[Fedora-directory-users] FDS and Apache

Richard Megginson rmeggins at redhat.com
Wed Jan 25 18:26:33 UTC 2006


Kevin Kovach wrote:

> Yeah, this was the kind of info I was looking for.
>
> I just downloaded the newest Apache 2.2 server and was going to give 
> it a go at implementing the included mod_authnz_ldap with FDS.  I was 
> planning on compiling everything from scratch, and wasn't sure if I 
> could compile everything against the FDS/NS ldap libraries or if I 
> needed to compile some or all of it against the OpenLDAP client 
> libraries.
>
> From Richard's comments it sounds like I should just concentrate on 
> compiling everything against the OpenLDAP libs.  However, you mention 
> using NSS for encryption.  I'm unsure if using the OpenLDAP libs will 
> limit me in some way?

No, not really.  OpenLDAP uses OpenSSL for crypto.  You can convert your 
certs from that format to the NSS format and vice versa if needed.  If 
you were running in a paranoid secure environment, you probably wouldn't 
be asking me these questions :-)

>
> If we have control over the Apache compilation is there an 
> advantage/disadvantage to compiling against the FDS/NS libs rather 
> than OpenLDAP?  I apologize if that's too vague a question. :-)  Thanks.

I think it's probably simpler and easier to use the OpenLDAP ones.  Then 
you can just use the standard Apache binaries that come with most OS 
distros.

>
> - Kevin
>
> On 1/25/06, *Richard Megginson* <rmeggins at redhat.com> wrote:
>
>     Robert Ludvik wrote:
>
>     >Kevin Kovach pravi:
>     >
>     >
>     >>The HowTo for integration with Apache
>     >>(http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently
>     >>blank.  Can somebody advise on another source for information on
>     >>getting some type of mod_authnz_ldap working between FDS and
>     >>Apache?  Thanks.
>     >>
>     >>- Kevin
>     >>
>     >>
>     >
>     >I made it this way (see attachment). Hope it helps.
>     >Bye
>     >Robert Ludvik
>     >
>     >
>     >------------------------------------------------------------------------
>     >
>     >Information source:
>     >http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html#conf
>     >
>     >Download modauthldap_apache2.tar.gz and unpack it in /usr/local/src
>     >In /usr/local/src/modauthldap_apache2 run:
>     >
>     >./configure --with-ldap-dir=/opt/fedora-ds/shared --with-apxs=/usr/sbin/apxs
>     >make
>     >make install
>     >
>     >Check httpd.conf:
>     >LoadModule ldap_module modules/mod_ldap.so
>     >LoadModule auth_ldap_module   /usr/lib/httpd/modules/mod_auth_ldap.so
>     >
>     >I had to copy manually these files:
>     >cp /opt/fedora-ds/shared/lib/libprldap50.so /lib/
>     >cp /opt/fedora-ds/shared/lib/libldap50.so /lib/
>     >cp /opt/fedora-ds/shared/lib/libssldap50.so /lib/
>     >
>     >
>     What version of Apache is this?  Note that some versions of Apache are
>     linked directly against /usr/lib/libldap*.so which is the OpenLDAP API
>     library.  You may run into strange problems if you have both the Mozilla
>     (Fedora DS) and OpenLDAP libs linked into Apache - the APIs, while
>     similar, are not compatible and you will run into strange errors.  It is
>     for this reason that I recommend just using the default OpenLDAP
>     libraries with mod_ldap and mod_auth_ldap.  (Fedora DS Admin Server does
>     use the Mozilla LDAP libs despite the fact that Apache is linked with
>     the OpenLDAP ones - we have to jump through hoops like using LD_PRELOAD
>     - but we do not use any other LDAP modules at all, and we have to use
>     the Mozilla ones because we must use NSS for crypto).
>
>     >In httpd.conf add folder for which you want to have LDAP authentication:
>     >
>     ><Directory "/var/www/html/a">
>     >Options Indexes FollowSymLinks
>     >AllowOverride None
>     >order allow,deny
>     >allow from all
>     >#    Q: I get a error message like reason: unknown require directive:
>     >#    "xxxxxxx". What's the problem?
>     >#    A: Use the directive AuthAuthoritative Off
>     >AuthAuthoritative Off
>     >AuthName "Only for nice people ;-)"
>     >AuthType Basic
>     >#AuthOnBind Off
>     >#Sub_DN ou=CIS,ou=People
>     >#LDAP_Persistent On
>     >#Bind_Tries 5
>     >#LDAP_Debug On
>     >#LDAP_Protocol_Version 3
>     >#LDAP_Deref NEVER
>     >#LDAP_StartTLS On
>     >LDAP_Server dserver.domain.com
>     >#LDAP_Server 192.168.1.1
>     >LDAP_Port 389
>     ># Connect timeout in seconds
>     >#LDAP_Connect_Timeout 3
>     ># If SSL is on, must specify the LDAP SSL port, usually 636
>     >#LDAP_Port 636
>     >#LDAP_CertDbDir /usr/foo/ssl
>     >Base_DN "dc=domain,dc=com"
>     ># If your configuration allows anonymous access you don't have to set
>     ># Bind_DN
>     >#Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
>     >#Bind_Pass "secret"
>     >UID_Attr uid
>     >#UID_Attr_Alt "mail"
>     >#Group_Attr uniqueMember
>     >#SupportNestedGroups Off
>     ># You also need one of require statements:
>     ># any valid user:
>     >#require valid-user
>     ># OR these users:
>     >#require user muquit foo bar "john doe"
>     ># OR users that match some condition:
>     >#require roomnumber "123 Center Building"
>     ># OR filter:
>     >#require filter "(&(telephonenumber=1234)(roomnumber=123))"
>     ># for a group of users (NOTE, without dc=domain,dc=com)
>     >require group cn=my_group,ou=Groups
>     ></Directory>
>     >
>     >Restart Apache:
>     >apachectl restart
>     >
>     >
>     >
>     >------------------------------------------------------------------------
>
>     >
>     >--
>     >Fedora-directory-users mailing list
>     >Fedora-directory-users at redhat.com
>     >https://www.redhat.com/mailman/listinfo/fedora-directory-users
>     >
>     >
>
> -- 
> Take back the web, http://www.switch2firefox.com/
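An added check for the mixed-library problem Richard describes (this is not code from the thread or from Fedora DS): a POSIX shell function that reads ldd output and reports whether a binary or module pulls in the OpenLDAP client library, the Mozilla/Fedora DS one, or both. The Mozilla library names are the ones quoted in the thread (libldap50.so, libprldap50.so, libssldap50.so), the OpenLDAP ones are libldap*.so and liblber*.so, and the ldd output below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: spot an Apache binary or LDAP module
# that is linked against both LDAP client APIs Richard warns about mixing.
# Mozilla/Fedora DS libs are named as in the thread (libldap50.so,
# libprldap50.so, libssldap50.so); OpenLDAP ones are libldap*.so/liblber*.so.

# classify_ldap_libs: read ldd(1)-style output on stdin and print one word:
# none, openldap, mozilla, or mixed.
classify_ldap_libs() {
    openldap=0
    mozilla=0
    while IFS= read -r line; do
        set -- $line          # first field is the soname, e.g. libldap-2.3.so.0
        lib=${1:-}
        case "$lib" in
            libldap50.so*|libprldap50.so*|libssldap50.so*) mozilla=1 ;;
            libldap*.so*|liblber*.so*) openldap=1 ;;
        esac
    done
    if [ "$openldap" -eq 1 ] && [ "$mozilla" -eq 1 ]; then echo mixed
    elif [ "$openldap" -eq 1 ]; then echo openldap
    elif [ "$mozilla" -eq 1 ]; then echo mozilla
    else echo none
    fi
}

# report_ldap_linkage FILE...: run ldd on real files and print a verdict per
# file, e.g. /usr/sbin/httpd and /usr/lib/httpd/modules/mod_auth_ldap.so.
report_ldap_linkage() {
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(ldd "$f" 2>/dev/null | classify_ldap_libs)"
    done
}

# Constructed ldd output for a module linked against both families.
SAMPLE_MIXED='        linux-vdso.so.1 =>  (0x00007fff5d1fe000)
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00002b1e1c3a2000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00002b1e1c5e0000)
        libldap50.so => /lib/libldap50.so (0x00002b1e1c7f0000)
        libprldap50.so => /lib/libprldap50.so (0x00002b1e1ca00000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b1e1cc10000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b1e1c180000)'

# Constructed ldd output for the recommended setup: OpenLDAP only.
SAMPLE_OPENLDAP='        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00002b1e1c3a2000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00002b1e1c5e0000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b1e1cc10000)'

printf '%s\n' "$SAMPLE_MIXED" | classify_ldap_libs      # mixed
printf '%s\n' "$SAMPLE_OPENLDAP" | classify_ldap_libs   # openldap
```

A verdict of mixed on httpd or any loaded LDAP module is the configuration to avoid; openldap on all of them matches Richard's recommendation.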