Using AD to test for group membership

KevinL
Dec 3, 2002
Archived from groups: microsoft.public.win2000.active_directory

We'd like to use the fact that all of our users have an AD account to
simplify authentication and authorization for our users of Windows, Mac and
Linux. More specifically, for example, we have an intranet and we'd like to
use mod_authz_ldap with Apache to check Active Directory for a valid user
name and password. We have that part working now but it uses first and last
name as the base DN and we'd rather use the user name. Then, we'd like to set
an Apache directive to check for group membership to manage rights on the
intranet. I realize I am fairly new to this and could be missing something
major, but any ideas would be appreciated. Below is some detail. We have
tried to sniff the traffic and we see the query but can't read any output
from the DC and seem to have either a permissions problem or an improper query.

#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#

LoadModule authz_ldap_module modules/mod_authz_ldap.so

<IfModule mod_authz_ldap.c>

<Directory /var/www/html/martin>
AuthzLDAPMethod ldapmapped
AuthzLDAPServer swansboro.lib.unc.edu
# Where user objects are searched for and which attribute the login name is
# matched against. With scope "base" only the base object itself (the Users
# container) is examined, so no user entry can ever match: in AD the user
# objects sit one level below it, and the login name is held in
# sAMAccountName, not in cn (cn is the "First Last" display name).
AuthzLDAPUserBase cn=users,dc=lib,dc=unc,dc=edu
AuthzLDAPUserKey cn
AuthzLDAPUserScope base
# Same pattern for the group lookup: cn=Systems is a child of the Users
# container, so a scope of "base" never reaches it either.
AuthzLDAPGroupBase cn=users,dc=lib,dc=unc,dc=edu
AuthzLDAPGroupKey cn
AuthzLDAPSetGroupAuth ldapdn
AuthzLDAPGroupScope base
# No bind identity is configured. AD rejects anonymous searches by default,
# which matches seeing the query go out with nothing usable coming back.
#
AuthType basic
AuthName "ldap@swansboro.lib.unc.edu"
require group Systems
</Directory>

</IfModule>
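For comparison, here is the same intent (authenticate against AD by logon name, then authorize on an AD group) written for a current Apache httpd 2.4 with its bundled mod_authnz_ldap. This is an added example, not from the post and not the third-party mod_authz_ldap the post uses, whose directives differ. The host name, base DN and group name reuse the post's values; the service account DN, its password and the CA certificate path are placeholders.

```apache
# Added example: Apache httpd 2.4 + mod_authnz_ldap against Active Directory.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Server-config context: trust the CA that issued the DC's certificate so the
# LDAPS connection below can be verified (placeholder path).
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-root-ca.pem

<Directory /var/www/html/martin>
    AuthType Basic
    AuthName "ldap@swansboro.lib.unc.edu"
    AuthBasicProvider ldap

    # URL form: scheme://host/basedn?attribute?scope?filter
    # - ldaps so Basic-auth passwords are not relayed to the DC in clear text
    # - sAMAccountName is the logon name (cn is "First Last")
    # - scope "sub" so users placed in OUs are found, not only CN=Users
    AuthLDAPURL "ldaps://swansboro.lib.unc.edu/dc=lib,dc=unc,dc=edu?sAMAccountName?sub?(objectClass=user)"

    # AD refuses anonymous searches: bind with a read-only service account
    # (placeholder DN and password; keep the password out of world-readable files).
    AuthLDAPBindDN       "cn=svc-apache,cn=users,dc=lib,dc=unc,dc=edu"
    AuthLDAPBindPassword "CHANGE_ME"

    # AD groups list their members as DNs in the multi-valued "member"
    # attribute, so compare the authenticated user's DN against it.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    # Follow group-in-group nesting one level deep.
    AuthLDAPSubGroupAttribute member
    AuthLDAPSubGroupClass     group
    AuthLDAPMaxSubGroupDepth  1

    Require ldap-group cn=Systems,cn=users,dc=lib,dc=unc,dc=edu
</Directory>
```

Two caveats worth keeping in mind with this layout: Basic authentication sends the AD password on every request, so the intranet itself must be served only over HTTPS; and a user's primary group (normally Domain Users) is never listed in `member`, so it cannot be used in `Require ldap-group`.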
 
Guest


Hi Kevin,

I'm not sure I follow the questions, but let me take a swing at it. If I'm
answering the wrong question, please come back with some details and more
specific questions. :)

> We have that part working now but it uses first and last name
> as the base DN and we'd rather use the user name

I assume the question here is, can you change your users such that the DN of
the user objects includes the username rather than the first and last name?
If so, absolutely. In AD you can change the RDN of those objects to be
anything you wish. There are no "rules" per se. :)

Further, you could locate objects in the directory through searches (say to
find users by username, the filter would be "(samaccountname=myUserName)")
rather than just by looking for the DN path of the object.

> Then, we'd like to set an apache directive to check for group membership
> to manage rights on the intranet.

Sorry, you lost me some here. I _think_ you're asking about reading group
membership out of the directory. Is that right? Let me know and I can field
this.

~Eric

--
Eric Fleischman [MSFT]
These postings are provided "AS IS" with no warranties, and confer no
rights.

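Eric's suggestion above is to locate the user with a search on sAMAccountName rather than by guessing the DN, and the follow-on question is how to read group membership. The block below, an added example that is not part of the thread, shows the two pieces a practitioner would want around that: building the filter so a user-supplied logon name cannot rewrite it (LDAP filter injection), and evaluating membership from the attributes an AD search returns, including the nested-group case via AD's LDAP_MATCHING_RULE_IN_CHAIN. The entry, user and group names are constructed placeholders, not data from the post.

```python
"""Added example (not from the thread): an injection-safe LDAP search filter
for an AD logon name, and group-membership evaluation over the attributes an
AD search returns. All names and DNs below are constructed placeholders."""

AD_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (AD OID)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter (RFC 4515).

    Interpolating a raw login name into "(sAMAccountName=%s)" lets a name such
    as "x)(objectClass=*" rewrite the filter; the hex escapes neutralise it.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(logon_name: str) -> str:
    """Filter that finds one user object by its logon name (sAMAccountName)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(logon_name)


def transitive_member_filter(group_dn: str) -> str:
    """Filter answering "is the search base transitively a member of group_dn?".

    Run it with scope "base" against the user's own DN. AD evaluates the
    in-chain matching rule server-side, so nested groups are covered.
    """
    return "(memberOf:%s:=%s)" % (AD_IN_CHAIN, escape_filter_value(group_dn))


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas (a value like "Doe\\, Jane" stays whole)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: attribute types and the cn/dc values
    used here are case-insensitive in AD, and whitespace around the separating
    commas is not significant."""
    return ",".join(rdn.strip().lower() for rdn in split_dn(dn))


def is_member(entry: dict, group_dn: str) -> bool:
    """Direct membership test on a returned entry's memberOf attribute.

    memberOf lists only direct memberships and never the primary group
    (normally Domain Users); use transitive_member_filter() for nesting.
    """
    want = normalize_dn(group_dn)
    return any(normalize_dn(g) == want for g in entry.get("memberOf", []))


# Constructed stand-in for what a search with user_filter("jdoe") would return.
SAMPLE_ENTRY = {
    "distinguishedName": ["CN=Doe\\, Jane,CN=Users,DC=lib,DC=unc,DC=edu"],
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "CN=Systems,CN=Users,DC=lib,DC=unc,DC=edu",
        "CN=Intranet Editors,OU=Groups,DC=lib,DC=unc,DC=edu",
    ],
}

if __name__ == "__main__":
    print(user_filter("jdoe"))
    print(user_filter("jdoe)(objectClass=*"))  # injection attempt, neutralised
    print(is_member(SAMPLE_ENTRY, "cn=systems,cn=users,dc=lib,dc=unc,dc=edu"))
    print(transitive_member_filter("CN=Systems,CN=Users,DC=lib,DC=unc,DC=edu"))
```

The escaping matters in exactly the place this thread is heading: once the web server builds the filter from whatever the browser sent in the Basic-auth header, the login name is attacker-controlled input to the directory query. Comparing DNs through `normalize_dn` rather than with `==` avoids false denials when the group DN in the configuration differs from the directory's casing or spacing.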