Hello,
This is a real newbie question ::)
I have configured apache httpd to use LDAP for basic authentication (userid and password). I am not sure what the directory DN should look like when using "uid" rather than "cn"?
In my LDAP directory I have:
dn: cn=Christine Smith,ou=ELOGAccounts,ou=RavenApps,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: uidObject
cn: Christine Smith
sn: Smith
uid: christine
userPassword:: Y2hyaXN0aW5l
Where do I put the "uid" so that when the httpd sends over the uid the ldap server will search on it?
Thank you, Mary
Hi Mary,
If this is similar to ssh auth against LDAP using uid, the dn would look like the following:
dn: uid=christine,ou=ELOGAccounts,ou=RavenApps,dc=my-domain,dc=com
Now I am not sure how Apache does the lookup, but if I am wrong, maybe someone else can reply.
Regards /Cole
Hi,
Maybe this will help you. I am using this for testing purposes and I am sure that there are some more secure examples but ... This is a test user, test group and test apache2 config part:
User:
dn: uid=ptest,ou=CS,ou=Policy,ou=SDM,dc=lab,dc=os
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 27782
givenName: Proba
sn: Test
displayName: Proba Test
uid: ptest
homeDirectory: /home/ptest
gecos: This is a test user
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: Proba Test
uidNumber: 51893
userPassword: {SSHA}sdssdske38734mjfFGGHJJ23434dsdsfs=
mail: testproba@gmail.com
Group:
dn: cn=proba,ou=Posix,ou=Groups,ou=SDM,dc=lab,dc=os
objectClass: posixGroup
objectClass: top
cn: proba
memberUid: ptest
memberUid: labadmin
gidNumber: 28370
Apache config:
<Directory /var/www>
    #Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig
    Order allow,deny
    allow from all
</Directory>
<Location />
    AuthType Basic
    AuthName "Software"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://192.168.15.140:389/ou=SDM,dc=lab,dc=os?uid"
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=proba,ou=Posix,ou=Groups,ou=SDM,dc=lab,dc=os
</Location>
Thank you very much. I think I would like to avoid the use of posixAccount and shadowAccount. Does anyone have a simpler LDIF containing uid and password?
Also, how does Apache httpd pick up the value for "uid"?
Thank you, Mary
On Wed, 23 Mar 2016 14:40:41 +0000 (UTC), Mary Kao wmcic@yahoo.com wrote:
> Thank you very much. I think I would like to avoid the use of posixAccount and shadowAccount. Does anyone have a simpler LDIF containing uid and password?
As your object provides an attribute 'uid:christine', you don't have to rewrite the DN; man slapd.conf(5) provides some hints on how to solve your problem. In particular, read up on authid-rewrite and authz-regexp.
> Also, how does Apache httpd pick up the value for "uid"?
This depends on the Apache module configured, but you may read up on Apache mod_authnz_ldap, as mod_auth_ldap is not supported any more. http://httpd.apache.org/docs/current/howto/auth.html
-Dieter
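Added example, not part of any message in this thread: a sketch of the search-then-bind lookup that mod_authnz_ldap documents, showing that the attribute after `?` in AuthLDAPURL is what the login name is matched against, so the `cn=Christine Smith` entry is found by `uid` without renaming it. The function names, the host `ldap.example.com` and the in-memory entry list standing in for the directory are assumptions, and the equality match is a simplification of a real LDAP search.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attribute, scope, extra = (unquote(f) for f in fields)
    return {
        "host": parts.hostname,
        "port": parts.port or 389,
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",        # module default
        "scope": scope or "sub",                # module default
        "filter": extra or "(objectClass=*)",   # module default
    }

def search_filter(cfg, username):
    """Filter used in the search phase: configured filter AND attribute=login name."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))

def find_bind_dn(cfg, username, entries):
    """Return the DN to bind as with the user's password; None unless exactly one match."""
    base = cfg["base"].lower()
    hits = []
    for dn, attrs in entries:
        in_subtree = dn.lower() == base or dn.lower().endswith("," + base)
        values = [v.lower() for v in attrs.get(cfg["attribute"], [])]
        if in_subtree and username.lower() in values:
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None

# Constructed stand-in for the directory, holding the entry from the first message.
ENTRIES = [("cn=Christine Smith,ou=ELOGAccounts,ou=RavenApps,dc=my-domain,dc=com",
            {"cn": ["Christine Smith"], "uid": ["christine"]})]
# Assumed URL for that directory; the host name is a placeholder.
MARY_URL = "ldap://ldap.example.com/ou=RavenApps,dc=my-domain,dc=com?uid"

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(MARY_URL)
    print(search_filter(cfg, "christine"))
    print(find_bind_dn(cfg, "christine", ENTRIES))
```

The second phase is a simple bind with the password the browser sent, so over plain `ldap://` and plain HTTP that password crosses both connections unencrypted unless TLS is enabled on each.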
openldap-technical@openldap.org