Multiple authentication sources (OUs) - AuthnProviderAlias

Multiple authentication sources (OUs) - AuthnProviderAlias

am 26.10.2009 22:43:33 von Brian Banaszynski

--_000_455DEDE840BCCA44840E7033AC282E8847D1B46F8BDSMEX01dsmn et_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

We are trying to allow Apache to authenticate users to a certain site based=
on being in one of 3 OU designations in AD.
3. A specific client OU (Client ABC in our example)
1. Service Accounts
2. Internal Support

We have set up 3 "AuthnProviderAlias" directives.
Notably, all the alias definitions use the same AuthLDAPBindDN, AuthLDAPBin=
dPassword and only slight changes to the " AuthLDAPURL" specifying the OU f=
or each grouping.


AuthLDAPBindDN ""
AuthLDAPBindPassword "test"
AuthLDAPURL "ldap://util.joesgarage.com:3268/OU=3DClient ABC,OU=3DExtern=
al,OU=3DALL_Users,DC=3Djoesgarage,DC=3Dcom?sAMAccountName?su b?(objectClass=
=3Duser)"



AuthLDAPBindDN ""
AuthLDAPBindPassword "test"
AuthLDAPURL ldap://util.joesgarage.com:3268/OU=3DSERVICE ACCOUNTS,OU=3DI=
nternal,OU=3DALL_Users,DC=3Djoesgarage,DC=3Dcom?sAMAccountNa me?sub?(objectC=
lass=3Duser)"



AuthLDAPBindDN ""
AuthLDAPBindPassword "test"
AuthLDAPURL "ldap://util.joesgarage.com:3268/OU=3DINTERNAL SUPPORT,OU=3D=
Internal,OU=3DALL_Users,DC=3Djoesgarage,DC=3Dcom?sAMAccountN ame?sub?(object=
Class=3Duser)"



Our "Directory" directive is set to try each of these aliases (different OU=
s in the same directory) in order until a match is found:


....
AuthBasicProvider CLIENT_ABC SERVICE_ACCOUNTS INTERNAL_SUPPORT
AuthType Basic
AuthName "Client ABC Login"
AuthzLDAPAuthoritative off
Require valid-user


This doesn't seem to work. I know your thinking - "why not just use groups=
"? Ans: Simply because we don't want to have to maintain groups for our ma=
ny clients. We would like to rely on the client user's presence in the OU =
(and allow our service accounts and support personnel at the same time to a=
ll sites)

Is this a bug or is there a better way to accomplish this?

Regards,
Brian

--_000_455DEDE840BCCA44840E7033AC282E8847D1B46F8BDSMEX01dsmn et_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" xmlns:p=3D"urn:schemas-m=
icrosoft-com:office:powerpoint" xmlns:a=3D"urn:schemas-microsoft-com:office=
:access" xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s=3D"=
uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs=3D"urn:schemas-microsof=
t-com:rowset" xmlns:z=3D"#RowsetSchema" xmlns:b=3D"urn:schemas-microsoft-co=
m:office:publisher" xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadshee=
t" xmlns:c=3D"urn:schemas-microsoft-com:office:component:spread sheet" xmlns=
:odc=3D"urn:schemas-microsoft-com:office:odc" xmlns:oa=3D"urn:schemas-micro=
soft-com:office:activation" xmlns:html=3D"http://www.w3.org/TR/REC-html40" =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc=3D"http://m=
icrosoft.com/officenet/conferencing" xmlns:D=3D"DAV:" xmlns:Repl=3D"http://=
schemas.microsoft.com/repl/" xmlns:mt=3D"http://schemas.microsoft.com/share=
point/soap/meetings/" xmlns:x2=3D"http://schemas.microsoft.com/office/excel=
/2003/xml" xmlns:ppda=3D"http://www.passport.com/NameSpace.xsd" xmlns:ois=
=3D"http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir=3D"http://=
schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds=3D"http://www.w3=
..org/2000/09/xmldsig#" xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint=
/dsp" xmlns:udc=3D"http://schemas.microsoft.com/data/udc" xmlns:xsd=3D"http=
://www.w3.org/2001/XMLSchema" xmlns:sub=3D"http://schemas.microsoft.com/sha=
repoint/soap/2002/1/alerts/" xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#"=
xmlns:sp=3D"http://schemas.microsoft.com/sharepoint/" xmlns:sps=3D"http://=
schemas.microsoft.com/sharepoint/soap/" xmlns:xsi=3D"http://www.w3.org/2001=
/XMLSchema-instance" xmlns:udcs=3D"http://schemas.microsoft.com/data/udc/so=
ap" xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile " xmlns:udc=
p2p=3D"http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf=3D"http:/=
/schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss=3D"http://sche=
mas.microsoft.com/office/2006/digsig-setup" xmlns:dssi=3D"http://schemas.mi=
crosoft.com/office/2006/digsig" xmlns:mdssi=3D"http://schemas.openxmlformat=
s.org/package/2006/digital-signature" xmlns:mver=3D"http://schemas.openxmlf=
ormats.org/markup-compatibility/2006" xmlns:m=3D"http://schemas.microsoft.c=
om/office/2004/12/omml" xmlns:mrels=3D"http://schemas.openxmlformats.org/pa=
ckage/2006/relationships" xmlns:spwp=3D"http://microsoft.com/sharepoint/web=
partpages" xmlns:ex12t=3D"http://schemas.microsoft.com/exchange/service s/20=
06/types" xmlns:ex12m=3D"http://schemas.microsoft.com/exchange/service s/200=
6/messages" xmlns:pptsl=3D"http://schemas.microsoft.com/sharepoint/soap/ Sli=
deLibrary/" xmlns:spsl=3D"http://microsoft.com/webservices/SharePointPor tal=
Server/PublishedLinksService" xmlns:Z=3D"urn:schemas-microsoft-com:" xmlns:=
st=3D"" xmlns=3D"http://www.w3.org/TR/REC-html40">


