Netware Webserver - Secure login using server/users in Apache2


Author Secure login using server/users in Apache2
Kenneth Heinz

2007-10-08, 7:11 pm

How can I make a generic Apache2 Webserver that will ask for the employees
Novell login and password from the edirectory?

I need this to be done on port 80 for our remote Sophos updates.

Thanks,
Ken@rlmrlm.com

Richard Beels [SysOp]

2007-10-09, 1:12 am


you need mod_edir - it's in the online docs. also, i would force the
connection to https (port 443) so you're not sending everyone's
password over the wire in the clear.

mod_rewrite is what you need to redirect http -> https.


--
Cheers!
Richard Beels
~ Network Consultant
~ Sysop, Novell Support Connection
~ MCNE, CNE*, CNA*, CNS*, N*LS


Guenter

2007-10-09, 7:12 am

Hi,

Richard Beels [SysOp] <beels@technologist.com> wrote in
news:VA.00002109.04d4bf2d@technologist.com:

> you need mod_edir - it's in the online docs. also, i would force the
> connection to https (port 443) so you're not sending everyone's
> password over the wire in the clear.

mod_edir is only recommended if the user really needs that file rights apply,
f.e. files with different access rights in the same folder, or if remote server
access is required. For just authenticating a user against eDir it's
sufficient to use mod_auth_ldap. Usage of mod_edir should be avoided whenever
possible since there are downsides such as consuming connections and changing
identity, which in turn causes problems with the Apache logfiles.

Günter.


Sebastian Cerazy

2007-10-09, 7:12 am

That will do for you:

<VirtualHost 10.0.0.5:443>
DocumentRoot "VOLUME:/home/staff"
ServerName xxxxx.domain.com
ServerAdmin webmaster@domain.com

<Directory "VOLUME:/home/staff">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Staff Intranet"
AuthNDSTree TREE
AuthNDSContext OU=xxxxxxxxxxx.O=xxxxx
AuthNDSRequireSSL On
require valid-user
</Directory>
</VirtualHost>


"Kenneth Heinz" <ken@rlmrlm.com> wrote in message
news:yPwOi.10051$NG7.6001@kovat.provo.novell.com...
> How can I make a generic Apache2 Webserver that will ask for the employees
> Novell login and password from the edirectory?
>
> I need this to be done on port 80 for our remote Sophos updates.
>
> Thanks,
> Ken@rlmrlm.com
>



Sebastian Cerazy

2007-10-09, 7:12 am

Ignore my previous mail (that was NDS auth which is not what you want)

This one is a correct LDAP:

<Directory "VOLUME:/home/staff">
Allow from all
Order deny,allow
AllowOverride None
AuthType Basic
AuthName "Staff ONLY"
AuthLDAPAuthoritative On
AuthLDAPURL "ldap://ldap.domain.com:389/o=ORGANIZATION,c=UK?cn"
require group cn=SomeGroup,ou=Somecontext,o=ORGANIZATION,c=UK
</Directory>


"Sebastian Cerazy" <sebastian.cerazy@(nospam)spgs.org> wrote in message
news:baIOi.10295$NG7.776@kovat.provo.novell.com...
> That will do for you:
>
>
>
> "Kenneth Heinz" <ken@rlmrlm.com> wrote in message
> news:yPwOi.10051$NG7.6001@kovat.provo.novell.com...
>
>



KeN Etter

2007-10-09, 1:12 pm

On Mon, 08 Oct 2007 20:55:58 GMT, ken@rlmrlm.com (Kenneth Heinz)
wrote:

>How can I make a generic Apache2 Webserver that will ask for the employees
>Novell login and password from the edirectory?
>
>I need this to be done on port 80 for our remote Sophos updates.


Ken,

Here's another way to look at it. I preconfigured Sophos with a
single username/password that it uses when it gets updates from my
website. The users aren't prompted and the password is not public
knowledge. I just use a password file and the auth_plain_module
modules/a_plain.nlm.

Regards,
Ken Etter

Novell....it does a server good!

Kenneth Heinz

2007-10-09, 1:12 pm

Sebastian Cerazy wrote:

> This one is a correct LDAP:


> <Directory "VOLUME:/home/staff">
> Allow from all
> Order deny,allow
> AllowOverride None
> AuthType Basic
> AuthName "Staff ONLY"
> AuthLDAPAuthoritative On
> AuthLDAPURL "ldap://ldap.domain.com:389/o=ORGANIZATION,c=UK?cn"
> require group cn=SomeGroup,ou=Somecontext,o=ORGANIZATION,c=UK
> </Directory>


OK I copied this to the bottom of my Sophos.conf file and modified it but
it does not prompt for a user name or password. I need to have secure
port 80 for sophos to work. Right now it goes right into the directories
without asking for user name and password. Obviously I must have
something wrong.

Any ideas?
Ken@rlmrlm.com

Kenneth Heinz

2007-10-09, 1:12 pm

KeN Etter wrote:

> Ken,


> Here's another way to look at it. I preconfigured Sophos with a
> single username/password that it uses when it gets updates from my
> website. The users aren't prompted and the password is not public
> knowledge. I just use a password file and the auth_plain_module
> modules/a_plain.nlm.


> Regards,
> Ken Etter


How do you deal with people when they leave the company or are all your
remote computers from work? We have several home computers using the
sophos software.

Just wondering,
Ken@rlmrlm.com


Guenter

2007-10-09, 1:12 pm

Hi Ken,

ken@rlmrlm.com (Kenneth Heinz) wrote in
news:oIMOi.10401$NG7.1423@kovat.provo.novell.com:

> Sebastian Cerazy wrote:
>
>
>
> OK I copied this to the bottom of my Sophos.conf file and modified it but
> it does not prompt for a user name or password. I need to have secure
> port 80 for sophos to work. Right now it goes right into the directories
> without asking for user name and password. Obviously I must have
> something wrong.

did you also stop / start your Apache2 ?
have you checked the Apache2 log files ?
I hope you did modify the above block for your paths and ldap, and not just
copy?
probably you have your old config still active, and defined before this
block?

Günter.


KeN Etter

2007-10-09, 1:12 pm

On Tue, 09 Oct 2007 15:03:44 GMT, ken@rlmrlm.com (Kenneth Heinz)
wrote:

>How do you deal with people when they leave the company or are all your
>remote computers from work? We have several home computers using the
>sophos software.


Low turnover and only a few people using it on home computers. So it
hasn't been an issue. If I ever have to change the password, I would
just create a new install and tell current users to download and
install it if they want to continue to use Sophos. That would put the
old password out of commission.

Novell....it does a server good!

Richard Beels [SysOp]

2007-10-09, 7:12 pm


ah, good to know, thanks.


--
Cheers!
Richard Beels
~ Network Consultant
~ Sysop, Novell Support Connection
~ MCNE, CNE*, CNA*, CNS*, N*LS


KeN Etter

2007-10-11, 1:12 pm

On Mon, 08 Oct 2007 20:55:58 GMT, ken@rlmrlm.com (Kenneth Heinz)
wrote:

>How can I make a generic Apache2 Webserver that will ask for the employees
>Novell login and password from the edirectory?
>
>I need this to be done on port 80 for our remote Sophos updates.
>
>Thanks,
>Ken@rlmrlm.com


Ken,

Did you get this figured out? I've been working on another website of
mine that needs to get usernames and passwords from eDirectory and I
have it working now. Let me know if you still need assistance.

Regards,
Ken Etter

Novell....it does a server good!

Kenneth Heinz

2007-11-19, 1:12 pm

KeN Etter wrote:

> Ken,


> Did you get this figured out? I've been working on another website of
> mine that needs to get usernames and passwords from eDirectory and I
> have it working now. Let me know if you still need assistance.


> Regards,
> Ken Etter


> Novell....it does a server good!

Sorry for taking so long to reply, but my servers all turned against me
there for a while. I had received word from someone else that I am to use
the mod_edir and they also provided some other good information but I
still don't fully understand how to set it up. Due to ongoing server
problems I haven't had a chance to really sit down and mess with it.

Was it simple to do? I have a tendency to make things harder than they
should be.

Just wondering,
Ken@rlmrlm.com

KeN Etter

2007-11-19, 1:12 pm

On Mon, 19 Nov 2007 17:42:41 GMT, ken@rlmrlm.com (Kenneth Heinz)
wrote:

>Sorry for taking so long to reply, but my servers all turned against me
>there for a while. I had received word from someone else that I am to use
>the mod_edir and they also provided some other good information but I
>still don't fully understand how to set it up. Due to ongoing server
>problems I haven't had a chance to really sit down and mess with it.
>
>Was it simple to do? I have a tendency to make things harder than they
>should be.


Ken,

I suppose it depends on what you are trying to achieve. All I wanted
to do was to provide a login screen that validates against eDirectory.
So I am using mod_auth_ldap. I had some help getting it setup, but it
wasn't too bad. And I understand it enough that I could provide some
help if you decide to go that route. You don't need to use mod_edir
if all you need to do is check username and password.

Regards,
Ken Etter

Novell....it does a server good!

Kenneth Heinz

2007-11-19, 1:12 pm

KeN Etter wrote:


> Ken,


> I suppose it depends on what you are trying to achieve. All I wanted
> to do was to provide a login screen that validates against eDirectory.
> So I am using mod_auth_ldap. I had some help getting it setup, but it
> wasn't too bad. And I understand it enough that I could provide some
> help if you decide to go that route. You don't need to use mod_edir
> if all you need to do is check username and password.


> Regards,
> Ken Etter


> Novell....it does a server good!

Yeah, I only want it to check the username and then the password. Once
those have been verified, allow access to the directory that the
conf file points to. I don't know if it makes a difference, but my users are
under one context and my apache server is under another context in the
same tree.

Ken@rlmrlm.com

KeN Etter

2007-11-20, 1:11 pm

On Mon, 19 Nov 2007 18:52:31 GMT, ken@rlmrlm.com (Kenneth Heinz)
wrote:

>Yeah, I only want it to check the username and then the password. Once
>those have been verified, allow access to the directory that the
>conf file points to. I don't know if it makes a difference, but my users are
>under one context and my apache server is under another context in the
>same tree.


Just use ldap then. I used this Apache build:
http://www.gknw.net/development/apa...2.6+mods-nw.zip

You'll need to uncomment this line in the conf file:
Include conf/extra/httpd-authnzldap.conf

And then edit conf/extra/httpd-authnzldap.conf to the desired
settings.

You can specify the users' context in the AuthLDAPURL setting.

Give it a shot and if you have questions, let me know.
Ken

Novell....it does a server good!

Kenneth Heinz

2007-11-20, 1:11 pm

Thanks for the information; I will give it a shot. We have a consultant
coming in today to hopefully clear up some more issues with my servers. I
will let you know if I can get it to work.

Thanks,
Kenneth Heinz

Kenneth Heinz

2007-11-24, 7:11 pm

KeN Etter wrote:

> Just use ldap then. I used this Apache build:
> http://www.gknw.net/development/apa...2.6+mods-nw.zip

> You'll need to uncomment this line in the conf file:
> Include conf/extra/httpd-authnzldap.conf


> And then edit conf/extra/httpd-authnzldap.conf to the desired
> settings.


> You can specify the users' context in the AuthLDAPURL setting.


> Give it a shot and if you have questions, let me know.
> Ken



Ok, I am not running Apache 2.2, I am running Apache 2.0; does that
matter?

Anyway, I copied the modules from the ZIP file to the modules directory
and copied the httpd-authnzldap.conf to the extra directory I made and
placed the include line into my http.conf file.

I modified the httpd-authnzldap.conf, but now how do I configure my
virtual host section? I know it is loading the other conf file because I
placed my virtual host section in it trying to get a protected page.

Depending on how I try to configure the virtual host I either get the
unprotected web page or I get Novell open office page on my server.

So confused,
Ken@rlmrlm.com

Guenter

2007-11-25, 1:12 am

Hi Ken,

Ken@rlmrlm.com (Kenneth Heinz) wrote in
news:8s%1j.719$k06.240@kovat.provo.novell.com:

> Ok, I am not running Apache 2.2, I am running Apache 2.0; does that
> matter?

yes:
http://www.gknw.net/phpbb/viewtopic.php?t=87

> Anyway, I copied the modules from the ZIP file to the modules directory
> and copied the httpd-authnzldap.conf to the extra directory I made and
> placed the include line into my http.conf file.

delete them. Either take complete Apache 2.2.x as other Ken did (and keep
it separate from your existing 2.0 installation = run parallel), or use
your existing 2.0.x, but there the ldap auth is a bit different;
since downloads are not an issue these days I suggest you fetch my
2.0.x+mods archive which also contains such a conf file for authldap; take
a look here:
http://www.gknw.net/phpbb/viewforum.php?f=2

> I modified the httpd-authnzldap.conf, but now how do I configure my
> virtual host section? I know it is loading the other conf file because
> I placed my virtual host section in it trying to get a protected page.
>
> Depending on how I try to configure the virtual host I either get the
> unprotected web page or I get Novell open office page on my server.

remove this all, and start over again with the proper conf for 2.0.x unless
you take the whole Apache 2.2.x and use that for what you need.

> So confused,

I'd suggest that you do things one by one;
means first check that the authentication works for a testdir, then apply
to a vh section; anyway do you really need a vh?

Günter.

Kenneth Heinz

2007-12-04, 1:11 pm

Guenter wrote:

> Hi Ken,


> Ken@rlmrlm.com (Kenneth Heinz) wrote in
> news:8s%1j.719$k06.240@kovat.provo.novell.com:


> yes:
> http://www.gknw.net/phpbb/viewtopic.php?t=87


> delete them. Either take complete Apache 2.2.x as other Ken did (and keep
> it separate from your existing 2.0 installation = run parallel), or use
> your existing 2.0.x, but there the ldap auth is a bit different;
> since downloads are not an issue these days I suggest you fetch my
> 2.0.x+mods archive which also contains such a conf file for authldap; take
> a look here:
> http://www.gknw.net/phpbb/viewforum.php?f=2


> remove this all, and start over again with the proper conf for 2.0.x unless
> you take the whole Apache 2.2.x and use that for what you need.


> I'd suggest that you do things one by one;
> means first check that the authentication works for a testdir, then apply
> to a vh section; anyway do you really need a vh?


> Günter.


Not that I have gotten it going or anything, but I just wanted to make
sure that this will allow for a secure login through port 80.

I didn't want to pull all my hair out and find out it was looking on HTTPS
or something like that.

Just wondering,
Ken@rlmrlm.com




Guenter

2007-12-04, 1:11 pm

Hi Ken,
ken@rlmrlm.com (Kenneth Heinz) wrote in
news:BLd5j.4626$k06.1100@kovat.provo.novell.com:
> Not that I have gotten it going or anything, but I just wanted to make
> sure that this will allow for a secure login through port 80.

well, since the thread is now somewhat older, and I'm just too lazy to re-read it
all - can you please explain exactly what you want to get?
Do you want to secure the whole webserver at port 80 with the NDS password?

> I didn't want to pull all my hair out and find out it was looking on
> HTTPS or something like that.

It is absolutely recommended to use https; otherwise if you protect your site
at port 80 with the NDS password this password will go in clear text over the
wire, and everybody who's able to start f.e. wireshark / ethereal can capture
/ view the passwords. This is a HUGE security hole!

greets, Günter.
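A worked configuration, added here and not from any poster in the thread, that puts Richard's http-to-https redirect and Günter's warning together with the mod_authnz_ldap setup Ken Etter describes for the Apache 2.2 build (the 2.0.x directive set differs, as Günter notes). Hostnames, volume paths, the eDirectory contexts, the proxy bind account and the certificate files are placeholders; it assumes the rewrite, ssl, ldap and authnz_ldap modules are already loaded by the main httpd.conf or the included httpd-authnzldap.conf.

```apache
# Port 80 serves nothing: every request is bounced to HTTPS so the
# Basic-auth header (base64, not encryption) never crosses the wire in clear.
<VirtualHost 10.0.0.5:80>
    ServerName updates.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://updates.example.com/$1 [R=301,L]
</VirtualHost>

# Port 443: TLS on the client side, then Basic auth checked against eDirectory.
<VirtualHost 10.0.0.5:443>
    ServerName updates.example.com
    DocumentRoot "SYS:/apache2/htdocs/sophos"
    SSLEngine On
    SSLCertificateFile    "SYS:/apache2/conf/ssl/server.crt"
    SSLCertificateKeyFile "SYS:/apache2/conf/ssl/server.key"

    # Keep this block AFTER any older <Directory> for the same path; a later
    # block with no Auth* directives would otherwise silently leave it open.
    <Directory "SYS:/apache2/htdocs/sophos">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all

        AuthType Basic
        AuthName "Sophos updates"
        AuthBasicProvider ldap
        # Users' context goes in the URL; the server object's own context
        # does not matter. ldaps:// keeps the Apache-to-eDirectory bind off
        # the clear as well (needs LDAPTrustedGlobalCert in the server config).
        AuthLDAPURL "ldaps://ldap.example.com:636/ou=users,o=example?cn?sub?(objectClass=person)"
        # Only needed if eDirectory refuses anonymous searches; the password
        # sits in clear text here, so restrict read rights on this conf file.
        AuthLDAPBindDN "cn=apacheproxy,ou=services,o=example"
        AuthLDAPBindPassword "REPLACE_ME"
        AuthzLDAPAuthoritative On
        Require valid-user
    </Directory>
</VirtualHost>
```

Test it on a plain directory first, as Günter suggests: an unauthenticated request to the https URL should come back 401 and appear in the error log as an LDAP auth failure, not fall through to the page.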

Kenneth Heinz

2007-12-04, 7:11 pm

Guenter wrote:
> Do you want to secure the whole webserver at port 80 with the NDS password?


> It is absolutely recommended to use https; otherwise if you protect your
> site at port 80 with the NDS password this password will go in clear text over
> the wire, and everybody who's able to start f.e. wireshark / ethereal can
> capture / view the passwords. This is a HUGE security hole!


> greets, Günter.


No, actually it was only the one virtual site, but now that you mentioned
that it could be a huge security risk, I am going to rethink this. I am
going to check with Sophos Anti-virus and see if HTTPS is still a problem
for remote updating. I have enough problems, let alone handing out user
names and passwords to people who have nothing better to do than hack
servers. If anything I am going to set up a generic web login and change
it if someone quits or is terminated.

Thanks,
Ken@rlmrlm.com

