Lennart's weblog

Open source, computers, Africa and other more (or less) interesting stuff.

Using Windows AD for Apache authentication

Recently I was setting up a Subversion repository (on a Linux server) that needs to be accessed via HTTP. Users should be able to connect to the repositories without authentication, but authentication is needed to perform write actions. Of course Apache’s htpasswd/htaccess combination would provide just that, but since we have a Windows 2008 Active Directory domain controller that provides authentication to our Windows machines I thought it would be a good idea to use it.

Configuration of the authentication and authorization is done by Apache’s mod_authnz_ldap and (on Red Hat EL) configured in /etc/httpd/conf.d/subversion.conf (which exists after installing the subversion package with yum).

Basic configuration with htaccess
For simple authentication with Apache’s htaccess mechanism the config looks like this:

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
 
<Location /repos>
   DAV svn
   SVNParentPath /var/www/svn
   SVNReposName "My company's repository"
 
   # Limit write permission to list of valid users.
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthType Basic
      AuthName "Authorization Realm for SVN"
      AuthUserFile /etc/httpd/conf.d/svn_htpasswd
      Require valid-user
 
   </LimitExcept>
</Location>

After using htpasswd to create a file with usernames and passwords on the server, users could commit to the repository.

Configuration for AD Global Catalog
The first LDAP-like construction I got working was when using the AD Global Catalog. Normal LDAP traffic uses port 389, but the AD’s Global Catalog uses port 3268. The username needed to commit with SVN is windows_logon_name@your_AD.suffix, the so-called userPrincipalName. Here, your_AD and suffix are the DCs of the LDAP/AD tree. By using this userPrincipalName, users from different DC trees can be authenticated. The configuration file looks like this:

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
 
<Location /repos>
    DAV svn
    SVNParentPath /var/www/svn
    SVNReposName "My company's repository"
 
    # Limit write permission to list of valid users.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthType Basic
      AuthName "Authorization using your LDAP account"
      AuthBasicProvider ldap
      AuthzLDAPAuthoritative off
      # Active Directory requires an authenticating DN to access records
      AuthLDAPBindDN "svntest@your_AD.suffix"
 
      # This is the password for the AuthLDAPBindDN user in Active Directory
      AuthLDAPBindPassword "some_good_password"
 
      # The LDAP query URL
      AuthLDAPURL "ldap://ldap.your_company.com:3268/?userPrincipalName?sub"
      AuthUserFile /dev/null
 
      # Require a valid user
      Require valid-user
    </LimitExcept>
</Location>

With this configuration I could commit with this command: svn commit -m "First AD test" --username your_windows_username@your_AD.suffix.

Configuration for AD + Windows logon Name
As mentioned earlier, the previous method allows people from different parts of the AD tree to log in. In order to restrict access to, for example, a specific OU, the AuthLDAPURL has to be changed. In our case the LDAP tree is not a simple OU=Users,DC=our_company,DC=com, but consists of several nested OU structures. I used the adsiedit.msc snap-in (ADSI Editor) on the AD controller to find out the exact structure, since I needed to know which parts were CNs and which were OUs.
In order to authenticate against the Windows logon names in a certain sub-OU the AuthLDAPURL is:

AuthLDAPURL "ldap://ldap.your_company.com:389/OU=Group 1, OU=Location 1, DC=your_AD, DC=suffix?sAMAccountName?sub?(objectClass=*)"

Configuration for AD + Windows Display Name
If you want the users to use their common name (the Display Name in the AD) use:

AuthLDAPURL "ldap://ldap.your_company.com:389/OU=Group 1, OU=Location 1, DC=your_AD, DC=suffix?cn"

Users can now commit with: svn commit -m "Another AD test" --username "Firstname Lastname".

Configuration for AD + another field
In our case login authentication on the Linux/UNIX machines is not done through the AD. Furthermore, the user names are not synchronised between Linux and Windows. This poses a small inconvenience, since by default an svn commit uses the Linux username. As the AD doesn’t know about this name, the first authentication fails. Subsequently Apache asks for the user name, and then the user can enter his Windows AD credentials (principal name, display name or Windows logon name, depending on which of the above configurations was chosen). So as a quick workaround (and just to see if I could get it to work) I entered my Linux user name into the Office field in the AD. In the ADSI Editor I found the real name of the field: physicalDeliveryOfficeName. With the following AuthLDAPURL I could use the Office field to authenticate me:

AuthLDAPURL "ldap://ldap.your_company.com:389/OU=Group 1, OU=Location 1, DC=your_AD, DC=suffix?physicalDeliveryOfficeName"

Now a simple svn commit works.
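To see what each of the AuthLDAPURL variants above actually asks the domain controller for, here is an added example (my own code, not part of the original post and not mod_authnz_ldap's source) that re-implements the URL-to-search mapping the module performs: the RFC 4516 URL is split into host, port, base DN, attribute, scope and filter, the defaults documented for the module are applied, and the username typed at the Basic-auth prompt is escaped per RFC 4515 before it is placed into the final (&(filter)(attribute=username)) filter. It runs offline: the four URLs are the ones from the post, while the usernames ("jdoe", "Firstname Lastname", the hostile "*)(cn=*") and the bind DN passed to the ldapsearch helper are constructed sample values, and the bind with AuthLDAPBindDN/AuthLDAPBindPassword is not modelled.

```python
"""Added example, not code from the original post or from mod_authnz_ldap.

mod_authnz_ldap reads AuthLDAPURL as an RFC 4516 LDAP URL,
    scheme://host[:port]/basedn?attribute?scope?filter
and, for a user who typed NAME at the Basic-auth prompt, searches basedn for
    (&(filter)(attribute=NAME))
then binds as the entry it found with the supplied password.  Only that
mapping is re-implemented here; no server is contacted.
"""
import shlex
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Defaults documented for mod_authnz_ldap: attribute "uid", scope "sub"
# (a "base" scope in the URL is also treated as "sub"), filter (objectClass=*).
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_FILTER = "(objectClass=*)"

# RFC 4515 escaping for a value embedded in a search filter.  mod_authnz_ldap
# escapes these same characters; without it a username like "*)(cn=*" would
# rewrite the filter instead of being matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


@dataclass
class LdapSearch:
    scheme: str
    host: str
    port: int
    base_dn: str    # "" means the root, which is what the Global Catalog URL uses
    attribute: str  # attribute compared against the typed username
    scope: str      # "one" or "sub"
    filter: str     # extra filter, AND-ed with the attribute match


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is a literal inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> LdapSearch:
    """Split an AuthLDAPURL into its parts, applying the module's defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("AuthLDAPURL needs a host name")
    # 389/636 are the plain LDAP defaults; AD's Global Catalog answers on 3268/3269.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    # Everything after the first "?" is attribute?scope?filter, each optional.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    scope = scope.lower() if scope.lower() in ("one", "sub") else "sub"
    return LdapSearch(scheme=parts.scheme, host=parts.hostname, port=port,
                      base_dn=base_dn, attribute=unquote(attribute) or DEFAULT_ATTRIBUTE,
                      scope=scope, filter=unquote(filt) or DEFAULT_FILTER)


def build_search_filter(search: LdapSearch, username: str) -> str:
    """The filter the module sends: (&(filter)(attribute=<escaped username>))."""
    return "(&%s(%s=%s))" % (search.filter, search.attribute, escape_filter_value(username))


def ldapsearch_argv(search: LdapSearch, username: str, bind_dn: str) -> list:
    """Equivalent ldapsearch command line for checking a URL by hand
    (-W prompts for the bind password rather than putting it on the command line)."""
    return ["ldapsearch", "-x", "-LLL",
            "-H", "%s://%s:%d" % (search.scheme, search.host, search.port),
            "-D", bind_dn, "-W", "-b", search.base_dn, "-s", search.scope,
            build_search_filter(search, username), "dn"]


# The four AuthLDAPURL variants from the post.
POST_URLS = {
    "Global Catalog, userPrincipalName":
        "ldap://ldap.your_company.com:3268/?userPrincipalName?sub",
    "sub-OU, Windows logon name":
        "ldap://ldap.your_company.com:389/OU=Group 1, OU=Location 1, DC=your_AD, DC=suffix"
        "?sAMAccountName?sub?(objectClass=*)",
    "sub-OU, display name":
        "ldap://ldap.your_company.com:389/OU=Group 1, OU=Location 1, DC=your_AD, DC=suffix?cn",
    "sub-OU, Office field":
        "ldap://ldap.your_company.com:389/OU=Group 1, OU=Location 1, DC=your_AD, DC=suffix"
        "?physicalDeliveryOfficeName",
}

if __name__ == "__main__":
    for label, url in POST_URLS.items():
        search = parse_auth_ldap_url(url)
        print(label)
        print("  base DN:", search.base_dn or "(root; the Global Catalog covers the whole forest)")
        print("  scope  :", search.scope)
        print("  filter :", build_search_filter(search, "jdoe"))  # "jdoe" is a constructed name
    # A filter-injection attempt in the username ends up as a literal, not a wildcard.
    cn_search = parse_auth_ldap_url(POST_URLS["sub-OU, display name"])
    print(build_search_filter(cn_search, "*)(cn=*"))
    print(shlex.join(ldapsearch_argv(cn_search, "Firstname Lastname", "svntest@your_AD.suffix")))
```

Running it prints, for each variant, the base DN, scope and the filter the module would send for the constructed name "jdoe"; the Global Catalog URL has an empty base DN, which is why it can authenticate accounts from any domain in the forest, whereas the other three are confined to the nested OU. The penultimate line shows that a username crafted to widen the search is escaped into a literal value, and the last line is the ldapsearch command that performs the same query, which is the quickest way to find out why a given URL returns no entries before putting it into Apache.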

Some useful links:

34 Comments

  1. Hi, I am trying to set up this URL AuthLDAPURL "ldap://ldap.your_company.com:3268/?userPrincipalName?sub" for my domain. How could I get the right parameters for this?
    I am using ldapsearch -x -H ldap://10.2.1.23:3268 -LLL -b "cn=Users,DC=DOMAIN,DC=COM" -s base '(objectClass=*)' -W -D username@domain.com
    But it does not return any login info.
    How could I get the right URL?

  2. This HOWTO worked for me.



© 2019 Lennart's weblog
