User Tools

Site Tools


ldap_integration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Last revisionBoth sides next revision
ldap_integration [2009/10/21 06:59] 172.26.0.166ldap_integration [2010/10/05 19:26] aorth
Line 2: Line 2:
  
 ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's proprietary version of LDAP with a little extra special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication. ILRI uses an Active Directory server for user authentication, which is primarily used for Exchange e-mail services.  Active Directory is Microsoft's proprietary version of LDAP with a little extra special sauce.  Currently users have an Active Directory username and password for their Windows-centric single sign on and e-mail, and then they have a separate account for use with the HPC.  There exists functionality in Linux to look at Active Directory for user authentication.
 +
 +===== Implementation =====
 +
 +Active Directory integration will work if we use Likewise-Open.  It has been tested in a virtual server environment, but requires a few network changes to work on the HPC:
 +  * HPC must have the correct time (AD authenticates via Kerberos, which is heavily sensitive to time)
 +  * HPC must be able to access AD on several TCP ports (kerberos, LDAP, etc)
  
 ===== Notes ===== ===== Notes =====
 +===== Apache Authentication =====
 +It's possible to use Basic authentication via Active Directory in web applications.
 +
 +Make sure Apache has ''mod_perl'' installed and working first:
 +<code># apt-get install libapache2-mod-perl2 libapache2-mod-perl2-dev
 +# a2enmod perl
 +# apache2ctl graceful</code>
 +
 +Install the required perl dependencies for Apache and LDAP:
 +<code># apt-get install libauthen-simple-ldap-perl</code>
 +
 +Install the required AD Auth package and any dependencies it has using CPAN:
 +<code>$ sudo cpan
 +> install Apache2::AuthenMSAD</code>
 +
 +Then add a stanza such as this to your Apache config:
 +<file>
 +   AuthName "Microsoft Active Directory Authentication"
 +   AuthType Basic
 +
 +   PerlAuthenHandler Apache2::AuthenMSAD
 +   PerlSetVar MSADDomain ilri.cgiarad.org
 +   PerlSetVar MSADServer 172.26.0.218
 +
 +   #require valid-user
 +   require user aorth akihara jmagochi</file>
 +
 +That stanza can go in a VirtualHost, a Directory, a Location, etc... restart Apache and you're golden. 
  
 ==== Likewise-Open ==== ==== Likewise-Open ====
 +Open source standalone implementation of Samba, OpenLDAP, Kerberos, etc for Active Directory integration: http://www.likewise.com/
  
   * open ports in Firewall (Active Directory, NTP, Kerberos)   * open ports in Firewall (Active Directory, NTP, Kerberos)
ldap_integration.txt · Last modified: 2012/02/06 08:43 by aorth