Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-11 Thread Rui Miguel Silva Seabra
On 10-02-2010 00:43, Tom Bishop wrote:
 I just need something for apache auth. I have winbind working just
 fine for the other stuff...Thanks

One thing I use is ldaps auth, but it will always demand an auth dialog.

Kerberos ticket support has the advantage that you may avoid that, but
it has the difficulty that you can't have a different username that easily.

Rui
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-11 Thread Tom Bishop
I was able to get LDAP auth working fairly easily, although getting SSL to
work took a little bit more effort due to trying to get the ca.cert from the
SBS server.

On Thu, Feb 11, 2010 at 2:34 AM, Rui Miguel Silva Seabra r...@1407.org wrote:

 On 10-02-2010 00:43, Tom Bishop wrote:
  I just need something for apache auth. I have winbind working just
  fine for the other stuff...Thanks

 One thing I use is ldaps auth, but it will always demand an auth dialog.

 Kerberos ticket support has the advantage that you may avoid that, but
 it has the difficulty that you can't have a different username that easily.

 Rui



Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-11 Thread Christoph Maser
On Wednesday, 10.02.2010, 01:10 +0100, Jay Leafey wrote:
 If you are using AD for JUST authentication and not user information,
 you can use the PAM Kerberos stuff.  We've been using it for a couple of
 years from both CentOS/RHEL 4 and 5 systems with good results.  It was
 actually pretty easy to do (once we figured out which type of chicken
 bones to burn).

If you have that working you can even go without PAM; as Dan mentioned,
you can use the Apache Kerberos module. A short howto is here:
http://wiki.centos.org/HowTos/HttpKerberosAuth

Chris




Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-10 Thread Dan Burkland
  -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of JohnS
 Sent: Wednesday, February 10, 2010 1:31 AM
 To: CentOS mailing list
 Subject: Re: [CentOS] Anyone using Active Driectory auth with Centos
 5.4.?
 
 
 On Tue, 2010-02-09 at 14:21 -0700, Craig White wrote:
  On Tue, 2010-02-09 at 18:08 +, Joseph L. Casale wrote:
   This looks like the way to go, I don't like the username /pass stored
 in plain text but maybe if I create a special group that doesn't really
 have any privileges this would work, geez AD is just plain bad...lol,
 Thanks.
  
   I guess you think insecure would be better? If I understand your need,
 you want
   to make AD insecure, so please enable anonymous binds so you don't
 need a user/pass
   to make the query:)
  
   Or program your own auth backend that binds with the intended creds
 asking for auth:)
   Oh, and do this w/o tls/ssl because you want it insecure:)
  
  seems to me that permitting an anonymous bind to LDAP is inherently more
  secure than requiring a user/password combination so I don't think that
  your explanation is exactly true. In Microsoft's view, the only systems
  querying LDAP would be systems automatically passing the authentication.
 
  Craig
 
 
 Yes it is true, you have to have that for it to work correctly.
 
 John
 

I apologize if this has been mentioned before, but one option would be to use
Apache's Kerberos module for authentication. See the module's SourceForge page
here -- http://modauthkerb.sourceforge.net/configure.html

Regards,

Dan


Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Tom Bishop
I looked it over, and most of it I have already done. The last piece that I am
trying to address is how to do authentication with Apache against Active
Directory; mod_auth_pam is one way, but I have not had any luck getting it to
compile with the latest Apache. Thanks

On Mon, Feb 8, 2010 at 6:49 PM, Arvind P R iin...@gmail.com wrote:

 I had written a blog quite some time back on this. There might be some
 glitches in it, but will give you some clue. The blog is
 blog.Palalinha.Com
 i am sitting at the airport with my mobile so cant find you the
 correct thread in the blog. Let me know if it helps.

 On 2/8/10, Tom Bishop bisho...@gmail.com wrote:
  Setting up a new backuppc for a small group of devices and I am running
  centos 5.4 with winbind setup and working.  Everything is working and I
  would like the users to authenticate using their AD creds and was wondering
  what folks are using to do that with apache 2.2 and centos 5.4.  I know
  about mod_auth_pam but that seems pretty dead so I was just wondering what
  folks were using and what's the easiest to setup.  Any pointers to any how
  to's would be appreciated...Thanks.
 



Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Pat and Lori Boyer
I've had decent luck with LDAP authentication for Apache. AD does not
support anonymous LDAP searches so you have to have a user account that has
the ability to search AD. Here's a modified sample config (.htaccess or
httpd.conf) that includes security group membership checks. This would
require that a user login with their Windows domain username and password
and that the user be a member of the AD security group 'managers':

AuthType              Basic
AuthName              "Windows Domain Credentials - Managers Only"
AuthzLDAPMethod       ldap
AuthzLDAPServer       dc1.example.com
AuthzLDAPBindDN       CN=username,CN=Users,DC=example,DC=com
AuthzLDAPBindPassword superSecretPassword
AuthzLDAPUserBase     CN=Users,DC=example,DC=com
AuthzLDAPUserKey      sAMAccountName
AuthzLDAPUserScope    subtree
AuthzLDAPGroupBase    CN=Users,DC=example,DC=com
AuthzLDAPGroupKey     cn
AuthzLDAPGroupScope   subtree
AuthzLDAPMemberKey    member
AuthzLDAPSetGroupAuth ldapdn
require group managers



On Tue, Feb 9, 2010 at 11:35 AM, Tom Bishop bisho...@gmail.com wrote:

 I looked it over, and most of it I have already done. The last piece that I
 am trying to address is how to do authentication with Apache against Active
 Directory; mod_auth_pam is one way, but I have not had any luck getting it to
 compile with the latest Apache. Thanks


 On Mon, Feb 8, 2010 at 6:49 PM, Arvind P R iin...@gmail.com wrote:

 I had written a blog quite some time back on this. There might be some
 glitches in it, but will give you some clue. The blog is
 blog.Palalinha.Com
 i am sitting at the airport with my mobile so cant find you the
 correct thread in the blog. Let me know if it helps.

 On 2/8/10, Tom Bishop bisho...@gmail.com wrote:
  Setting up a new backuppc for a small group of devices and I am running
  centos 5.4 with winbind setup and working.  Everything is working and I
  would like the users to authenticate using their AD creds and was wondering
  what folks are using to do that with apache 2.2 and centos 5.4.  I know
  about mod_auth_pam but that seems pretty dead so I was just wondering what
  folks were using and what's the easiest to setup.  Any pointers to any how
  to's would be appreciated...Thanks.
 







Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Tom Bishop
This looks like the way to go, I don't like the username /pass stored in
plain text but maybe if I create a special group that doesn't really have
any privileges this would work, geez AD is just plain bad...lol, Thanks.

On Tue, Feb 9, 2010 at 10:57 AM, Pat and Lori Boyer pbo...@gmail.com wrote:

 I've had decent luck with LDAP authentication for Apache. AD does not
 support anonymous LDAP searches so you have to have a user account that has
 the ability to search AD. Here's a modified sample config (.htaccess or
 httpd.conf) that includes security group membership checks. This would
 require that a user login with their Windows domain username and password
 and that the user be a member of the AD security group 'managers':

 AuthType              Basic
 AuthName              "Windows Domain Credentials - Managers Only"
 AuthzLDAPMethod       ldap
 AuthzLDAPServer       dc1.example.com
 AuthzLDAPBindDN       CN=username,CN=Users,DC=example,DC=com
 AuthzLDAPBindPassword superSecretPassword
 AuthzLDAPUserBase     CN=Users,DC=example,DC=com
 AuthzLDAPUserKey      sAMAccountName
 AuthzLDAPUserScope    subtree
 AuthzLDAPGroupBase    CN=Users,DC=example,DC=com
 AuthzLDAPGroupKey     cn
 AuthzLDAPGroupScope   subtree
 AuthzLDAPMemberKey    member
 AuthzLDAPSetGroupAuth ldapdn
 require group managers




 On Tue, Feb 9, 2010 at 11:35 AM, Tom Bishop bisho...@gmail.com wrote:

 I looked it over, and most of it I have already done. The last piece that I
 am trying to address is how to do authentication with Apache against Active
 Directory; mod_auth_pam is one way, but I have not had any luck getting it to
 compile with the latest Apache. Thanks


 On Mon, Feb 8, 2010 at 6:49 PM, Arvind P R iin...@gmail.com wrote:

 I had written a blog quite some time back on this. There might be some
 glitches in it, but will give you some clue. The blog is
 blog.Palalinha.Com
 i am sitting at the airport with my mobile so cant find you the
 correct thread in the blog. Let me know if it helps.

 On 2/8/10, Tom Bishop bisho...@gmail.com wrote:
  Setting up a new backuppc for a small group of devices and I am running
  centos 5.4 with winbind setup and working.  Everything is working and I
  would like the users to authenticate using their AD creds and was wondering
  what folks are using to do that with apache 2.2 and centos 5.4.  I know
  about mod_auth_pam but that seems pretty dead so I was just wondering what
  folks were using and what's the easiest to setup.  Any pointers to any how
  to's would be appreciated...Thanks.
 










Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Joseph L. Casale
> This looks like the way to go, I don't like the username /pass stored in plain
> text but maybe if I create a special group that doesn't really have any
> privileges this would work, geez AD is just plain bad...lol, Thanks.

I guess you think insecure would be better? If I understand your need, you want
to make AD insecure, so please enable anonymous binds so you don't need a
user/pass to make the query:)

Or program your own auth backend that binds with the intended creds asking for
auth:)
Oh, and do this w/o tls/ssl because you want it insecure:)


Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Tom Bishop
Point taken and I do understand. In reality I would rather have nothing to
do with MS, which is insecure from the start; ever try to firewall an SBS
2003 install? Good luck, they recommend turning it off, go figure...lol

On Tue, Feb 9, 2010 at 12:08 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:

 This looks like the way to go, I don't like the username /pass stored in
 plain text but maybe if I create a special group that doesn't really have
 any privileges this would work, geez AD is just plain bad...lol, Thanks.

 I guess you think insecure would be better? If I understand your need, you
 want
 to make AD insecure, so please enable anonymous binds so you don't need a
 user/pass
 to make the query:)

 Or program your own auth backend that binds with the intended creds asking
 for auth:)
 Oh, and do this w/o tls/ssl because you want it insecure:)



Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Craig White
On Tue, 2010-02-09 at 18:08 +, Joseph L. Casale wrote:
 This looks like the way to go, I don't like the username /pass stored in 
 plain text but maybe if I create a special group that doesn't really have 
 any privileges this would work, geez AD is just plain bad...lol, Thanks.
 
 I guess you think insecure would be better? If I understand your need, you 
 want
 to make AD insecure, so please enable anonymous binds so you don't need a 
 user/pass
 to make the query:)
 
 Or program your own auth backend that binds with the intended creds asking 
 for auth:)
 Oh, and do this w/o tls/ssl because you want it insecure:)

Seems to me that permitting an anonymous bind to LDAP is inherently more
secure than requiring a user/password combination, so I don't think that
your explanation is exactly true. In Microsoft's view, the only systems
querying LDAP would be systems automatically passing the authentication.

Craig




Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Joseph L. Casale
> seems to me that permitting an anonymous bind to LDAP is inherently more
> secure than requiring a user/password combination so I don't think that
> your explanation is exactly true.

There are ways to create accounts just for this with reduced privileges.
Research technet...

> In Microsoft's view, the only systems querying LDAP would be systems
> automatically passing the authentication.

Wow, someone actually hacking on MS for expecting us to do things secure?
What will they expect next:)

If they didn't and by default allowed anon binds, someone would surely
say Microsoft sucks, they don't expect us to do this securely, blah blah.

The topic is mute, let's save the list the despair of rehashing the severely
hashed. From the point of view of some, MS will always suck. Changing the
minds of that type of person isn't my interest, I was merely pointing out
some facts surrounding the implementation of the topic at hand. Sorry for
disagreeing with you:)


Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Jay Leafey
If you are using AD for JUST authentication and not user information, 
you can use the PAM Kerberos stuff.  We've been using it for a couple of 
years from both CentOS/RHEL 4 and 5 systems with good results.  It was 
actually pretty easy to do (once we figured out which type of chicken 
bones to burn).


You can use authconfig to turn it all on:

authconfig --enablekrb5 --krb5realm {AD domain name} \
--enablekrb5kdcdns --enablekrb5realmdns --update

This will use DNS to locate the domain controller and KDC for the domain 
given the AD domain name.  You can manually specify the KDC and admin 
servers too, see the authconfig man page for specific details.


If you want something perhaps more polished, you could look into the 
Likewise products, which handle the whole shooting match pretty well 
(http://www.likewise.com/products/likewise_open/).  I've played with the 
Open (free) version and it worked just fine, the Enterprise has more 
features but I haven't played with it.


As always, YMMV.
--
Jay Leafey - Memphis, TN
jay.lea...@mindless.com




Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Tom Bishop
I just need something for apache auth. I have winbind working just
fine for the other stuff...Thanks

On 2/9/10, Jay Leafey jay.lea...@mindless.com wrote:
 If you are using AD for JUST authentication and not user information,
 you can use the PAM Kerberos stuff.  We've been using it for a couple of
 years from both CentOS/RHEL 4 and 5 systems with good results.  It was
 actually pretty easy to do (once we figured out which type of chicken
 bones to burn).

 You can use authconfig to turn it all on:

 authconfig --enablekrb5 --krb5realm {AD domain name} \
  --enablekrb5kdcdns --enablekrb5realmdns --update

 This will use DNS to locate the domain controller and KDC for the domain
 given the AD domain name.  You can manually specify the KDC and admin
 servers too, see the authconfig man page for specific details.

 If you want something perhaps more polished, you could look into the
 Likewise products, which handle the whole shooting match pretty well
 (http://www.likewise.com/products/likewise_open/).  I've played with the
 Open (free) version and it worked just fine, the Enterprise has more
 features but I haven't played with it.

 As always, YMMV.
 --
 Jay Leafey - Memphis, TN
 jay.lea...@mindless.com



Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Craig White
On Tue, 2010-02-09 at 21:29 +, Joseph L. Casale wrote:
 seems to me that permitting an anonymous bind to LDAP is inherently more
 secure than requiring a user/password combination so I don't think that
 your explanation is exactly true.
 
 There are ways to create accounts just for this with reduced privileges.
 Research technet...
 
 In Microsoft's view, the only systems querying LDAP would be systems
 automatically passing the authentication.
 
 Wow, someone actually hacking on MS for expecting us to do things secure?
 What will they expect next:)
 
 If they didn't and by default allowed anon binds, someone would surely
 say Microsoft sucks, they don't expect us to do this securely, blah blah.
 
 The topic is mute, lets save the list the despair of rehashing the severely
 hashed. From the point of view of some, MS will always suck. Changing the
 minds of that type of person isn't my interest, I was merely pointing out
 some facts surrounding the implementation of the topic at hand. Sorry for
 disagreeing with you:)

I just disagree with your parsing and conclusions.

I did not hack on MS for expecting us to do things securely nor did I
say that preventing anonymous binds made it more secure. I think I
actually said the opposite.

Anonymous binds are just that - anonymous binds, and there could easily
be ACLs that govern what you can access without a user/password, but I
think Microsoft is after overall simplicity.

The topic would necessarily be 'moot' and not 'mute' and I was
uncomfortable with the notion that you were chiding the OP for thinking
that an anonymous bind was less secure - in most instances, it is a more
secure option... especially for his usage. If he could bind anonymously,
he could bind, let the user supply the account/password, authenticate
and thus no account information would be necessary in the config files
so it speaks directly to the OP's desires.

Better security.

Craig



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
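The two-step login that Pat's mod_authz_ldap config performs (service-account search for the user, then a bind as the user's own DN, then a check of the group's member attribute) and that Craig and Joseph debate above, written out as an added example. This is not code from any poster in the thread nor from mod_authz_ldap; FakeDirectory is a constructed in-memory stand-in for a domain controller, and the account names, passwords and the names escape_filter_value, LdapAuthenticator and find_user_dn are assumptions of this example. The DNs follow the thread's sample config. It also shows the check a module needs when it builds the search filter from the login name: without RFC 4515 escaping, a name such as "a*" turns into a wildcard assertion.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _assertion_to_regex(pattern: str):
    # Interpret a filter assertion value as a server does: an unescaped '*' is a
    # wildcard, '\XX' is a literal character; AD matches names case-insensitively.
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if ch == "*" else re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)
    password: Optional[str] = None  # None: the object cannot bind (e.g. a group)


class FakeDirectory:
    """Constructed in-memory stand-in for a domain controller's LDAP service."""

    def __init__(self, entries: List[Entry]):
        self._by_dn = {e.dn.lower(): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        e = self._by_dn.get(dn.lower())
        return e is not None and e.password is not None and password == e.password

    def search(self, base: str, attr: str, assertion: str) -> List[Entry]:
        rx = _assertion_to_regex(assertion)
        return [e for e in self._by_dn.values()
                if e.dn.lower().endswith(base.lower())
                and any(rx.match(v) for v in e.attrs.get(attr, []))]


class LdapAuthenticator:
    """The flow behind AuthzLDAPBindDN, AuthzLDAPUserKey and AuthzLDAPMemberKey."""

    def __init__(self, directory, bind_dn, bind_pw, user_base, group_base):
        self.dir, self.bind_dn, self.bind_pw = directory, bind_dn, bind_pw
        self.user_base, self.group_base = user_base, group_base

    def find_user_dn(self, username: str, escape: bool = True) -> Optional[str]:
        # Step 1: the low-privilege service account looks the user up (AD does
        # not allow this search anonymously).
        if not self.dir.bind(self.bind_dn, self.bind_pw):
            raise RuntimeError("service account bind failed")
        value = escape_filter_value(username) if escape else username
        hits = self.dir.search(self.user_base, "sAMAccountName", value)
        return hits[0].dn if len(hits) == 1 else None  # unknown or ambiguous: refuse

    def authenticate(self, username: str, password: str,
                     required_group: Optional[str] = None) -> bool:
        # An empty password must never reach the server: a bind with a DN and no
        # password is an unauthenticated bind, which the server reports as success.
        if not password:
            return False
        user_dn = self.find_user_dn(username)
        # Step 2: prove the password by binding as the user's own DN.
        if user_dn is None or not self.dir.bind(user_dn, password):
            return False
        if required_group is None:
            return True
        # Step 3: the group's member attribute must list the user's DN.
        for group in self.dir.search(self.group_base, "cn",
                                     escape_filter_value(required_group)):
            if user_dn.lower() in (m.lower() for m in group.attrs.get("member", [])):
                return True
        return False


# Constructed sample data; DNs follow the thread's example config.
USERS = "CN=Users,DC=example,DC=com"
SAMPLE_DIRECTORY = FakeDirectory([
    Entry("CN=svc-apache," + USERS, {"sAMAccountName": ["svc-apache"]}, "svc-secret"),
    Entry("CN=Alice Adams," + USERS, {"sAMAccountName": ["alice"]}, "alice-pw"),
    Entry("CN=Bob Brown," + USERS, {"sAMAccountName": ["bob"]}, "bob-pw"),
    Entry("CN=managers," + USERS, {"cn": ["managers"],
                                   "member": ["CN=Alice Adams," + USERS]}),
])
AUTH = LdapAuthenticator(SAMPLE_DIRECTORY, "CN=svc-apache," + USERS, "svc-secret",
                         USERS, USERS)
```

AUTH.authenticate("alice", "alice-pw", "managers") succeeds and the same call for "bob" fails on the group check; AUTH.find_user_dn("a*", escape=False) returns Alice's DN because the wildcard matched, while the escaped lookup returns None. Against a real domain controller the same three operations would be issued over LDAPS with python-ldap or ldap3, with the service account given read-only rights and the file holding its password readable only by root and the httpd user, which is the reduced-privilege account Joseph refers to.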


Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread Stephen Carville
On Mon, Feb 8, 2010 at 8:18 AM, Tom Bishop bisho...@gmail.com wrote:
 Setting up a new backuppc for a small group of devices and I am running
 centos 5.4 with winbind setup and working.  Everything is working and I
 would like the users to authenticate using their AD creds and was wondering
 what folks are using to do that with apache 2.2 and centos 5.4.  I know
 about mod_auth_pam but that seems pretty dead so I was just wondering what
 folks were using and what's the easiest to setup.  Any pointers to any how
 to's would be appreciated...Thanks.

This works for me:

  PerlModule Authen::Simple::Apache

  PerlModule Authen::Simple::ActiveDirectory
  PerlSetVar AuthenSimpleActiveDirectory_host mydc.inside.net
  PerlSetVar AuthenSimpleActiveDirectory_principal mydomain

  <Directory /var/www/whatever>
    PerlAuthenHandler Authen::Simple::ActiveDirectory

    AuthType Basic
    AuthName "Sekret Playce"
    require valid-user

  </Directory>

-- 
Stephen Carville


Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-09 Thread JohnS

On Tue, 2010-02-09 at 14:21 -0700, Craig White wrote:
 On Tue, 2010-02-09 at 18:08 +, Joseph L. Casale wrote:
  This looks like the way to go, I don't like the username /pass stored in 
  plain text but maybe if I create a special group that doesn't really have 
  any privileges this would work, geez AD is just plain bad...lol, Thanks.
  
  I guess you think insecure would be better? If I understand your need, you 
  want
  to make AD insecure, so please enable anonymous binds so you don't need a 
  user/pass
  to make the query:)
  
  Or program your own auth backend that binds with the intended creds asking 
  for auth:)
  Oh, and do this w/o tls/ssl because you want it insecure:)
 
 seems to me that permitting an anonymous bind to LDAP is inherently more
 secure than requiring a user/password combination so I don't think that
 your explanation is exactly true. In Microsoft's view, the only systems
 querying LDAP would be systems automatically passing the authentication.
 
 Craig


Yes it is true, you have to have that for it to work correctly.

John



[CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-08 Thread Tom Bishop
Setting up a new backuppc for a small group of devices and I am running
centos 5.4 with winbind setup and working.  Everything is working and I
would like the users to authenticate using their AD creds and was wondering
what folks are using to do that with apache 2.2 and centos 5.4.  I know
about mod_auth_pam but that seems pretty dead so I was just wondering what
folks were using and what's the easiest to setup.  Any pointers to any how
to's would be appreciated...Thanks.


Re: [CentOS] Anyone using Active Driectory auth with Centos 5.4.....?

2010-02-08 Thread Arvind P R
I had written a blog quite some time back on this. There might be some
glitches in it, but will give you some clue. The blog is
blog.Palalinha.Com
i am sitting at the airport with my mobile so cant find you the
correct thread in the blog. Let me know if it helps.

On 2/8/10, Tom Bishop bisho...@gmail.com wrote:
 Setting up a new backuppc for a small group of devices and I am running
 centos 5.4 with winbind setup and working.  Everything is working and I
 would like the users to authenticate using their AD creds and was wondering
 what folks are using to do that with apache 2.2 and centos 5.4.  I know
 about mod_auth_pam but that seems pretty dead so I was just wondering what
 folks were using and what's the easiest to setup.  Any pointers to any how
 to's would be appreciated...Thanks.
