I'm going to have an Ubuntu 11.10 box in a customer's data center running a custom webapp. The customer will not have ssh access to the box, but will need authentication and authorization to access the webapp. The customer needs to have the option of either pointing the webapp at something that we've installed locally on the machine, or to use an Active Directory server that they have. I plan on using a standard "users belong to groups; groups have sets of permissions; the webapp requires certain permissions to respond" auth setup.
What software stack can I install locally that will allow an easy switch to and from an Active Directory server, while keeping the configuration as simple as possible (both for me and the end customer)?
I would like to use as much off-the-shelf software for this as possible; I do not want to be in the business of keeping user passwords secure. I could see handling the user/group/permission relationships myself if there is not a good out-of-the-box solution (but that seems highly unlikely).
I will accept answers in the form of links to "here is what you need" pages, but not "here is what Kerberos does" unless that page also tells me if it's required for my use case (essentially, I know that AD can speak Kerberos, but I can't tell if I need it to, or if I can just use LDAP, or...).
LDAP all the way. Use an SSL/TLS simple bind to LDAP on the AD servers and you should be good to go. This works very well. If you need to replicate that functionality locally, OpenLDAP should serve you pretty well as well.
It's not clear at what level you are trying to authenticate your clients; assuming from the tags, your "webapp" is written in Python.
OS Level
If you need to authenticate at OS level then I would suggest likewiseopen client for Ubuntu. It's hassle free and will get you authenticating against AD in minutes.
Web Server Level
If you want to authenticate at web server level and are using Apache, then enable the LDAP modules and add the following to your vhost config:
More details here
This will prompt you to authenticate when you try to load a URL to your "webapp".
Python
If you want to authenticate inside your application then you would need to look for python modules that can do it for you. Here is one.
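Pulling the two answers above together (a TLS simple bind to the directory, with authentication done inside the Python application), here is an added example of what that layer can look like. It is not code from any answer on this page. It assumes the ldap3 package for the real backend, uses placeholder hostnames and DNs, and switches between Active Directory and a local OpenLDAP purely by swapping a settings dict; an in-memory stand-in directory with constructed accounts lets the module run offline.

```python
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol, Set, Tuple

# Constructed settings (placeholder hosts and DNs). Only this dict changes when
# the customer switches between the local OpenLDAP and their Active Directory.
ACTIVE_DIRECTORY = {
    "host": "ad.example.local",
    "port": 636,                                      # LDAPS only: a simple bind sends the password
    "base_dn": "DC=example,DC=local",
    "bind_dn_template": "{username}@example.local",   # AD accepts the UPN as the bind name
    "user_attr": "sAMAccountName",
    "group_attr": "memberOf",
}
LOCAL_OPENLDAP = {
    "host": "localhost",
    "port": 636,
    "base_dn": "dc=example,dc=local",
    "bind_dn_template": "uid={username},ou=people,dc=example,dc=local",
    "user_attr": "uid",
    "group_attr": "memberOf",                         # needs the memberof overlay on OpenLDAP
}

# Constructed group -> permission map. It lives in the app, so the directory only
# has to answer "who is this and which groups are they in". Keys are lower-cased
# because LDAP DNs compare case-insensitively.
GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "cn=webapp-admins,ou=groups,dc=example,dc=local": {"read", "write", "admin"},
    "cn=webapp-users,ou=groups,dc=example,dc=local": {"read"},
}


class Directory(Protocol):
    def authenticate(self, username: str, password: str) -> Optional[List[str]]:
        """Return the user's group DNs on success, None on any failure."""


class LdapDirectory:
    """Real backend: bind as the user over TLS, then read that user's groups."""

    def __init__(self, settings: dict):
        self.s = settings

    def authenticate(self, username: str, password: str) -> Optional[List[str]]:
        # A simple bind with an empty password is an "unauthenticated bind" that
        # directories commonly treat as anonymous success, so refuse it up front.
        if not username or not password:
            return None
        import ldap3                                      # assumed dependency, imported lazily
        from ldap3.core.exceptions import LDAPException
        from ldap3.utils.conv import escape_filter_chars  # prevents LDAP filter injection
        server = ldap3.Server(self.s["host"], port=self.s["port"], use_ssl=True)
        try:
            conn = ldap3.Connection(
                server, user=self.s["bind_dn_template"].format(username=username),
                password=password, authentication=ldap3.SIMPLE, auto_bind=True)
            conn.search(self.s["base_dn"],
                        "(%s=%s)" % (self.s["user_attr"], escape_filter_chars(username)),
                        attributes=[self.s["group_attr"]])
            entries = conn.entries
            conn.unbind()
        except LDAPException:
            return None
        if not entries:
            return None
        return list(entries[0][self.s["group_attr"]].values)


class InMemoryDirectory:
    """Stand-in directory holding constructed accounts so the example runs offline."""

    def __init__(self, accounts: Dict[str, Tuple[str, List[str]]]):
        self.accounts = accounts                          # username -> (password, group DNs)

    def authenticate(self, username: str, password: str) -> Optional[List[str]]:
        rec = self.accounts.get(username)
        if rec is None or not password or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return None
        return list(rec[1])


USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")   # keeps usernames out of DN/filter syntax


@dataclass
class AuthService:
    directory: Directory
    group_permissions: Dict[str, Set[str]] = field(default_factory=lambda: GROUP_PERMISSIONS)

    def login(self, username: str, password: str) -> Optional[Dict]:
        """Return a session record (what the webapp keeps server-side) or None."""
        if not USERNAME_RE.fullmatch(username):
            return None
        groups = self.directory.authenticate(username, password)
        if groups is None:
            return None
        perms: Set[str] = set()
        for dn in groups:
            perms |= self.group_permissions.get(dn.lower(), set())
        return {"user": username, "permissions": frozenset(perms)}

    @staticmethod
    def is_allowed(session: Optional[Dict], required: Set[str]) -> bool:
        return session is not None and required <= session["permissions"]


# Constructed accounts for the offline run. Against a real directory this becomes
# AuthService(LdapDirectory(ACTIVE_DIRECTORY)) or AuthService(LdapDirectory(LOCAL_OPENLDAP)).
DEMO = AuthService(InMemoryDirectory({
    "alice": ("correct horse", ["CN=webapp-admins,OU=Groups,DC=example,DC=local"]),
    "bob":   ("battery staple", ["CN=webapp-users,OU=Groups,DC=example,DC=local"]),
}))


def can(username: str, password: str, required: Set[str]) -> bool:
    return DEMO.is_allowed(DEMO.login(username, password), required)


if __name__ == "__main__":
    print(can("alice", "correct horse", {"admin"}))   # True
    print(can("bob", "battery staple", {"write"}))    # False
    print(can("bob", "", {"read"}))                   # False: empty password refused
```

The webapp never sees the password after `login`; it keeps the returned session record and calls `is_allowed` with the permission set each view requires. The two guards worth keeping whichever directory is behind it are the empty-password refusal (an empty simple bind is an anonymous bind, not a failed one) and the filter escaping of the username before it is placed in the search.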
If you use PHP for the web app, you can use PHP LDAP auth for AD: http://adldap.sourceforge.net/