Kevin Kovach wrote:
Yeah, this was the kind of info I was looking for.
I just downloaded the newest Apache 2.2 server and was going to give
it a go at implementing the included mod_authnz_ldap with FDS. I was
planning on compiling everything from scratch, and wasn't sure if I
could compile everything against the FDS/NS ldap libraries or if I
needed to compile some or all of it against the OpenLDAP client
libraries.
From Richard's comments it sounds like I should just concentrate on
compiling everything against the OpenLDAP libs. However, you mention
using NSS for encryption. I'm unsure if using the OpenLDAP libs will
limit me in some way?
No, not really. OpenLDAP uses OpenSSL for crypto. You can convert your
certs from that format to the NSS format and vice versa if needed. If
you were running in a paranoid secure environment, you probably wouldn't
be asking me these questions :-)
If we have control over the Apache compilation is there an
advantage/disadvantage to compiling against the FDS/NS libs rather
than OpenLDAP? I apologize if that's too vague a question. :-) Thanks.
I think it's probably simpler and easier to use the OpenLDAP ones. Then
you can just use the standard Apache binaries that come with most OS
distros.
- Kevin
On 1/25/06, Richard Megginson <rmeggins(a)redhat.com> wrote:
Robert Ludvik wrote:
>Kevin Kovach wrote:
>
>>The HowTo for integration with Apache
>>(http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently
>>blank. Can somebody advise on another source for information on getting
>>some type of mod_authnz_ldap working between FDS and Apache? Thanks.
>>
>>- Kevin
>>
>
>I made it this way (see attachment). Hope it helps.
>Bye
>Robert Ludvik
>
>
>------------------------------------------------------------------------
>
>Information source:
>http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html#conf
>
>Download modauthldap_apache2.tar.gz and unpack it in /usr/local/src
>In /usr/local/src/modauthldap_apache2 run:
>
>./configure --with-ldap-dir=/opt/fedora-ds/shared --with-apxs=/usr/sbin/apxs
>make
>make install
>
>Check httpd.conf:
>LoadModule ldap_module modules/mod_ldap.so
>LoadModule auth_ldap_module /usr/lib/httpd/modules/mod_auth_ldap.so
>
>I had to copy these files manually:
>cp /opt/fedora-ds/shared/lib/libprldap50.so /lib/
>cp /opt/fedora-ds/shared/lib/libldap50.so /lib/
>cp /opt/fedora-ds/shared/lib/libssldap50.so /lib/
>
>
What version of Apache is this? Note that some versions of Apache are
linked directly against /usr/lib/libldap*.so which is the OpenLDAP API
library. You may run into strange problems if you have both the Mozilla
(Fedora DS) and OpenLDAP libs linked into Apache - the APIs, while
similar, are not compatible and you will run into strange errors. It is
for this reason that I recommend just using the default OpenLDAP
libraries with mod_ldap and mod_auth_ldap. (Fedora DS Admin Server does
use the Mozilla LDAP libs despite the fact that Apache is linked with
the OpenLDAP ones - we have to jump through hoops like using LD_PRELOAD
- but we do not use any other LDAP modules at all, and we have to use
the Mozilla ones because we must use NSS for crypto).
>In httpd.conf add the folder for which you want to have LDAP authentication:
>
><Directory "/var/www/html/a">
>Options Indexes FollowSymLinks
>AllowOverride None
>order allow,deny
>allow from all
># Q: I get an error message like reason: unknown require directive:
># "xxxxxxx". What's the problem?
># A: Use the directive AuthAuthoritative Off
>AuthAuthoritative Off
>AuthName "Only for nice people ;-)"
>AuthType Basic
>#AuthOnBind Off
>#Sub_DN ou=CIS,ou=People
>#LDAP_Persistent On
>#Bind_Tries 5
>#LDAP_Debug On
>#LDAP_Protocol_Version 3
>#LDAP_Deref NEVER
>#LDAP_StartTLS On
>LDAP_Server dserver.domain.com
>#LDAP_Server 192.168.1.1
>LDAP_Port 389
># Connect timeout in seconds
>#LDAP_Connect_Timeout 3
># If SSL is on, must specify the LDAP SSL port, usually 636
>#LDAP_Port 636
>#LDAP_CertDbDir /usr/foo/ssl
>Base_DN "dc=domain,dc=com"
># If your configuration allows anonymous access you don't have to set
># Bind_DN
>#Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
>#Bind_Pass "secret"
>UID_Attr uid
>#UID_Attr_Alt "mail"
>#Group_Attr uniqueMember
>#SupportNestedGroups Off
># You also need one of the require statements:
># any valid user:
>#require valid-user
># OR these users:
>#require user muquit foo bar "john doe"
># OR users that match some condition:
>#require roomnumber "123 Center Building"
># OR filter:
>#require filter "(&(telephonenumber=1234)(roomnumber=123))"
># for a group of users (NOTE, without dc=domain,dc=com)
>require group cn=my_group,ou=Groups
></Directory>
>
>Restart Apache:
>apachectl restart
>
>
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
Take back the web,
http://www.switch2firefox.com/
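A check for the mixed-library problem Richard describes (httpd linked against both the OpenLDAP and the Mozilla/Fedora DS LDAP client libraries), added here as an example and not part of the thread: it pools `ldd` output for the httpd binary and its modules and reports which library family is present. The httpd and modules paths are assumptions for a typical build; the sample `ldd` output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: detect the situation Richard warns
# about, where one httpd process links both the OpenLDAP client library
# (libldap-2.x / liblber) and the Mozilla/Fedora DS one (libldap50,
# libprldap50, libssldap50). Paths passed in below are assumptions.

# classify_ldap_libs: read ldd-style output on stdin and report which LDAP
# client library families are present: openldap, mozilla, both or none.
classify_ldap_libs() {
    openldap=0
    mozilla=0
    while IFS= read -r line; do
        case "$line" in
            *libldap50.so*|*libprldap50.so*|*libssldap50.so*) mozilla=1 ;;
            *libldap-2.*.so*|*libldap.so*|*liblber*) openldap=1 ;;
        esac
    done
    if [ "$openldap" -eq 1 ] && [ "$mozilla" -eq 1 ]; then echo both
    elif [ "$openldap" -eq 1 ]; then echo openldap
    elif [ "$mozilla" -eq 1 ]; then echo mozilla
    else echo none
    fi
}

# check_httpd_ldap_libs HTTPD_BIN MODULES_DIR: pool ldd output for the server
# binary and every module .so, since a module (mod_ldap.so, mod_auth_ldap.so)
# can drag in the second library family even when httpd itself is clean.
check_httpd_ldap_libs() {
    {
        ldd "$1" 2>/dev/null || true
        for mod in "$2"/*.so; do
            if [ -f "$mod" ]; then ldd "$mod" 2>/dev/null || true; fi
        done
    } | classify_ldap_libs
}

# Constructed ldd output (not captured from a real system) showing both
# families loaded, i.e. the setup that produces the strange errors.
SAMPLE_LDD_MIXED='libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00111000)
liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00222000)
libldap50.so => /lib/libldap50.so (0x00333000)
libprldap50.so => /lib/libprldap50.so (0x00444000)
libc.so.6 => /lib/libc.so.6 (0x00555000)'

# Constructed output for an httpd built only against OpenLDAP.
SAMPLE_LDD_OPENLDAP='libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00111000)
libc.so.6 => /lib/libc.so.6 (0x00555000)'

printf '%s\n' "$SAMPLE_LDD_MIXED" | classify_ldap_libs   # prints: both
```

On a live system run `check_httpd_ldap_libs /usr/sbin/httpd /usr/lib/httpd/modules` (adjust paths to your build); anything other than a single family means a module is pulling in the other LDAP API.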