Published on 2008-12-31 in Apache.
<Directory /path/to/top/secret/area>
    AuthName "Top Secret Area"
    AuthType Basic
    AuthBasicProvider ldap
    # Off lets other authorization modules have a say if the LDAP check fails;
    # set to On to make the group requirement final.
    AuthzLDAPAuthoritative Off
    # server, base DN, attribute holding the login name, scope, filter; the trailing
    # NONE is the connection type (NONE, SSL for ldaps://, or TLS for STARTTLS)
    AuthLDAPURL "ldap://example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    # service account Apache binds as to look up users (AD accepts the UPN form)
    AuthLDAPBindDN apacheldapauth@example.com
    AuthLDAPBindPassword mypassword
    # the group the authenticated user must belong to (the DN has to be exact)
    Require ldap-group cn=Admins,ou=Groups,DC=example,DC=com
</Directory>
In this example, I am password-protecting /path/to/top/secret/area. The AuthLDAPURL directive contains the address of your Active Directory server (ldap://example.com:389), the base DN to search (DC=example,DC=com), and the LDAP attribute that holds the user’s login name (sAMAccountName). To perform that search, Apache first binds to Active Directory with the service account given in AuthLDAPBindDN and AuthLDAPBindPassword. If exactly one matching user is found, Apache verifies the password by binding again as that user’s DN, and finally checks that the DN is a member of the required group (cn=Admins,ou=Groups,DC=example,DC=com).
There’s nothing special about this example so far as it relates to Active Directory; the same config should work on any LDAP server. The real key to making it work with Active Directory is adding the following to /etc/openldap/ldap.conf:
Note that since the bind password is stored in plain text, make sure your Apache config file can only be read by authorized users, and give that service account nothing beyond read access to the directory. Keep in mind, too, that HTTP Basic authentication and an LDAP simple bind over ldap:// both carry passwords in the clear: serve this area over HTTPS, and prefer ldaps:// (connection type SSL) or STARTTLS (connection type TLS) to the domain controller.
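Before reloading Apache it pays to run the same three directory operations by hand, because a wrong base DN, group DN or service-account password all produce the same "authentication failed" in the error log. The script below is an added example for this post (not the author’s code): it builds the user search the way mod_authnz_ldap does from the AuthLDAPURL above, including the RFC 4515 escaping Apache applies to the login name, then checks the user’s password and the group membership with ldapsearch. The server, DNs and password are the post’s placeholders; ldapsearch from OpenLDAP is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: run the lookups mod_authnz_ldap
# performs for the configuration above by hand, so the bind account, base DN,
# login attribute and group DN are verified before Apache is reloaded.
# Server, DNs and password are the post's placeholders; ldapsearch is assumed.
# Like Apache's config, this binds in the clear; add -ZZ (STARTTLS) in production.

LDAP_URI="ldap://example.com:389"
BASE_DN="DC=example,DC=com"
BIND_DN="apacheldapauth@example.com"
BIND_PW="mypassword"
GROUP_DN="cn=Admins,ou=Groups,DC=example,DC=com"
LOGIN_ATTR="sAMAccountName"
BASE_FILTER="(objectClass=*)"

# RFC 4515 escaping of the filter metacharacters mod_authnz_ldap escapes in the
# supplied login name, so a user typing "*)(cn=*" cannot widen the search.
# Backslash goes first so the escapes added afterwards are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The search filter Apache derives from the URL: (&<filter>(<attribute>=<user>))
user_filter() {
    printf '(&%s(%s=%s))' "$BASE_FILTER" "$LOGIN_ATTR" "$(ldap_escape "$1")"
}

# Step 1: bind as the service account and search for the user, as Apache does.
find_user_dn() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" -s sub "$(user_filter "$1")" dn | sed -n 's/^dn: //p'
}

# Step 2: verify the password the way Apache does, by binding as the user's DN
# (-W prompts for it rather than exposing it on the command line).
check_user_password() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$1" -W -b "$1" -s base dn >/dev/null
}

# Step 3: the "Require ldap-group" test: is the user's DN a value of the group's
# member attribute? Apache uses an LDAP compare; this base search is equivalent.
is_group_member() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$GROUP_DN" -s base "(member=$(ldap_escape "$1"))" dn | grep -q '^dn:'
}

preflight() {
    user_dn=$(find_user_dn "$1")
    [ -n "$user_dn" ] || { echo "no user matched $(user_filter "$1")"; return 1; }
    echo "found: $user_dn"
    check_user_password "$user_dn" || { echo "password rejected for $user_dn"; return 1; }
    if is_group_member "$user_dn"; then
        echo "member of $GROUP_DN: Apache will grant access"
    else
        echo "not in $GROUP_DN: Apache will deny access"; return 1
    fi
}

# Usage: sh ldap-preflight.sh jdoe
if [ "$#" -ge 1 ]; then preflight "$1"; fi
```

If step 1 returns referrals instead of an entry, the base DN or the bind account is at fault, not Apache; if step 3 fails for a user who is visibly in the group, compare the DN printed in step 1 character by character with the one in your Require line.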
Published on 2008-12-23 in Apache.
User: The web interface doesn’t work.
Mike: Type “https” instead of “http.”
User: Oh yeah, now it works.
A quick exchange like this is not a big deal on its own, but as every sysadmin knows, little things like this can add up and become annoying very quickly (for all parties involved). I find that if I can prevent these little distractions from happening in the first place, everyone is a little happier and more productive.
One way I accomplish this is by not expecting users to remember which sites need to be accessed via SSL and which do not. I just allow them to connect to everything on port 80, then I let mod_rewrite redirect them to the SSL version as needed:
<Location "/">
    RewriteEngine On
    # only rewrite cleartext requests; the rule is a no-op on the SSL vhost
    RewriteCond %{HTTPS} off
    # send the client to the same host and path over HTTPS with an explicit,
    # permanent redirect. %{HTTP_HOST} is whatever the client put in its Host
    # header; use %{SERVER_NAME} (with UseCanonicalName On) to pin the target.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>
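Once the rule is in place, it is worth confirming from a client that cleartext requests really are redirected and where they are sent. The script below is an added example for this post (not the author’s code): it fetches the response headers with curl, checks that the status is a redirect to https:// on the same host with the path preserved, and then repeats the request with a forged Host header, because a rule built on %{HTTP_HOST} redirects to whatever host the client named. The hostname is the post’s placeholder; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm from a client that the
# mod_rewrite rule above sends cleartext requests to HTTPS, and see whether the
# redirect target simply follows the Host header. Hostnames are placeholders;
# curl is assumed to be installed.

# Print the Location header from a block of response headers passed as $1.
location_header() {
    printf '%s\n' "$1" | awk 'tolower($1) == "location:" { sub(/\r$/, ""); print $2; exit }'
}

# Print the HTTP status code from the status line of the headers passed as $1.
status_code() {
    printf '%s\n' "$1" | awk 'NR == 1 { sub(/\r$/, ""); print $2; exit }'
}

# Succeed only if the headers describe a redirect to https://<host><path>.
redirect_ok() {
    headers=$1 host=$2 path=$3
    case $(status_code "$headers") in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    [ "$(location_header "$headers")" = "https://$host$path" ]
}

# Fetch only the response headers of a request; extra curl options (for example
# a forged Host header) are passed through.
fetch_headers() {
    url=$1; shift
    curl -sS -o /dev/null -D - "$@" "$url"
}

probe() {
    host=$1 path=${2:-/}
    headers=$(fetch_headers "http://$host$path")
    if redirect_ok "$headers" "$host" "$path"; then
        echo "ok: http://$host$path -> $(location_header "$headers")"
    else
        echo "FAIL: status $(status_code "$headers"), Location: $(location_header "$headers")"
        return 1
    fi
    # A rule that uses %{HTTP_HOST} redirects to whatever the client put in the
    # Host header. Browsers always send the right name, but the server will
    # happily vouch for any name it is asked for.
    forged=$(fetch_headers "http://$host$path" -H "Host: attacker.invalid")
    case $(location_header "$forged") in
        https://attacker.invalid*)
            echo "note: Location follows the Host header; %{SERVER_NAME} with UseCanonicalName On pins it" ;;
    esac
}

# Usage: sh check-redirect.sh www.example.com /some/path
if [ "$#" -ge 1 ]; then probe "$@"; fi
```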
Published on 2008-12-19 in Linux.
This example assumes that your DNS servers are properly configured, so that the Kerberos realm and its KDCs can be discovered via DNS. Active Directory domain controllers register these records automatically:
_kerberos IN TXT EXAMPLE.COM
_kerberos._udp IN SRV 0 0 88 server.example.com.
_kerberos._tcp IN SRV 0 0 88 server.example.com.
_kpasswd._udp IN SRV 0 0 464 server.example.com.
_kpasswd._tcp IN SRV 0 0 464 server.example.com.
_ldap._tcp.dc._msdcs IN SRV 0 0 389 server.example.com.
On your Linux box, set the fully-qualified hostname in /etc/sysconfig/network and /etc/hosts. Note that the first part of your hostname becomes the machine’s NetBIOS name and computer account, so it must be no longer than 15 characters and unique in the domain:
# /etc/sysconfig/network
HOSTNAME=myhostname.example.com
# /etc/hosts
127.0.0.1 myhostname.example.com myhostname localhost.localdomain localhost
Make sure your Linux box has a properly configured DNS client (probably pointing at your domain controllers):
search example.com
nameserver 192.168.1.10
Since Kerberos rejects tickets once clocks differ by more than the allowed skew (five minutes by default), configure your Linux box as an NTP client of your domain controllers. Edit /etc/ntp.conf like so:
server server.example.com
Install Winbind and configure the service to start automatically:
yum install samba-common
chkconfig winbind on
Use Red Hat’s authconfig command to configure Winbind authentication:
authconfig \
--disablecache \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=EXAMPLE \
--smbrealm=EXAMPLE.COM \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablekrb5 \
--krb5realm=EXAMPLE.COM \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablelocauthorize \
--enablemkhomedir \
--enablepamaccess \
--updateall
Now you should be able to join your Linux box to the domain (you will be prompted for the password; any account allowed to create computer objects in the domain will do, it need not be Administrator):
net ads join -U Administrator
Start (or restart) the Winbind service:
At this point, your Linux box should be participating in the Windows domain. You can test this by issuing wbinfo -u (to list all users in the domain), wbinfo -g (to list all groups in the domain), and getent passwd administrator (to list account information for the domain administrator; the bare username works because of --enablewinbindusedefaultdomain). All three need winbind running and a reachable domain controller.
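The steps above leave a few things that are easy to get wrong and that only surface as cryptic errors from net ads join or an empty wbinfo -u: the SRV and TXT records, the 15-character short hostname, and the clock. The script below is an added example for this post (not the author’s code) that checks each of them from the Linux box; run it before joining, or when the join fails. The realm, domain and domain-controller name are the post’s placeholders; dig (bind-utils) and ntpdate are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: check the prerequisites the post
# lists for a Winbind/Kerberos join from the Linux box itself, before running
# "net ads join" (or when the join or wbinfo fails with little explanation).
# Realm, domain and domain controller are the post's placeholders; dig
# (bind-utils) and ntpdate are assumed to be installed.

REALM="EXAMPLE.COM"
DOMAIN="example.com"
DC="server.example.com"

# The short hostname becomes the machine's NetBIOS name and computer account,
# so it may be at most 15 characters of letters, digits and hyphens.
netbios_name_ok() {
    short=${1%%.*}
    [ -n "$short" ] && [ "${#short}" -le 15 ] &&
        case $short in *[!A-Za-z0-9-]*) return 1 ;; esac
}

# The SRV records a domain controller publishes, with the port each must carry.
expected_srv_records() {
    printf '%s %s\n' \
        "_kerberos._tcp.$DOMAIN" 88 \
        "_kerberos._udp.$DOMAIN" 88 \
        "_kpasswd._tcp.$DOMAIN" 464 \
        "_kpasswd._udp.$DOMAIN" 464 \
        "_ldap._tcp.dc._msdcs.$DOMAIN" 389
}

# $1 is the output of "dig +short SRV <name>", $2 the expected port: succeed if
# at least one answer ("prio weight port target.") has that port and a fully
# qualified target.
srv_answer_ok() {
    printf '%s\n' "$1" | awk -v port="$2" \
        'NF == 4 && $3 == port && $4 ~ /\.$/ { ok = 1 } END { exit !ok }'
}

# The _kerberos TXT record carries the realm name; dig prints it in quotes.
realm_txt_ok() {
    [ "$1" = "\"$REALM\"" ]
}

# Kerberos rejects tickets once clocks differ by more than the allowed skew,
# five minutes by default. $1 is the offset in seconds, possibly negative.
clock_skew_ok() {
    awk -v off="$1" 'BEGIN { if (off == "") exit 1; if (off < 0) off = -off; exit !(off < 300) }'
}

check_hostname() {
    if netbios_name_ok "$1"; then
        echo "ok   hostname $1 (NetBIOS name ${1%%.*})"
    else
        echo "FAIL short hostname ${1%%.*} must be 1-15 letters, digits or hyphens"; return 1
    fi
}

check_dns() {
    rc=0
    # A here-document rather than a pipe, so rc survives the loop.
    while read -r name port; do
        if srv_answer_ok "$(dig +short SRV "$name")" "$port"; then
            echo "ok   SRV $name"
        else
            echo "FAIL SRV $name (expected port $port)"; rc=1
        fi
    done <<EOF
$(expected_srv_records)
EOF
    if realm_txt_ok "$(dig +short TXT "_kerberos.$DOMAIN")"; then
        echo "ok   TXT _kerberos.$DOMAIN = $REALM"
    else
        echo "FAIL TXT _kerberos.$DOMAIN should read \"$REALM\""; rc=1
    fi
    return $rc
}

check_clock() {
    offset=$(ntpdate -q "$DC" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | tail -1)
    if clock_skew_ok "$offset"; then
        echo "ok   clock offset from $DC is ${offset}s"
    else
        echo "FAIL clock offset from $DC is '${offset}' (need under 300s; fix NTP first)"; return 1
    fi
}

# Usage: sh ad-preflight.sh myhostname.example.com
if [ "$#" -ge 1 ]; then
    check_hostname "$1"; check_dns; check_clock
fi
```

Pass the fully-qualified name you put in /etc/sysconfig/network as the argument; a FAIL on any SRV line means the box is not using the domain controllers as resolvers (check /etc/resolv.conf), and a FAIL on the clock means the join will succeed but every ticket request will be refused.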
My current employer has a new blog, and I’m on the blogging committee. That means I get a cool cartoon-character avatar of my likeness, and I’ll be making regular posts there. I encourage you to read (and comment on) my first post: In the World of IT, Laziness is a Virtue.