Authenticate Apache 2 using Mac OS X Open Directory OS X Server
I have successfully made Apache 2.2 use the accounts in our Mac OS X Open Directory, instead of a flat text file. I found that the DN (distinguished name) needed an extra element on the front, uid=. But all the examples I had been finding on the web used a DN of this form:
cn=user1,dc=example,dc=com
Once I added uid=USERNAME on the front, and omitted the cn= part, it worked fine:
uid=user1,dc=example,dc=com
I found this out by using the command-line tool ldapsearch:
ldapsearch -h server1.geo.vuw.ac.nz -x -b \
'dc=geo,dc=vuw,dc=ac,dc=nz' '(uid=testaccount1)'
The output line starting with dn: told me all I needed to know:
dn: uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz


Here are the directives from my httpd.conf:
AuthType Basic
AuthName "Testing of LDAP auth"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
# Account Apache binds as to search for the user's DN
AuthLDAPBindDN uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz
AuthLDAPBindPassword [plaintext password for user 'testaccount1']
# No attribute given after the base DN, so the default uid is used for lookups
AuthLDAPURL ldap://server1.geo.vuw.ac.nz/dc=geo,dc=vuw,dc=ac,dc=nz
Require valid-user
And here are some of the other relevant details:
  • Server platform: Mac Mini, Mac OS X 10.4.0 (not Server version)
  • Webserver: Apache 2.2.6, built from source.
  • Browser client used for testing: Safari 2.0.4, Mac OS X 10.4.10, Intel iMac
  • Apache build configured like so:

    ./configure --enable-dav \
    --enable-authnz-ldap \
    --enable-ldap \
    --enable-so \
    --enable-vhost-alias \
    --with-ldap \
    --enable-ssl \
    --enable-rewrite \
    --enable-expires
Now I just want to find out how to avoid having to use a plaintext password in httpd.conf. Hope this helps!
Authenticate Apache 2 using Mac OS X Open Directory
Authored by: tfe on Jan 17, '10 03:28:58AM
This method no longer works with Snow Leopard Server's OpenDirectory. To make it work use the following setup:
AuthType Basic
AuthName "test"
AuthBasicProvider ldap
# Allows fall back to other authentication methods
AuthzLDAPAuthoritative off
# To match OpenDirectory's schema
AuthLDAPGroupAttributeIsDN off
AuthLDAPURL ldap://<server>/dc=search,dc=base
# Magic happens here - defines how members are stored in a group
AuthLDAPGroupAttribute memberUid
Require ldap-group cn=group,cn=groups,dc=search,dc=base
Note: This setup will use an anonymous bind to the directory, so you don't have to store a clear text password in the config. (OpenDirectory must be configured to allow anonymous binds.) Replace dc=search,dc=base with your search base and replace <server> with your actual server's IP.

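As an added illustration (not code from the hint, its author, or Apache), the following Python models what mod_authnz_ldap does with the directives from both the hint and the comment above: it parses an AuthLDAPURL (RFC 2255 form, with Apache's defaults of attribute uid, scope sub and filter (objectClass=*)), resolves the user's DN the way Require valid-user needs it, and then checks Require ldap-group membership with AuthLDAPGroupAttributeIsDN on or off. The directory entries are constructed for the example and mirror the hint's uid=...,cn=users,... layout; the model applies only the attribute match, not a general LDAP filter.

```python
from urllib.parse import urlsplit

# Constructed directory entries (not real data) in the hint's Open Directory layout.
DIRECTORY = {
    "uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz": {
        "objectClass": ["inetOrgPerson"], "uid": ["testaccount1"]},
    "uid=user1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz": {
        "objectClass": ["inetOrgPerson"], "uid": ["user1"]},
    "cn=webteam,cn=groups,dc=geo,dc=vuw,dc=ac,dc=nz": {
        "objectClass": ["posixGroup"], "memberUid": ["user1"]},
}

def parse_auth_ldap_url(url):
    """Split ldap://host/basedn?attr?scope?filter and fill in Apache's defaults."""
    parts = urlsplit(url)
    fields = (parts.path.lstrip("/") + "?" + parts.query).split("?")
    fields += [""] * (4 - len(fields))
    base, attr, scope, filt = fields[:4]
    return {"host": parts.netloc, "base": base, "attr": attr or "uid",
            "scope": scope or "sub", "filter": filt or "(objectClass=*)"}

def find_user_dn(url, username):
    """Return the DN Apache would find for the login name, or None.

    Apache searches the base for (&(filter)(attr=username)); this model only
    applies the attr=username part, which is all the default filter adds."""
    cfg = parse_auth_ldap_url(url)
    for dn, entry in DIRECTORY.items():
        if dn.endswith(cfg["base"]) and username in entry.get(cfg["attr"], []):
            return dn
    return None

def in_ldap_group(group_dn, username, user_dn, group_attr, attr_is_dn):
    """Require ldap-group: compare the user's DN (AuthLDAPGroupAttributeIsDN on)
    or the bare login name (off, as with memberUid) against the group attribute."""
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False
    wanted = user_dn if attr_is_dn else username
    return wanted in group.get(group_attr, [])

def authorize(url, username, group_dn=None, group_attr="member", attr_is_dn=True):
    """Return the authorized user's DN, or None. Without a group this is
    'Require valid-user'; with one it is 'Require ldap-group'."""
    user_dn = find_user_dn(url, username)
    if user_dn is None or group_dn is None:
        return user_dn
    return user_dn if in_ldap_group(group_dn, username, user_dn,
                                    group_attr, attr_is_dn) else None
```

Running authorize() with group_attr="memberUid" and attr_is_dn=True against the posixGroup above fails, which is exactly why the comment sets AuthLDAPGroupAttributeIsDN off for Open Directory.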