Category Archives: active-directory

SSO access to PHP server with AD authentication

On RH 5.3 with Apache/2.2.15 and mod_auth_kerb loaded, against Active Directory 2008, we want to control access to a URL for an authenticated user who is a member of an AD group, without prompting for a user/password.

Currently we can control the access, but with a user/password prompt; we don't see which parameter must be changed to get rid of the prompt.

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL

#default_tkt_enctypes = RC4-HMAC,DES-CBC-CRC,DES3-CBC-SHA1,DES-CBC-MD5
#default_tgs_enctypes = RC4-HMAC,DES-CBC-CRC,DES3-CBC-SHA1,DES-CBC-MD5
#dns_lookup_realm = false
#dns_lookup_kdc = false
#ticket_lifetime = 24h
#forwardable = true
#   default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
#   default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
#   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


[realms]
# Realm names are case-sensitive: this stanza must be keyed DOMAIN.LOCAL to match
# default_realm, KrbAuthRealms in httpd.conf and the principals in the keytab;
# a lowercase key is never consulted and the library falls back to DNS lookups.
DOMAIN.LOCAL = {
  kdc = MyServer.domain.local
  admin_server = MyServer.domain.local
  default_domain = domain.local
}

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

/etc/httpd/conf/httpd.conf

<Directory /var/www/html/test_CTI/>
    # No host is allowed, so with "Satisfy any" every request has to pass
    # authentication and the group check below.
    Order deny,allow
    Deny from all

    # Basic authentication against LDAP: Apache answers with
    # "WWW-Authenticate: Basic", which is exactly what makes the browser
    # show the user/password prompt.
    AuthType basic
    AuthBasicProvider ldap

    AuthzLDAPAuthoritative off
    AuthLDAPUrl "ldap://MyServer.domain.local:3268/OU=myOU,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"

    AuthLDAPBindDN "cn=KerbPHPEXP,OU=MyOU,DC=domain,DC=local"

    AuthLDAPBindPassword "PWD!"

    Require ldap-group cn=G151401-DSUP,OU=myOU,DC=domain,DC=local

    # mod_auth_kerb only handles a request when AuthType is Kerberos; with
    # AuthType basic the Krb* directives below are parsed but never used.
    #  AuthType kerberos
    AuthName "Authentification DSUP test "
    Krb5Keytab /etc/httpd/conf/kerb5.ktab
    KrbAuthRealms DOMAIN.LOCAL
    KrbMethodNegotiate on
    KrbServiceName Any
    # Permits a Basic fallback in which the user's AD password is sent to
    # Apache and verified against the KDC.
    KrbMethodK5Passwd on
    Satisfy any
</Directory>

Get windows username using php

I am trying to create an intranet for my company. The intranet will be PHP - MSSQL driven (Apache 2.4, MySQL 5.5, PHP 5.4, CENTOS 7). Does anyone know how I can get the username they used to log on to Windows (Network, Active Directory) in my PHP scripts on the intranet? I'd like to get the Windows username of the user who is opening the intranet page, just to load some information from the Windows user profile (i.e. Name, Surname, Email, etc.). Thank you!

I'm sorry for RiggsFolly but this is not a duplicate question :-)
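The variant of the first post's <Directory> block that answers with a Negotiate (SPNEGO) challenge instead of a Basic prompt, added here as an example; it is not taken from either post. It keeps the keytab path, bind account, LDAP URL and group DN from the first post and assumes the keytab holds an HTTP/<hostname> principal for the name the browser uses. Because Apache then exports the authenticated name in REMOTE_USER, it also answers the PHP question: $_SERVER['REMOTE_USER'] is the Windows account name.

```apache
# Added example: Kerberos SSO with LDAP group authorization on Apache 2.2 with
# mod_auth_kerb and mod_authnz_ldap. Paths, DNs and host names follow the
# first post; the HTTP/<hostname> service principal in the keytab is assumed.
<Directory /var/www/html/test_CTI/>
    # Kerberos (SPNEGO) instead of Basic: the browser presents a service
    # ticket obtained from its Windows logon and is never asked for a password.
    AuthType Kerberos
    AuthName "DSUP test"
    KrbAuthRealms DOMAIN.LOCAL
    Krb5Keytab /etc/httpd/conf/kerb5.ktab
    # "Any" accepts whichever principals the keytab contains; it must include
    # HTTP/<host in the URL>@DOMAIN.LOCAL for the ticket to decrypt.
    KrbServiceName Any
    KrbMethodNegotiate on
    # No Basic fallback: the AD password never reaches the web server. A client
    # without a ticket gets a plain 401 instead of a password prompt.
    KrbMethodK5Passwd off
    # Strip the realm so REMOTE_USER is "jdoe" rather than "jdoe@DOMAIN.LOCAL",
    # which is what the sAMAccountName search below (and PHP) expects.
    # Requires mod_auth_kerb 5.4 or later.
    KrbLocalUserMapping on
    KrbSaveCredentials off

    # Authorization only: mod_authnz_ldap resolves REMOTE_USER to a DN through
    # sAMAccountName and checks the group's member attribute. The bind account
    # needs read access only; keep this file out of world-readable locations.
    AuthLDAPUrl "ldap://MyServer.domain.local:3268/OU=myOU,DC=domain,DC=local?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=KerbPHPEXP,OU=MyOU,DC=domain,DC=local"
    AuthLDAPBindPassword "PWD!"
    AuthzLDAPAuthoritative on
    Require ldap-group cn=G151401-DSUP,OU=myOU,DC=domain,DC=local
</Directory>
```

Three things decide whether the prompt actually disappears. The browser only sends a ticket to sites it trusts for integrated authentication (Intranet zone in IE/Chrome, network.negotiate-auth.trusted-uris in Firefox), and it builds the service principal from the host name in the URL, so that name must be the one whose HTTP/ SPN is registered on the account behind the keytab. A machine that is not joined to the domain holds no TGT and will simply receive the 401; if such clients must still log in, re-enable KrbMethodK5Passwd only on an HTTPS vhost, because that path carries the AD password to the web server. With a mod_auth_kerb older than 5.4, drop KrbLocalUserMapping and search on userPrincipalName instead of sAMAccountName, since REMOTE_USER then carries the realm. On Apache 2.4 (the CentOS 7 and SLES 12 setups mentioned on this page) mod_auth_kerb is obsolete; mod_auth_gssapi provides the same flow with AuthType GSSAPI, GssapiCredStore keytab:/path, GssapiBasicAuth Off and GssapiLocalName On, and the Require ldap-group line is unchanged. On the PHP side, trust only $_SERVER['REMOTE_USER'], which Apache sets after authentication; request headers such as $_SERVER['HTTP_*'] are chosen by the client and must never be used as an identity.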

Cannot access LDAP root with Apache Directory LDAP API

I use the Apache Directory LDAP API (release 1.0.0-RC1) for managing LDAP servers. When I set the base DN to the root of the server, I get the following exception:

java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor.
at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:86)
at org.apache.directory.ldap.client.template.LdapConnectionTemplate.search(LdapConnectionTemplate.java:662)
at org.apache.directory.ldap.client.template.LdapConnectionTemplate.search(LdapConnectionTemplate.java:615)

For example, if I set the base DN to dc=mycompany,dc=com, the above exception occurs, but when I set the base DN to cn=users,dc=mycompany,dc=com, it works correctly.

I have another question: how can I access an LDAP server without any specific base DN? In other words, I want to get the LDAP server's complete structure without specifying any base DN and fetch all objects in every available DN on the server, using only the server IP and port. This works in some LDAP browsers such as Apache Directory Server or JXplorer.

Apache2 + Ubuntu + Mono: Issue with System.Web.ActiveDirectoryProvider


When my web application tries to use Active Directory Authentication I get the following: Web Page Error

When I look at the logs under /var/log/apache2/error.log I have this:

[Fri Jan 27 10:14:31.160499 2017] [mpm_event:notice] [pid 17187:tid 140082060339072] AH00491: caught SIGTERM, shutting down
mod-mono-server received a shutdown message
Invalid type System.Net.Http.Formatting.MediaTypeFormatter for instance field System.Net.Http.Formatting.MediaTypeFormatterMatch:<Formatter>k__BackingField
Invalid type System.Web.Http.Controllers.HttpActionContext for instance field System.Web.Http.Filters.HttpActionExecutedContext:_actionContext
Invalid type System.Web.Http.Controllers.HttpActionDescriptor for instance field System.Web.Http.Controllers.HttpParameterDescriptor:_actionDescriptor
Invalid type System.Web.Http.Controllers.HttpActionContext for instance field System.Web.Http.Validation.ModelValidatedEventArgs:<ActionContext>k__BackingField
Invalid type System.Web.Http.Controllers.HttpActionContext for instance field System.Web.Http.Validation.ModelValidatingEventArgs:<ActionContext>k__BackingField
[Fri Jan 27 10:14:33.263821 2017] [so:warn] [pid 17361] AH01574: module mono_module is already loaded, skipping
[Fri Jan 27 10:14:33.268918 2017] [:error] [pid 17366:tid 140510323828608] Failed running '/usr/bin/mod-mono-server2 --filename /tmp/mod_mono_server_global --nonstop --master (null) (null) (null) (null) (null) (null) (null) (null)'. Reason: No such file or directory
[Fri Jan 27 10:14:33.272467 2017] [:error] [pid 17370:tid 140510323828608] Failed running '/usr/bin/mod-mono-server2 --filename /tmp/mod_mono_server_global --nonstop --master (null) (null) (null) (null) (null) (null) (null) (null)'. Reason: No such file or directory
[Fri Jan 27 10:14:33.273501 2017] [:error] [pid 17362:tid 140510323828608] Not running mod-mono-server.exe because no MonoApplications, MonoApplicationsConfigFile or MonoApplicationConfigDir specified.
[Fri Jan 27 10:14:33.274003 2017] [mpm_event:notice] [pid 17362:tid 140510323828608] AH00489: Apache/2.4.18 (Ubuntu) mod_mono/3.12 configured -- resuming normal operations
[Fri Jan 27 10:14:33.274016 2017] [core:notice] [pid 17362:tid 140510323828608] AH00094: Command line: '/usr/sbin/apache2'
Listening on: /tmp/mod_mono_server_beta.medialabstage.com
Root directory: /var/www/beta.medialabstage.com/

Any idea what is going on? I have used different DLLs for system.web.dll from the .NET package and the Windows Mono package.

SLES 12: Pass Windows User Auth to website on Apache 2.4 (SSO)

I have configured a Windows Server 2012 R2 as domain controller and joined a Windows 7 as well as Windows 10 client to the domain.

Now, I have a website which requires basic authentication (username and password). I want to pass and use the same credentials as the authenticated, logged-in Windows user, which is a domain user.

The website is using the Drupal CMS and running on a SLES 12 x64 server with Apache 2.4. SSO is provided by a Kerberos server.

Well... How can I use the Windows-authenticated domain user on my Drupal website?

I only want to log in on the Windows computer using my domain user and, by visiting the website, get logged in automatically, without entering a username and password or pressing any button.

Multiple OUs in SVN LDAP Authentication

Basically I'm attempting to authenticate SVN via LDAP and have done so successfully with my example below:

# LDAP URL fields are base?attribute?scope?filter, so the scope goes in the
# third field and the filter in the fourth; sAMAccountName is assumed as the
# login attribute for AD.
AuthLDAPUrl "ldap://IP/OU=USERS,DC=domain,DC=domian,DC=domain?sAMAccountName?sub?(objectClass=organizationalPerson)" "NONE"

However, as well as the folder USERS in AD I also need to use the folder "ServiceAccounts", so I am wondering if something like the following would work:

AuthLDAPUrl "ldap://IP/OU=USERS,OU=ServiceAccounts,DC=domain,DC=domian,DC=domain?sAMAccountName?sub?(objectClass=organizationalPerson)" "NONE"

Thanks in advance

Andrew
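An LDAP URL carries exactly one base DN, and OU=USERS,OU=ServiceAccounts,DC=... names an OU called USERS nested inside ServiceAccounts, which is a different object from either of the two OUs. The usual way to span several OUs is to search from their common parent with scope sub, as in this added example (not the poster's configuration). dc1.example.com, DC=example,DC=com, the service account and the group are placeholders.

```apache
# Added example, not from the post: one AuthLDAPUrl covering OU=USERS and
# OU=ServiceAccounts by searching from the domain root. Host, DNs and the
# bind account are assumed placeholders.
<Location /svn>
    DAV svn
    SVNParentPath /var/svn

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap

    # Fields: base?attribute?scope?filter. Base = domain root with scope sub
    # reaches OU=USERS, OU=ServiceAccounts and any OU added later; the filter
    # restricts matches to user objects whose ACCOUNTDISABLE bit (0x2) is clear.
    # ldaps with SSL keeps the Basic password off the wire towards the DC.
    AuthLDAPUrl "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" SSL

    # Read-only account used only to locate the user's DN; the password the
    # client typed is then verified by binding as that DN.
    AuthLDAPBindDN "CN=svc-svn-ldap,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "replace-with-the-bind-password"

    # Grant by group membership rather than to every account in the domain.
    Require ldap-group CN=svn-users,OU=Groups,DC=example,DC=com
</Location>
```

AD has no filter that matches on an entry's position in the tree, so if access really must be limited to those two OUs the restriction belongs in the Require ldap-group line rather than in the search base. With the posted "NONE" mode and port 389 the user's password is bound to the domain controller in cleartext; the ldaps form above needs the DC's certificate trusted at server scope (LDAPTrustedGlobalCert) or verification disabled (LDAPVerifyServerCert Off), and only the former is acceptable for production.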

How to enforce Azure AD login through externally hosted site?

I've been googling this for hours and can't find a clear tutorial or anything.

I have an Azure account with active directories already enabled. I also have an InMotion hosting account that hosts numerous domains (each having their own respective cpanels).

How would I go about integrating Azure AD authentication on a domain that's being hosted by InMotion that only affects that domain and none of the others on that hosting account?

So, in theory, you would visit the domain, get hit with the Windows login auth page, and if login is successful, you are directed to the home page and can view the content.

Is this do-able through the .htaccess file? Or would I have to alter the actual Apache files? If so, how do I only make it applicable to only one domain?

Apply single sign-on for computers not joined to the domain

I have one Windows AD server and one Linux server which runs Apache and Subversion; I also have one Windows server that runs a .NET web application which uses Windows Authentication.

I have already worked out how to apply Kerberos or GSSAPI to authenticate Subversion users with AD credentials, and users on computers that are joined to the domain are not prompted for a user and password when they access the .NET web app and SVN.

But users whose computers are not joined to the domain are always prompted for a user and password, for both the web app and SVN, twice. I want to share the login credential between the two applications; how can I do that?

Thanks.