>









We are trying to allow Apache to authenticate users to=
a
certain site based on being in one of 3 OU designations in AD. p>

3.  A specific client OU (Client ABC in our examp=
le)



1.  Service Accounts



2.  Internal Support



 



We have set up 3 “AuthnProviderAlias”
directives.



Notably, all the alias definitions use the same
AuthLDAPBindDN, AuthLDAPBindPassword and only slight changes to the ”
AuthLDAPURL” specifying the OU for each grouping.



 



<AuthnProviderAlias ldap CLIENT_ABC><=
/p>

   AuthLDAPBindDN "<Same as
above>"



   AuthLDAPBindPassword "test" >



   AuthLDAPURL
“ldap://util.joesgarage.com:3268/OU=3DClient
ABC,OU=3DExternal,OU=3DALL_Users,DC=3Djoesgarage,DC=3Dcom?sA MAccountName?su=
b?(objectClass=3Duser)”



</AuthnProviderAlias>



 



<AuthnProviderAlias ldap SERVICE_ACCOUNTS><=
/o:p>



   AuthLDAPBindDN "<An admin user DN=
that
can bind/search>"



   AuthLDAPBindPassword "test" >



   AuthLDAPURL
ldap://util.joesgarage.com:3268/OU=3DSERVICE ACCOUNTS,OU=3DInternal,OU=3DAL=
L_Users,DC=3Djoesgarage,DC=3Dcom?sAMAccountName?sub?(objectC lass=3Duser)&qu=
ot;



</AuthnProviderAlias>



 



<AuthnProviderAlias ldap INTERNAL_SUPPORT><=
/o:p>



   AuthLDAPBindDN "<Same as
above>"



   AuthLDAPBindPassword "test" >



   AuthLDAPURL “ldap://util.joesgarage=
..com:3268/OU=3DINTERNAL
SUPPORT,OU=3DInternal,OU=3DALL_Users,DC=3Djoesgarage,DC=3Dco m?sAMAccountNam=
e?sub?(objectClass=3Duser)”



</AuthnProviderAlias>



 



 



Our “Directory” directive is set to try ea=
ch of
these aliases (different OUs in the same directory) in order until a match =
is
found:



 



<Directory “/var/www/html/Client_ABC/”&=
gt;





AuthBasicProvider CLIENT_ABC SERVICE_ACCOUNTS
INTERNAL_SUPPORT



AuthType Basic



AuthName “Client ABC Login”



AuthzLDAPAuthoritative off



Require valid-user



</Directory>



 



This doesn’t seem to work.  I know your thi=
nking –
“why not just use groups”?  Ans: Simply because we donR=
17;t
want to have to maintain groups for our many clients.  We would like t=
o
rely on the client user’s presence in the OU (and allow our service
accounts and support personnel at the same time to all sites) >

 



Is this a bug or is there a better way to accomplish t=
his?



 



Regards,



Brian









--_000_455DEDE840BCCA44840E7033AC282E8847D1B46F8BDSMEX01dsmn et_--

Re: Multiple authentication sources (OUs) -

am 26.10.2009 22:54:22 von Eric Covener

On Mon, Oct 26, 2009 at 5:43 PM, Brian Banaszynski
wrote:

>
> This doesn=92t seem to work.=A0 I know your thinking =96 =93why not just =
use
> groups=94?=A0 Ans: Simply because we don=92t want to have to maintain gro=
ups for
> our many clients.=A0 We would like to rely on the client user=92s presenc=
e in
> the OU (and allow our service accounts and support personnel at the same
> time to all sites)

Any hint about what it does (loglevel debug, or looking at what LDAP
queries it puts on the wire)?

--=20
Eric Covener
covener@gmail.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: Multiple authentication sources (OUs) - AuthnProviderAlias

am 27.10.2009 09:27:19 von Emmanuel Bailleul

>>
>> This doesn't seem to work.=A0 I know your thinking - "why not just use
>> groups"?=A0 Ans: Simply because we don't want to have to maintain groups=
for
>> our many clients.=A0 We would like to rely on the client user's presence=
in
>> the OU (and allow our service accounts and support personnel at the same
>> time to all sites)
>
>Any hint about what it does (loglevel debug, or looking at what LDAP
>queries it puts on the wire)?
>
>--=20
>Eric Covener
>covener@gmail.com

Hi,

Another hint : with this config I don't think you could have identical user=
names in different OUs (just in case).

Emmanuel


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org