Home / server / Questions / 312281
Accepted
Selivanov Pavel
Asked: 2011-09-17 09:28:05 +0800 CST

Apache authentication from multiple domains in AD with mod_authn_alias

  • 772

I'm running Apache 2 and I need to authentificate users from multiple AD domains in one <Location/>. I tried using mod_authn_alias

ОС: Debian GNU/Linux Squueze with lastest updates
Apache/2.2.16

Modules

/etc/apache2/apache.conf:

<AuthnProviderAlias ldap first-ldap>
    AuthLDAPURL "ldap://win2003server:389/DC=first,DC=domain?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "cn=user1,cn=Users,dc=first,dc=domain"
    AuthLDAPBindPassword "user1"
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthLDAPURL "ldap://win2008server:3268/DC=second,DC=domain?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "cn=user2,cn=Users,dc=second,dc=domain"
    AuthLDAPBindPassword "user2"
</AuthnProviderAlias>

/etc/apache2/sites-enabled/000default:

<Location /test>

    Order allow,deny
    Allow from all

    Authtype Basic
    AuthBasicProvider first-ldap second-ldap
    AuthName "TEST"
    AuthzLDAPAuthoritative off
    require valid-user

</Location>

With this configuration it authentificates users from first domain, and for users from second domain it igves an error:

 [Fri Sep 16 20:54:39 2011] [info] [client 10.0.0.62] [25672] auth_ldap authenticate: user2 user2 authentication failed; URI /test/ [ldap_simple_bind_s() to check user2 credentials failed][Invalid credentials]

When I leave only AuthBasicProvider second-ldap users from second domain can authntificate successfully, so second domain LDAP is OK.

Does any one know solution to force mod_authn_alias to work?

apache-2.2 mod-auth-ldap mod-authn-alias

2 Answers

  1. I don't know how to make Apache do what you want. However, you can set up OpenLDAP as a proxy in front of multiple AD instances using either the ldap or meta backends, and this will get you effectively the same behavior. You point Apache at your OpenLDAP proxy, and then OpenLDAP talks to your AD servers.

    Here is my write-up on using the meta backend. This is more of a starting point than an actual solution.

    I'm actually using OpenLDAP as a proxy right now to authenticate against three separate directories -- one AD domain, one remote LDAP server, and a local LDAP directory.

    • 1
  2. Best Answer

    I have found way to solution here: authenticating-apache-httpd-against-multiple-ldap-servers-with-expired-accounts

    I used for testing user account from second domain, that had namesake disabled account in first domain. Deletion of disabled account helped, but deleting accounts in AD domain is bad practice: you can receive objects with unknown security descriptors. I created LDAP filter for elimination of disabled users, and now everything works fine :)

    /etc/apache2/apache2.conf:

    <AuthnProviderAlias ldap first-ldap>
    AuthLDAPURL "ldap://win2003server:389/DC=first,DC=domain?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" NONE
    AuthLDAPBindDN "cn=user1,cn=Users,dc=first,dc=domain"
    AuthLDAPBindPassword "user1"
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthLDAPURL "ldap://win2008server:3268/DC=second,DC=domain?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user))" NONE
    AuthLDAPBindDN "cn=user2,cn=Users,dc=second,dc=domain"
    AuthLDAPBindPassword "user2"
</AuthnProviderAlias>

    Note, that this filter works for AD domain with functional level "windows 2000 native", and doesn't work for AD domain with functional level "windows server 2003", I don't know why.

    • 0