Apache authentication from multiple domains in AD with mod_authn_alias

apache-2.2, mod-auth-ldap, mod-authn-alias

I'm running Apache 2 and I need to authenticate users from multiple AD domains in one <Location/>. I tried using mod_authn_alias.

OS: Debian GNU/Linux Squeeze with latest updates
Apache/2.2.16

Modules

/etc/apache2/apache.conf:

<AuthnProviderAlias ldap first-ldap>
    AuthLDAPURL "ldap://win2003server:389/DC=first,DC=domain?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "cn=user1,cn=Users,dc=first,dc=domain"
    AuthLDAPBindPassword "user1"
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthLDAPURL "ldap://win2008server:3268/DC=second,DC=domain?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "cn=user2,cn=Users,dc=second,dc=domain"
    AuthLDAPBindPassword "user2"
</AuthnProviderAlias>

/etc/apache2/sites-enabled/000default:

<Location /test>

    Order allow,deny
    Allow from all

    Authtype Basic
    AuthBasicProvider first-ldap second-ldap
    AuthName "TEST"
    AuthzLDAPAuthoritative off
    require valid-user

</Location>

With this configuration it authenticates users from the first domain, and for users from the second domain it gives an error:

 [Fri Sep 16 20:54:39 2011] [info] [client 10.0.0.62] [25672] auth_ldap authenticate: user2 user2 authentication failed; URI /test/ [ldap_simple_bind_s() to check user2 credentials failed][Invalid credentials]

When I leave only AuthBasicProvider second-ldap, users from the second domain can authenticate successfully, so the second domain's LDAP is OK.

Does anyone know a solution to force mod_authn_alias to work?

Best Answer

I don't know how to make Apache do what you want. However, you can set up OpenLDAP as a proxy in front of multiple AD instances using either the ldap or meta backends, and this will get you effectively the same behavior. You point Apache at your OpenLDAP proxy, and then OpenLDAP talks to your AD servers.

Here is my write-up on using the meta backend. This is more of a starting point than an actual solution.

I'm actually using OpenLDAP as a proxy right now to authenticate against three separate directories -- one AD domain, one remote LDAP server, and a local LDAP directory.
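A sketch of the proxy the answer describes, added here as an illustration and not taken from the answerer's write-up: a slapd.conf meta database that presents both AD domains under one suffix, so Apache needs only a single LDAP provider. The proxy suffix dc=proxy,dc=local, the rootdn and its password, and a slapd built with dynamic backend modules are assumptions; the AD hosts and service accounts are the ones from the question.

```conf
# slapd.conf fragment (added illustration; assumed suffix, rootdn and rootpw).
include         /etc/ldap/schema/core.schema
moduleload      back_ldap
moduleload      back_meta

database        meta
suffix          "dc=proxy,dc=local"
rootdn          "cn=proxyadmin,dc=proxy,dc=local"
rootpw          "CHANGE-ME"           # constructed placeholder

# Target 1: the 2003 domain is exposed as ou=first,dc=proxy,dc=local.
# suffixmassage rewrites DNs in both directions, so the DN Apache gets back
# from a search is rewritten to the real AD DN when the user then binds.
uri             "ldap://win2003server:389/ou=first,dc=proxy,dc=local"
suffixmassage   "ou=first,dc=proxy,dc=local" "dc=first,dc=domain"
# AD refuses anonymous searches, so each target carries its own service
# bind; slapd uses it when the client is the proxy rootdn (Apache's bind DN).
idassert-bind   bindmethod=simple
                binddn="cn=user1,cn=Users,dc=first,dc=domain"
                credentials="user1"
                mode=none

# Target 2: the 2008 domain (global catalog port) as ou=second,dc=proxy,dc=local.
uri             "ldap://win2008server:3268/ou=second,dc=proxy,dc=local"
suffixmassage   "ou=second,dc=proxy,dc=local" "dc=second,dc=domain"
idassert-bind   bindmethod=simple
                binddn="cn=user2,cn=Users,dc=second,dc=domain"
                credentials="user2"
                mode=none
```

Apache then gets one provider: AuthLDAPURL "ldap://ldapproxy:389/dc=proxy,dc=local?sAMAccountName?sub?(objectClass=*)" NONE with AuthLDAPBindDN set to the proxy rootdn, so the sAMAccountName search fans out to both domains and the user's own bind is forwarded to whichever domain returned the entry. Keep the service-account credentials in slapd.conf readable only by the slapd user, since the file now holds binds for every domain behind the proxy.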