Wednesday, February 1, 2012

Using Active Directory users from Apache with NTLM authentication


This is how to build mod_auth_ntlm_winbind into Apache and authenticate Active Directory users with NTLM. Compared with Basic auth the password itself never crosses the wire (only an NTLM challenge/response does), but NTLM over plain HTTP is still exposed to credential relay and to offline cracking of captured responses, so serve it over HTTPS anywhere outside a lab. Users and passwords are managed centrally in AD, which keeps operations simple.
・Active Directory server OS: Windows Server 2008 R2
 → FQDN is win2k8r2-ad01.kuitan.net

・Linux server OS: CentOS 6.2 (64-bit)
 → Apache version: 2.2.15
 → Samba version: 3.5.10
 ※ samba-winbind and httpd-devel are also required; install them beforehand. The Linux host must already be joined to the domain with winbindd running; that part of the setup is not covered in this post.


■Obtaining mod_auth_ntlm_winbind
[root@centos62 ダウンロード]# svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
A    mod_auth_ntlm_winbind/contrib
A    mod_auth_ntlm_winbind/contrib/mod_auth_ntlm_winbind-20060510-connect_http10.patch
A    mod_auth_ntlm_winbind/Makefile.in
A    mod_auth_ntlm_winbind/debian
A    mod_auth_ntlm_winbind/debian/control
A    mod_auth_ntlm_winbind/debian/auth_ntlm_winbind.load
A    mod_auth_ntlm_winbind/debian/compat
A    mod_auth_ntlm_winbind/debian/changelog
A    mod_auth_ntlm_winbind/debian/copyright
A    mod_auth_ntlm_winbind/debian/rules
A    mod_auth_ntlm_winbind/500mod_auth_ntlm_winbind.info
A    mod_auth_ntlm_winbind/AUTHORS
A    mod_auth_ntlm_winbind/VERSION
A    mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c
A    mod_auth_ntlm_winbind/configure.in
A    mod_auth_ntlm_winbind/README
 U   mod_auth_ntlm_winbind
Checked out revision 801.
[root@centos62 ダウンロード]#


■Installing mod_auth_ntlm_winbind (finishes in under a minute)
[root@centos62 ダウンロード]# cd mod_auth_ntlm_winbind/
[root@centos62 mod_auth_ntlm_winbind]# autoconf
[root@centos62 mod_auth_ntlm_winbind]# ./configure --with-apxs=/usr/sbin/apxs --with-apache=/usr/sbin/httpd
checking for gcc... gcc
checking for C compiler default output file name... a.out
(remainder omitted)

[root@centos62 mod_auth_ntlm_winbind]# make
/usr/sbin/apxs -DAPACHE2 -Wc,-Wall -c mod_auth_ntlm_winbind.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wformat-security -fno-strict-aliasing  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd  -I/usr/include/apr-1   -I/usr/include/apr-1  -Wall -DAPACHE2  -c -o mod_auth_ntlm_winbind.lo mod_auth_ntlm_winbind.c && touch mod_auth_ntlm_winbind.slo
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_auth_ntlm_winbind.la  -rpath /usr/lib64/httpd/modules -module -avoid-version    mod_auth_ntlm_winbind.lo
[root@centos62 mod_auth_ntlm_winbind]#

[root@centos62 mod_auth_ntlm_winbind]# make install
/usr/sbin/apxs -DAPACHE2 -S LIBEXECDIR=//usr/lib64/httpd/modules -n auth_ntlm_winbind -i .libs/mod_auth_ntlm_winbind.so
/usr/lib64/httpd/build/instdso.sh SH_LIBTOOL='/usr/lib64/apr-1/build/libtool' .libs/mod_auth_ntlm_winbind.so //usr/lib64/httpd/modules
/usr/lib64/apr-1/build/libtool --mode=install cp .libs/mod_auth_ntlm_winbind.so //usr/lib64/httpd/modules/
libtool: install: cp .libs/mod_auth_ntlm_winbind.so //usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
Warning!  dlname not found in //usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so.
Assuming installing a .so rather than a libtool archive.
chmod 755 //usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
[root@centos62 mod_auth_ntlm_winbind]#


■Preparing a page to confirm it works
[root@centos62 ~]# mkdir /var/www/html/ntlm
[root@centos62 ~]# vi /var/www/html/ntlm/index.html
[root@centos62 ~]# cat /var/www/html/ntlm/index.html
<html lang="ja">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#99ffdd">
NTLM認証に成功しました。<br />
</body>
</html>
[root@centos62 ~]#


■Configuring httpd.conf
[root@centos62 ~]# cd /etc/httpd/conf/
[root@centos62 conf]# cp -p httpd.conf httpd.conf.20100528
[root@centos62 ~]# vi /etc/httpd/conf/httpd.conf
------------------------------------------------
Around line 76 (Off → On). NTLM authenticates the TCP connection rather than each request, so keep-alive is mandatory: with it Off the connection is closed between the handshake messages and every request ends in a fresh 401.
KeepAlive On

Around line 202 (add)
LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so

Append at the end of the file
# for NTLM settings
Alias /ntlm/ "/var/www/html/ntlm/"
<Directory "/var/www/html/ntlm/">
  NTLMAuth on
  AuthType NTLM
  AuthName "NTLM Authentication"
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  require valid-user
</Directory>
------------------------------------------------


■Give the user Apache (mod_auth_ntlm_winbind) runs as access to the winbindd_privileged directory
The ntlm_auth helper talks to winbindd through the privileged pipe in this directory, which by default is reachable only by root. Changing the group owner to apache is enough; do not loosen the mode to make it world-accessible.
[root@centos62 ~]# chgrp apache /var/lib/samba/winbindd_privileged


■Starting Apache
[root@centos62 ~]# /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]


■Access from a browser
http://192.168.xxx.143/ntlm/
If the page reading "NTLM認証に成功しました。" (NTLM authentication succeeded) appears, it worked!!

※ Incidentally, if smb.conf or similar is misconfigured you are promptly greeted with a 401. Before suspecting Apache, confirm winbind itself works: wbinfo -t must report that the trust secret is OK, and ntlm_auth --username=USER --domain=DOMAIN (it prompts for the password) must return NT_STATUS_OK. The helper's own error messages end up in Apache's error_log.

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


Apache/2.2.15 (CentOS) Server at 192.168.xxx.143 Port 80
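The post lists several things that each produce the same bare 401 when they are wrong: KeepAlive left Off, the module not loaded, the NTLM directives missing, a helper that cannot run, and the winbindd_privileged directory not accessible to the Apache group. The following preflight script checks all of them before httpd is restarted. It is an added example, not code from the original post or from the mod_auth_ntlm_winbind project; the function names, the argument layout, the default paths and the assumption that httpd runs as group "apache" are mine, and the live check at the end simply uses curl's own NTLM support.

```shell
#!/bin/sh
# Preflight checks for an Apache + mod_auth_ntlm_winbind setup.
# Added example for this post, not code from the original article or from
# the mod_auth_ntlm_winbind project. Paths and the group name are passed as
# arguments; the defaults below are assumptions matching a CentOS 6 layout.

# NTLM authenticates the TCP connection, not each request, so KeepAlive
# must be On or every request after the handshake gets a fresh 401.
check_keepalive() {
    grep -Eiq '^[[:space:]]*KeepAlive[[:space:]]+On[[:space:]]*$' "$1"
}

# Without the LoadModule line, NTLMAuth/AuthType NTLM are unknown
# directives and httpd refuses to start with "Invalid command".
check_module_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+auth_ntlm_winbind_module[[:space:]]' "$1"
}

# The protected <Directory> needs both NTLMAuth on and AuthType NTLM.
check_ntlm_directives() {
    grep -Eiq '^[[:space:]]*NTLMAuth[[:space:]]+on' "$1" &&
        grep -Eiq '^[[:space:]]*AuthType[[:space:]]+NTLM' "$1"
}

# The program named in NTLMAuthHelper must exist and be executable;
# a missing helper shows up as a 401 plus an error_log entry.
check_helper() {
    helper=$(sed -n 's/^[[:space:]]*NTLMAuthHelper[[:space:]]*"\{0,1\}\([^" ]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$helper" ] && [ -x "$helper" ]
}

# ntlm_auth reaches winbindd through the privileged pipe directory, which
# must be group-owned by the group httpd runs as and group-searchable (g+x).
check_privileged_dir() {
    dir=$1
    want=${2:-apache}
    [ -d "$dir" ] || return 1
    find "$dir" -prune -group "$want" -perm -g+x -print 2>/dev/null | grep -q .
}

# Run every check, print one status line each, return the number of failures.
preflight() {
    conf=$1
    privdir=${2:-/var/lib/samba/winbindd_privileged}
    grp=${3:-apache}
    failed=0
    for chk in check_keepalive check_module_loaded check_ntlm_directives check_helper; do
        if "$chk" "$conf"; then
            echo "ok   $chk"
        else
            echo "FAIL $chk"
            failed=$((failed + 1))
        fi
    done
    if check_privileged_dir "$privdir" "$grp"; then
        echo "ok   check_privileged_dir"
    else
        echo "FAIL check_privileged_dir ($privdir must be group $grp with g+x)"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Optional end-to-end check once httpd is running: curl performs the NTLM
# handshake itself and prints the final HTTP status (expect 200).
live_check() {
    url=$1
    user=$2   # e.g. 'KUITAN\someuser'; curl prompts for the password
    curl -sS --ntlm -u "$user" -o /dev/null -w '%{http_code}\n' "$url"
}

# Usage: sh ntlm_preflight.sh /etc/httpd/conf/httpd.conf [privileged_dir] [group]
if [ "$#" -ge 1 ]; then
    preflight "$@"
fi
```

Run it as root on the web server after editing httpd.conf and before restarting httpd; a non-zero exit status is the number of failed checks. Once httpd is up, live_check "http://192.168.xxx.143/ntlm/" 'KUITAN\user' should print 200, and a 401 there with all preflight checks passing points at the domain side (smb.conf, the machine account, or winbindd itself).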
