotiate" authentication before "ntlm" or "basic" etc. In case of squid it's enough to move these strings to the top. Regarding groups - groups are supported by the kerberos - it's easy to integrate, but I've done it via LDAP anyway. – GioMac Aug 28 '13 at 15:45
  • here's good, detailed manual for kerberos integrated squid, works for me 1-1: http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy – GioMac Aug 28 '13 at 15:46
  • @GioMac In his environment Kerberos would work for group information because AD has extended it, not all Kerberos servers support this (PAC). And your browser won't work on a phone or even a Kerberos authenticated Linux box without some configuration on the client side (with SSO, it should prompt and let you sign in fine). – TheFiddlerWins Aug 28 '13 at 15:53
  • We are running Windows 2003 R2. It works, doesn't ask anything in Firefox or Chrome. Is someone here running outdated Windows 2000? hm, not sure :) – GioMac Aug 28 '13 at 15:56
  • Would I need to install Active Directory on the windows server? I've never actually set foot in that room or touched the server. I'm afraid to, also. Would anything need to be done on the server of the windows domain? Can I just do everything from my linux box? So from what I am reading, Kerberos will connect to the AD, get the authentication it needs and if your account is authorized it will log you in to my server? or does it allow me to see my website/forum. – user187558 Aug 28 '13 at 16:03
  • If client computers are joined in the domain - you don't need to do anything on the windows machine. You only need to know the administrator password, so you can join the web or proxy server to the domain. – GioMac Aug 28 '13 at 16:04
  • Oh I would have to ask for the password then. Would I have to access the windows machine to find out its domain, proxy and the sorts? I am looking at GioMac's link and it seems to be a tutorial or guide. Can I just follow that to install kerberos? – user187558 Aug 28 '13 at 16:11
  • Yes, there were a few bugs in the tutorial, but already corrected. It works. You must have a domain with administrator access to the domain to do "passwordless" auth. For other options - see updated answer. – GioMac Aug 28 '13 at 16:13
  • Sorry if I am redundant, but just to confirm. The tutorial is now bug free or at least all the previous bugs have been corrected? I need a domain with admin access to do passwordless auth, which would be a user signing into a windows acc and not being prompted for any info but just being able to see my site? What do you mean by see updated answer? Do I just go on the server as admin and do ipconfig /all to see all the information I need to carry this out? – user187558 Aug 28 '13 at 16:47
  • Yes, that's correct. – GioMac Aug 28 '13 at 16:49
  • Okay would the steps be pretty similar if I am using centos 6 but the tutorial is for debian? Would the how to for centos 5 posted above be a better resource to use? – user187558 Aug 28 '13 at 16:50
  • Yes, configuration is similar. – GioMac Aug 28 '13 at 16:52
  • Alright sounds good. When you said "Yes, that's correct" was that towards my question of ipconfig /all to retrieve the info needed? – user187558 Aug 28 '13 at 16:53
  • Both :) But this is out of this question. You must be sure these addresses are static. If the address is assigned by a DHCP server, then the DHCP server must have static configuration for these hosts. – GioMac Aug 28 '13 at 16:54
  • aah, how do I tell if it is being assigned by a DHCP server? If the ipconfig says DHCP enabled does that mean it's being assigned by a server? Another side question, but what does this line from the tutorial mean: "On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works." – user187558 Aug 28 '13 at 16:56
  • I see you'll have dozen of these questions. There are many things to learn there. Google, read manuals etc – GioMac Aug 28 '13 at 16:58
  • Yes sir haha. Alright last last question that would need your expertise. While doing this and when (not if) I screw up, can this bring down the windows server? It doesn't matter if it brings down the linux box because I can spend time working on it, but the windows server was made by someone else plus has all the important stuff so I can't have that down. But yeah in short, when I mess up, will it affect the windows server in any way? Thanks GioMac and everyone else that helped! – user187558 Aug 28 '13 at 17:06
  • There are very small changes that only affect configuration specific to your new server, it should not - you should not touch existing records. – GioMac Aug 28 '13 at 17:07
  • From What I can tell, the changes on the windows server are just enabling programs that already exist to allow my new one to be accepted and most of the work will be done on my linux box right? I will do a bit more reading then try this out... hopefully I don't crash the windows server =(. Thank you everyone! – user187558 Aug 28 '13 at 17:17
  • In this video http://www.youtube.com/watch?v=ge_DAgwvbzA The person installs squid and integrates it to windows server 2008. If you skip to the end of the video. Everytime he accesses the internet he is prompted for information. Is this what the kerberos guide you gave me will be doing as well or will it just use the account that is already signed into. – user187558 Aug 28 '13 at 17:45
  • no no no and no :) – GioMac Aug 28 '13 at 17:46
  • is invoke-rc.d ntp restart equivalent to centos' service ntp restart? – user187558 Aug 28 '13 at 18:25
  • service ntpd restart – GioMac Aug 28 '13 at 18:28
  • For creating the A record, It would be the forward loop and ticking the reverse option to automatically create one based on the forward loop right? Can I ask what the network Id is and what is a dns computer name. I am following a guide on how to make the A record and it talks about the dns computer name. i tried doing a search but it seems people just say ipconfig /all but I don't know which value is the dns computer name.Is that step just me naming my linux computer like linserv or something? – user187558 Aug 28 '13 at 19:02
  • http://serverfault.com/help/dont-ask – GioMac Aug 28 '13 at 19:04
  • Understood, sorry. – user187558 Aug 28 '13 at 19:06
  • You need to understand how every component works, at least on some level. – GioMac Aug 28 '13 at 19:09
  • okay can I ask you one more question regarding the dig command? I ran it and received this: ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -x 192.168.1.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55341 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;1.1.168.192.in-addr.arpa. IN PTR ;; Query time: 2 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Fri Aug 30 11:03:26 2013 ;; MSG SIZE rcvd: 42 On the guide it said make sure it passes. How can I tell if it passed or failed? – user187558 Aug 30 '13 at 18:06
  • i see no question – GioMac Aug 30 '13 at 18:07
  • Oops I must have forgotten to ask. In the guide it put out a warning saying make sure the lookup worked before moving on. How can I tell if the lookup worked based on that received message? – user187558 Aug 30 '13 at 18:11
  • `ANSWER: 0`. No... – GioMac Aug 30 '13 at 18:15
  • I am now receiving .init. and stratum 16 with reach 0 and offset 0. I read that this means that the windows server has a non reliable time so ntp refuses to get timing. Before this my linux system did not have ntp installed at all. I just did a clean install for it and added. Server fileserver.local into the conf but now I have .INIT. – user187558 Aug 30 '13 at 18:58
  • This is not forum and this task is not a copy-paste thing. You must understand how EVERY component and protocol works. – GioMac Aug 30 '13 at 18:59
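
The last comments turn on how to read the dig -x output the Squid guide requires before joining the proxy to the domain. As an added example (not code from the thread or from the guide), this Python helper applies GioMac's criterion (status and ANSWER count) and goes one step further: it checks that the PTR record names the proxy's expected FQDN, since the HTTP/<fqdn> service principal in the keytab must agree with what DNS says about the host. The passing output and the name proxy.example.local are constructed; the failing output is the one quoted in the thread, reflowed.

```python
"""Decide whether a `dig -x <ip>` reverse lookup passed, as the
Squid/Kerberos guide in the thread requires (added example, not code from
the thread or the guide)."""
import re

DIG_STATUS = re.compile(r"status:\s*(\w+)")
DIG_COUNTS = re.compile(r"QUERY:\s*(\d+),\s*ANSWER:\s*(\d+)")
PTR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+PTR\s+(\S+)$", re.M)

# The failing output quoted in the thread (header lines only, reflowed).
NXDOMAIN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55341
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa.\tIN\tPTR
"""

# Constructed example of a passing lookup; proxy.example.local is made up.
GOOD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa.\tIN\tPTR
;; ANSWER SECTION:
1.1.168.192.in-addr.arpa. 3600\tIN\tPTR\tproxy.example.local.
"""


def reverse_lookup_passed(dig_output: str, expected_fqdn: str = ""):
    """Return (ok, reason). Passing means status NOERROR, ANSWER >= 1 and,
    when expected_fqdn is given, a PTR naming exactly that host: Kerberos
    service tickets are issued for HTTP/<fqdn>, so the proxy's forward and
    reverse DNS must agree."""
    status = DIG_STATUS.search(dig_output)
    counts = DIG_COUNTS.search(dig_output)
    if not status or not counts:
        return False, "no dig header found in output"
    if status.group(1) != "NOERROR":
        return False, f"status {status.group(1)}: no PTR record for this address"
    if int(counts.group(2)) == 0:
        return False, "ANSWER: 0, the server answered but returned no PTR"
    if expected_fqdn:
        names = {m.group(2).rstrip(".").lower() for m in PTR_LINE.finditer(dig_output)}
        if expected_fqdn.lower().rstrip(".") not in names:
            return False, f"PTR names {sorted(names)}, not {expected_fqdn}"
    return True, "reverse lookup OK"
```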