ActiveDirectoryAuthenticationNotes
Annotated edit history of ActiveDirectoryAuthenticationNotes version 16, including all changes.

I needed to authenticate a website for a school against an Active Directory server today. I found the job surprisingly easy.

My first attempt was using a pam_smb module and an Apache PAM module. This worked well, but had a couple of flaws:
* You could only have one /etc/pam.d/ file for Apache, so if you wanted different styles of authentication you were out of luck. Doh.
* The pam_smb module doesn't support groups, so I couldn't have an area just for Teachers only.

Oh well, scrapped that idea.

I looked at the SMB modules for Apache. This was a port of the pam_smb module to the Apache API; it didn't really gain me much, except that it removed the limitation of one /etc/pam.d/ file for Apache. Not that this was really much of a problem if you didn't have group support.

My final approach to the problem was an LDAP authentication module for Apache. This hit the nail on the head.

The major stumbling block I had was trying to find out the BaseDN. If you bind anonymously you can't search or do anything useful. To bind as someone useful, you have to know their DN, including the BaseDN. It turns out the BaseDN is the name of the 'domain' with dc[1]'s inserted, so if your domain is 'example.com', your BaseDN is dc=example,dc=com. I'm not sure if this can be configured to be something else.

I had to learn how to write LDAP URLs, but it was dead basic. The configuration I used was:

    <Directory /var/www/staff>
    AuthLDAPURL ldap://ads.example.com:389/OU=Users,OU=Teachers,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN cn=user,cn=Users,dc=example,dc=com
    AuthLDAPBindPassword password-here
    AuthType Basic
    AuthName "Mumble School Intranet"
    require valid-user
    </Directory>

/var/www/staff should be the path that you want to secure.

''ads.example.com'' should be the hostname of your AD server. I suspect you can use something like _ldap._tcp.''example.com'' here, but I didn't experiment; comments anyone?

''user'' should be some user which has read privilege to the directory (which is likely to be a full name with a space, so you may need to put double quotes around the entire string following AuthLDAPBindDN).

''password-here'' should be the password of ''user''.


And voila! It worked.

You can test the LDAP side of Active Directory by using:
ldapsearch -x -b ''basedn'' -D cn=''user'',cn=Users,dc=example,dc=com -W
;-x:use simple auth. I never got the non-simple auth to work.
;-b:use this base DN
;-D:use this as the DN to bind as
;-W:prompt for the bind DN's password

The URL is:
ldap://''hostname'':389/''search basedn''?''username attribute''?''search type''?''search filter''

where:
;hostname:is the hostname of the LDAP server
;search basedn:is the root of the search you're going to do
;username attribute:is the name of the attribute holding the username
;search type:is 'sub' for subtree
;search filter:is a filter to apply; we only want to return users (since we don't want people doing something silly like authenticating as a printer or a domain name)

sAMAccountName is the LDAP attribute Active Directory uses for storing the username.
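As an added example that is not part of the original page, the Python below applies the BaseDN rule and the URL layout described above, and shows why the search filter matters: it combines the URL's filter with the login name in the (&(filter)(attribute=user)) shape that mod_auth_ldap's documentation describes, escaping the name per RFC 4515 so it cannot change the filter's structure. The function names are my own, the defaults for missing URL fields (port 389/636, attribute uid, scope sub, filter (objectClass=*)) are the documented mod_auth_ldap ones, and nothing here is taken from the module's own C code.

```python
# Added example: helpers for the AuthLDAPURL form and the BaseDN rule
# described in the notes above. All names are my own (hypothetical).
from urllib.parse import urlsplit, unquote


def domain_to_basedn(domain):
    """Apply the rule the notes observed: 'example.com' -> 'dc=example,dc=com'."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def parse_ldap_url(url):
    """Split ldap://host:port/basedn?attr?scope?filter into its parts.

    Missing fields get the defaults mod_auth_ldap documents: port 389
    (636 for ldaps), attribute 'uid', scope 'sub', filter '(objectClass=*)'.
    AD needs the attribute set explicitly to sAMAccountName.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))      # pad so all three are present
    attr, scope, flt = fields[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attr or "uid",
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
    }


# RFC 4515 escapes for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(attribute, username, base_filter="(objectClass=*)"):
    """Combine the URL's filter with the login name: (&(<filter>)(<attr>=<name>)).

    With the page's filter this yields (&(objectClass=user)(sAMAccountName=jim)),
    so a printer or domain object with a matching name can never satisfy it.
    """
    return "(&%s(%s=%s))" % (base_filter, attribute, escape_filter_value(username))


if __name__ == "__main__":
    url = ("ldap://ads.example.com:389/OU=Users,OU=Teachers,DC=example,DC=com"
           "?sAMAccountName?sub?(objectClass=user)")
    cfg = parse_ldap_url(url)
    print(domain_to_basedn("example.com"))
    print(cfg)
    print(build_user_filter(cfg["attribute"], "jim", cfg["filter"]))
    # A name containing filter metacharacters is neutralised, not interpreted.
    print(build_user_filter(cfg["attribute"], "*)(cn=*", cfg["filter"]))
```

The last call shows what the escaping buys you: without it, a login name carrying `*`, `(` or `)` would be spliced into the filter as syntax, with it the characters become `\2a`, `\28` and `\29` and only match literally.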

!!IMPORTANT NOTE FOR WINDOWS PEOPLE

Note that Windows doesn't provide any really useful ways of seeing the LDAP structure, and thus knowing how to construct your LDAP queries can be tricky. There is a very helpful tool called "Ldp.exe" in the Windows Support Tools package (see http://support.microsoft.com/default.aspx?scid=kb;en-us;301423 - and note that there is an article for win2k3 also). Using this tool can be fairly intimidating. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;224543 for an overview.

[1]: Domain Component
----
!!Round Two!

Going back to this, we found a problem. This appeared in Apache's error log:
[Mon Mar 17 16:36:07 2003] [error] [client 210.54.31.4] Too many failures connecting to LDAP server
This is caused by mod_ldap trying to use [LDAP] v2, which appears to cause some (unspecified) problems with Active Directory. So I found a patch by Jeff Costlow (j.costlow at f5.com) (may whatever deity he worships provide him with many years of good health and fortune) which allows you to force [LDAP] version 3.

This prevents the error above from occurring, and now only authorised people can log in.

There is a nasty security flaw in mod_ldap: while that error is appearing in your logs you can log in as __''any''__ user (even if that user doesn't exist). This is because when that error occurs mod_ldap fails and returns 0. However, 0 turns out to mean "success" instead of "failure". Oops!

----
!!Changing passwords

The following was posted to the NT BugTraq list (don't ask), and I thought it may be appropriate.

Here is the code I use to change a password in Active Directory. It uses the perl-ldap module from http://perl-ldap.sourceforge.net/

The perl-ldap FAQ provides examples of Active Directory password resets and normal LDAP password resets:
[http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/FAQ.pod]
(or perldoc Net::LDAP::FAQ)

It is part of a bigger program that we use to synchronize our LDAP to Active Directory. (One-way synchronization from LDAP to AD, except for passwords, which are two-way.) I have reduced it down to a simple command line program that reads name & password from stdin. It does a very simplistic unicode conversion that will fail for non-ASCII characters. Feel free to use it for whatever you like.

Example:

% chg_passwd.pl
jim supersecret

Code:

#!/usr/local/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

my($Ad, $mesg, $uid, $pass, $npass, $dn, $rtn);

# Read "username password" from the first line of stdin
($uid, $pass) = split(" ", <STDIN>);

if (!defined $uid or $uid eq "" or !defined $pass or $pass eq "") {
    print "Uid and/or password missing in input\n";
    exit 1;
}

print "Trying to set $uid to password $pass\n";

# Bind to the AD server. LDAPS is needed: AD refuses to set unicodePwd
# over an unencrypted connection.

$Ad = Net::LDAPS->new("dc.test.uva.nl", version => 3)
    or do { print "Unable to connect to AD server\n"; exit 2; };
$mesg = $Ad->bind(dn => "CN=ad,OU=Admin,DC=test,DC=uva,DC=nl",
                  password => "gandalf");
if ($mesg->code) {
    print "Unable to bind to AD server: ", $mesg->error, "\n";
    exit 2;
}

# Do an AD lookup to get the dn for this user,
# then change their password. The uid is escaped so that it
# cannot change the shape of the search filter.

$mesg = $Ad->search(base   => "DC=s-res,DC=uva,DC=nl",
                    filter => "(cn=" . escape_filter_value($uid) . ")");
if ($mesg->code or $mesg->count != 1) {
    print "AD lookup failed for user $uid\n";
    exit 3;
}

# Add quotes and convert to UTF-16LE by putting a NUL after each byte
# (only correct for ASCII passwords)
$npass = "";
$npass .= "$_\000" for split(//, "\"$pass\"");

# Now change it
$dn = $mesg->entry(0)->dn;

$rtn = $Ad->modify($dn, replace => { "unicodePwd" => $npass });
if ($rtn->code != 0) {
    print "User $uid, setting password failed: ", $rtn->error, "\n";
    exit 2;
}

print "Password for $uid changed in AD\n";
exit 0;
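As an added example, not code from the post above or from perl-ldap, the Python below shows the byte layout the script writes into unicodePwd (the password in double quotes, UTF-16LE, no byte-order mark), reproduces the post's per-byte loop, and demonstrates the non-ASCII failure the author mentions by comparing the two. The function names are my own.

```python
# Added example: the unicodePwd value format used by the Perl script above.
# All function names are my own (hypothetical), not perl-ldap's.


def encode_unicode_pwd(password):
    """Value AD expects in unicodePwd: the password wrapped in double
    quotes and encoded as UTF-16LE with no byte-order mark."""
    return ('"%s"' % password).encode("utf-16-le")


def naive_encode(password):
    """Reproduce the post's loop ("$_\\000" for each character read from
    stdin): every input byte followed by a NUL. Right only for ASCII."""
    raw = ('"%s"' % password).encode("utf-8")   # bytes as the script reads them
    return b"".join(bytes([b, 0]) for b in raw)


def decode_unicode_pwd(value):
    """Inverse of encode_unicode_pwd; raises if the quoting is missing."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not quoted")
    return text[1:-1]


def encodings_agree(password):
    """True when the post's byte loop and the proper UTF-16LE form coincide."""
    return naive_encode(password) == encode_unicode_pwd(password)


if __name__ == "__main__":
    for pw in ("supersecret", "p\u00e4ss"):        # constructed sample passwords
        print(pw, encode_unicode_pwd(pw).hex(), naive_encode(pw).hex(),
              "agree" if encodings_agree(pw) else "DIFFER")
```

For an ASCII password both functions produce identical bytes, which is why the script works for names like "jim supersecret"; for "päss" the UTF-8 bytes c3 a4 each get a NUL appended and AD would store a two-character string that is not "ä", so a proper UTF-16LE conversion is the fix.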
----

Another good method for authentication with Apache is to use one of the WebISOs (web initial sign-on); see http://middleware.internet2.edu/webiso/ . In particular the WebISO provided by http://www.pubcookie.org is flexible and can be used with IIS as well. It can authenticate against LDAP, Kerberos, the Unix password file (/etc/shadow), or PAM modules. It gives single sign-on to web apps.

CategoryInteroperability
The following authors of this page have not agreed to the WlugWikiLicense. As such copyright to all content on this page is retained by the original authors.
  • BrianCain
  • CalRacey
The following authors of this page have agreed to the WlugWikiLicense.
