Thursday, May 12, 2011

Apache httpd + ActiveDirectory Authentication

Autenticar um Apache contra um ou mais domínios ActiveDirectory (ldap plain):

  1. Mod-Auth External (módulo para usar autenticadores custom no apache): http://code.google.com/p/mod-auth-external/

  2. Configurar o módulo:

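    # External LDAP Auth: delegate Basic-auth credential checks to an
    # external program through mod_authnz_external.
    LoadModule authnz_external_module modules/mod_authnz_external.so
    # "environment" hands USER/PASS to the helper in its environment; the
    # module also supports "pipe" (credentials on stdin), which keeps them
    # out of the helper's process environment.
    DefineExternalAuth ldapAuth environment /usr/local/bin/ldapAuthenticator
    <Location ...>
    # Basic auth only base64-encodes the credentials: serve this location
    # over TLS.
    AuthType Basic
    AuthName "Special Realm"
    AuthBasicProvider external
    AuthExternal ldapAuth
    Require valid-user
    # The original snippet closed the section with a second <Location ...>
    # opening tag, which is a syntax error.
    </Location>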


  3. Criar um script baseado em ldapsearch + dig para validar a autenticação
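#!/bin/bash
#
# ldapAuthenticator - authenticator for mod_authnz_external (method
# "environment"): Apache passes the submitted credentials in the USER and
# PASS environment variables and treats exit status 0 as "authenticated".
#
# The user is validated by attempting an LDAP simple bind as DOMAIN\USER
# against a domain controller of each configured domain. Domain
# controllers are discovered from the _ldap._tcp.dc._msdcs.<domain> SRV
# record, so no server list has to be maintained here.
#
# Requires bash (not plain sh): the script uses [[ ]] and bash parameter
# expansion, so the original #!/bin/sh shebang was wrong.
set -u

LDAPSEARCHCMD=/usr/bin/ldapsearch
DIGCMD=/usr/bin/dig
# Space-separated AD domains to try, in order; the first successful bind wins.
DOMAINS="domain1.parentdomain.com domain2"

#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# user name containing '(' ')' '*' or '\' cannot break the filter syntax.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
ldap_filter_escape() {
  local v=$1 bs='\'
  v=${v//"$bs"/"$bs"5c}   # backslash first, so the escapes below are not re-escaped
  v=${v//"*"/"$bs"2a}
  v=${v//"("/"$bs"28}
  v=${v//")"/"$bs"29}
  printf '%s' "$v"
}

USERNAME=${USER:-}
PASSWORD=${PASS:-}
if [[ -z "$USERNAME" || -z "$PASSWORD" ]]; then
  exit 1
fi

# The password is handed to ldapsearch through a file (-y) so it never
# appears on the command line. Create the file private from the start
# (umask + mktemp, no predictable /tmp name) instead of chmod-ing after the
# write, and remove it on every exit path, including an early exit.
umask 077
PASSFILE=$(mktemp) || exit 1
trap 'rm -f -- "$PASSFILE"' EXIT
# printf, not "echo -n": -n is not portable under every sh, and a password
# beginning with '-' would be parsed as an echo option.
printf '%s' "$PASSWORD" > "$PASSFILE" || exit 1

FILTER="(sAMAccountName=$(ldap_filter_escape "$USERNAME"))"

# Word-splitting on $DOMAINS is intended.
for DOMAIN in $DOMAINS; do
  # dig +short prints one "prio weight port target." line per SRV record;
  # the target host is field 4. An empty answer simply leaves nothing to try.
  SERVERS=$("$DIGCMD" -t srv "_ldap._tcp.dc._msdcs.$DOMAIN." +short | awk '{print $4}')
  # NetBIOS-style name for the DOMAIN\user bind: everything before the first
  # dot. (The original used a quoted [[ =~ ]] pattern, which bash treats as
  # a literal string, so BASH_REMATCH[1] was empty and the domain was lost.)
  NTDOMAIN=${DOMAIN%%.*}
  # Word-splitting on $SERVERS (one host per line) is intended.
  for SERVER in $SERVERS; do
    # NOTE: plain LDAP - the simple bind sends the password in clear and the
    # server resolved through DNS is not authenticated. Prefer -ZZ (STARTTLS)
    # or an ldaps:// URI with CA verification where the DCs support it.
    "$LDAPSEARCHCMD" -x -LLL -h "$SERVER" -D "$NTDOMAIN\\$USERNAME" -y "$PASSFILE" \
      -s sub "$FILTER" sAMAccountName
    RES=$?
    # 0: bind and search succeeded. 10 (LDAP_REFERRAL): the bind succeeded
    # but the search was referred elsewhere; kept as "authenticated", as in
    # the original script. Anything else (e.g. 49 = invalid credentials, or
    # a connection failure) moves on to the next server.
    if [[ $RES -eq 0 || $RES -eq 10 ]]; then
      exit 0
    fi
  done
done
exit 1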