====== Apache setup for Simple Sign On ======

Different AD domains are merged into one domain. All users, projects and customers are merged from the cloud.example.com Active Directory.

===== Environment =====

The merged organizational units are located under the DN (Distinguished Name) ''%%ou=Cloud,dc=example,dc=com%%'', but the intranet users are located under the DN ''%%ou=Users,ou=Accounts,dc=example,dc=com%%''. To prevent the Apache LDAP module from searching the whole AD, two LDAP URLs must be defined. The configuration is shown in the next picture:

{{:images:two-ldapurl-config.png?direct&600|LDAP urls}}

The trick is to configure two ''%%AuthnProviderAlias%%'' directives. Each one is configured to authenticate against a defined Distinguished Name (DN); see the picture above.

===== Apache 2.4 setup =====

File ''%%/etc/apache2/custom.d/authint_ap.conf%%'':

<code>
AuthType Basic
AuthName "Subversion"
AuthLDAPRemoteUserIsDN off
AuthLDAPGroupAttributeIsDN on
AuthLDAPDereferenceAliases always
AuthBasicProvider ad-accounts ad-cloud
Require valid-user
</code>

File ''%%/etc/apache2/conf.d/authn_aliases.conf%%'':

<code>
<AuthnProviderAlias ldap ad-accounts>
    AuthLDAPUrl "ldaps://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ad-cloud>
    AuthLDAPURL "ldaps://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>
</code>

===== Apache 2.2 setup =====

The only difference from the Apache 2.4 setup is that SSL does not work because of the modified LDAP module (for OTP authentication in Trivadis). Everything else is identical!

File ''%%/etc/apache2/custom.d/authint_ap.conf%%'':

<code>
AuthType Basic
AuthName "Subversion"
AuthLDAPRemoteUserIsDN off
AuthLDAPGroupAttributeIsDN on
AuthLDAPDereferenceAliases always
AuthBasicProvider ad-accounts ad-cloud
Require valid-user
</code>

File ''%%/etc/apache2/conf.d/authn_aliases.conf%%'':

<code>
<AuthnProviderAlias ldap ad-accounts>
    AuthLDAPUrl "ldap://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ad-cloud>
    AuthLDAPURL "ldap://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>
</code>

apache_ldap_multidomain.txt · Last modified: 2024/11/30 09:49 by 127.0.0.1
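As an added check that is not part of this page's configuration: the script below parses the ''%%AuthnProviderAlias%%'' blocks of an ''%%authn_aliases.conf%%'', splits each ''%%AuthLDAPUrl%%'' into scheme, host, port, base DN, attribute, scope and filter (filling in mod_authnz_ldap's documented defaults), and flags the settings this page touches on: a cleartext ''%%ldap://%%'' scheme, an ''%%ldap://%%'' URL aimed at port 636 as in the Apache 2.2 variant, and a base DN without an OU, which makes every login search the whole directory. The sample configuration is constructed from the two aliases above.

```python
import re
# Constructed sample modelled on the page: alias ad-accounts keeps the Apache 2.2 form
# (ldap:// on port 636), alias ad-cloud uses ldaps:// as in the Apache 2.4 setup.
SAMPLE_CONF = """
<AuthnProviderAlias ldap ad-accounts>
    AuthLDAPUrl "ldap://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ad-cloud>
    AuthLDAPURL "ldaps://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>
"""

ALIAS_RE = re.compile(r"<AuthnProviderAlias\s+ldap\s+(\S+)>(.*?)</AuthnProviderAlias>", re.S | re.I)
URL_RE = re.compile(r'^\s*AuthLDAPUrl\s+"([^"]+)"', re.M | re.I)  # Apache directive names are case-insensitive

def parse_ldap_url(url):
    """Split an AuthLDAPUrl (scheme://host:port/basedn?attr?scope?filter) into its parts,
    filling in mod_authnz_ldap's defaults for the optional fields."""
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower()
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    basedn, *opts = tail.split("?")
    opts += [""] * (3 - len(opts))
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else (636 if scheme == "ldaps" else 389),
            "basedn": basedn, "attribute": opts[0] or "uid",
            "scope": opts[1] or "sub", "filter": opts[2] or "(objectclass=*)"}

def audit(conf):
    """Return {alias: [findings]} for every ldap AuthnProviderAlias block in conf."""
    report = {}
    for alias, body in ALIAS_RE.findall(conf):
        m = URL_RE.search(body)
        if not m:
            report[alias] = ["no AuthLDAPUrl directive"]
            continue
        u, findings = parse_ldap_url(m.group(1)), []
        if u["scheme"] != "ldaps":
            findings.append("cleartext ldap://: bind and user passwords cross the network unencrypted")
        if u["scheme"] == "ldap" and u["port"] == 636:
            findings.append("ldap:// on port 636: plain LDAP to the LDAPS port will not connect")
        if not re.search(r"(^|,)\s*ou=", u["basedn"], re.I):
            findings.append("base DN has no OU: each login searches the whole directory")
        report[alias] = findings
    return report
```

Running ''%%audit(SAMPLE_CONF)%%'' reports two findings for ''%%ad-accounts%%'' (cleartext scheme, scheme/port mismatch) and none for ''%%ad-cloud%%''.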