Hi All
Does anyone have any working mod_ldap configuration for CentOS 7 with Apache 2.4.6 with iPad to share?
Regards Per
Hi Per, could you define “working configuration” requirements and what’s iPad specific?

Anyway, below is my setup with CentOS Apache to authenticate against IPA via LDAP using either username (uid) or e-mail. No Kerberos or GSSAPI used, just “pure” LDAP. Please note, IPA group “shareusers” membership is required. IPA host is im.example.com

With kind regards,
Ivars
File /etc/httpd/access/ldap.conf
AuthName "File service login"
# AuthBasicProviders are defined in ../conf.d/00-ldap.conf
AuthBasicProvider ldap-uid ldap-mail
AuthType Basic

# Even if AuthLDAPURL is defined in AuthnProviderAlias in ../conf.d/00-ldap.conf and processed earlier
# these directives are mandatory to authorize after authentication
AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
AuthLDAPInitialBindAsUser On
AuthLDAPSearchAsUser On
AuthLDAPCompareAsUser On
File /etc/httpd/conf.d/00-ldap.conf
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
# AuthnProviderAlias must be defined here, it cannot be in VirtualHost
# because ../access/ldap.conf is VirtualHost level

# ldap-mail is tried last (after ldap-uid)
<AuthnProviderAlias ldap ldap-mail>
    AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
    # this one (last) must be authoritative
    # AuthLDAPBindAuthoritative off
    AuthLDAPInitialBindAsUser On
    AuthLDAPSearchAsUser On
    AuthLDAPCompareAsUser On
    AuthLDAPInitialBindPattern (.+)@(.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>

# ldap-uid is tried first
<AuthnProviderAlias ldap ldap-uid>
    AuthLDAPURL ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
    # first one is NOT authoritative
    AuthLDAPBindAuthoritative off
    AuthLDAPInitialBindAsUser On
    AuthLDAPSearchAsUser On
    AuthLDAPCompareAsUser On
    AuthLDAPInitialBindPattern (.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>
On 8 Aug 2017, at 15:11, Per Qvindesland via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
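A constructed walk-through of the provider chain in Ivars's config (added here; not part of his post and not mod_authnz_ldap's own code): it runs a login through the ldap-uid and ldap-mail aliases against an in-memory stand-in for the IPA directory, so you can see which alias ends up authenticating a uid login versus an e-mail login, and what search filter reaches the directory. The DN, group and AuthLDAPInitialBindPattern values are copied from the posted config; the directory entries (bob, alice) and the simplified fall-through rules are assumptions.

```python
import re

# Constructed model of the thread's two AuthnProviderAlias blocks (values from the posted config).
GROUP = "cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com"
USERS = "cn=users,cn=accounts,dc=example,dc=com"
PROVIDERS = [
    ("ldap-uid", {"url": f"ldaps://im.example.com/{USERS}?uid?sub?(memberOf={GROUP})",
                  "bind_pattern": r"(.+)", "bind_template": f"uid=$1,{USERS}",
                  "bind_authoritative": False}),   # AuthLDAPBindAuthoritative off
    ("ldap-mail", {"url": f"ldaps://im.example.com/{USERS}?mail?sub?(memberOf={GROUP})",
                   "bind_pattern": r"(.+)@(.+)", "bind_template": f"uid=$1,{USERS}",
                   "bind_authoritative": True}),   # default: the last provider is authoritative
]
# Constructed stand-in for the IPA directory (DN -> attributes) so this runs offline.
DIRECTORY = {
    f"uid=bob,{USERS}": {"uid": "bob", "mail": "bob@example.com", "memberOf": GROUP},
    f"uid=alice,{USERS}": {"uid": "alice", "mail": "alice@example.com", "memberOf": ""},
}

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (RFC 4516 form) into the parts mod_authnz_ldap uses."""
    m = re.fullmatch(r"(ldaps?)://([^/]+)/([^?]*)(?:\?(.*))?", url)
    attr, scope, flt = ((m.group(4) or "").split("?", 2) + ["", ""])[:3]
    return {"scheme": m.group(1), "host": m.group(2), "base": m.group(3),
            "attr": attr or "uid", "scope": scope or "sub", "filter": flt}

def escape_filter_value(value):
    """RFC 4515 escaping of a user-supplied value inside a search filter (mod_authnz_ldap does this)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(special.get(c, c) for c in value)

def resolve_login(login, providers=PROVIDERS, directory=DIRECTORY):
    """Simplified provider walk: returns (provider, outcome, search filter). A failed user bind
    falls through only when AuthLDAPBindAuthoritative is off; 'not found' always falls through."""
    for name, cfg in providers:
        match = re.fullmatch(cfg["bind_pattern"], login)
        if not match:
            continue                                   # pattern miss: try the next provider
        bind_dn = re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), cfg["bind_template"])
        url = parse_auth_ldap_url(cfg["url"])
        flt = f"(&{url['filter']}({url['attr']}={escape_filter_value(login)}))"
        if bind_dn not in directory:                   # AuthLDAPInitialBindAsUser failed
            if cfg["bind_authoritative"]:
                return name, "denied", flt
            continue
        # AuthLDAPSearchAsUser: the URL filter (group membership) AND attr=login must match
        hits = [dn for dn, e in directory.items() if e["memberOf"] == GROUP and e[url["attr"]] == login]
        if hits:
            return name, "authenticated", flt
    return None, "user not found", None
```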
Hi Ivars
Many thanks, that's just what I was looking for.
Sorry about the iPad, it should be IPA, but it seems I am a victim of autocorrect 🤣
Regards Per
Sent from my Commodore 64
On 8 Aug 2017, at 18:07, Ivars Strazdiņš via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: