10.8: Doing web-site authentication against Active Directory and Open Directory


Slavin, Simon
Dear list,

I have a 10.8 server which runs various web sites.  This server is used only as FileSharing, Web and Wiki server, and all other services are turned off.

Our setup previously was that we were using only Open Directory (hosted on another 10.8 server) for authentication.  My web server had a setting for access which, if I recall correctly, said "Authenticated Users" and if I used that for a site, web pages on that site put up the expected banner and accepted anyone with an account in the Open Directory server.

We have now added Active Directory to the list, and the Directory Utility and binding of the web server computer have had an Active Directory host added to the Search Policy.  Network Account Server now shows up as 'Multiple'.  Server.app shows accounts from both servers.  Accounts from the AD server show up as expected in the directory editor.  I have ordered the servers with the AD server at the top, so it should be trying the AD server first, and only if it fails looking at the Open Directory server.

However, the Active Directory accounts do not seem to be accessed by whatever is checking for users who can access my web site.  It still seems to be checking only for accounts on the Open Directory server.  Even if I set 'Who Can Access' explicitly to just a group of users on the AD server (ignoring the OD server entirely) it still does not authenticate correctly for AD users, claiming

mod_digest_apple: Unable to authenticate for URI "/[whatever]" from user "[an AD account]" for realm "[private realm folder]"
mod_digest_apple: Authentication failed (details unavailable)

Does anyone have any idea what's wrong ?  Are the details available in some other log ?

I note that the log entry came from mod_digest_apple.  Should this still correctly handle AD accounts ?  I can't see anywhere to change what types of password it allows.

Access using accounts on the OD server does continue to work when I set the access group to a group on the OD server.

Any help would be greatly appreciated.

Simon

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      ([hidden email])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macos-x-server/lists%2Bs10970n2h62%40n7.nabble.com

This email sent to [hidden email]
Re: 10.8: Doing web-site authentication against Active Directory and Open Directory

The Mac OS X Server Mailing List mailing list
Hi Simon.

Have you tried: http://support.apple.com/kb/HT200248

Surprised Apple's letting this list linger on after declaring it dead, and that people still come here.
Well, here I am, never unsubscribed.

On Jul 16, 2014, at 10:52 AM, "Slavin, Simon" <[hidden email]> wrote:

> Dear list,
>
> I have a 10.8 server which runs various web sites.  This server is used only as FileSharing, Web and Wiki server, and all other services are turned off.
>
> Our setup previously was that we were using only Open Directory (hosted on another 10.8 server) for authentication.  My web server had a setting for access which, if I recall correctly, said "Authenticated Users" and if I used that for a site, web pages on that site put up the expected banner and accepted anyone with an account in the Open Directory server.
>
> We have now added Active Directory to the list, and the Directory Utility and binding of the web server computer have had an Active Directory host added to the Search Policy.  Network Account Server now shows up as 'Multiple'.  Server.app shows accounts from both servers.  Accounts from the AD server show up as expected in the directory editor.  I have ordered the servers with the AD server at the top, so it should be trying the AD server first, and only if it fails looking at the Open Directory server.
>
> However, the Active Directory accounts do not seem to be accessed by whatever is checking for users who can access my web site.  It still seems to be checking only for accounts on the Open Directory server.  Even if I set 'Who Can Access' explicitly to just a group of users on the AD server (ignoring the OD server entirely) it still does not authenticate correctly for AD users, claiming
>
> mod_digest_apple: Unable to authenticate for URI "/[whatever]" from user "[an AD account]" for realm "[private realm folder]"
> mod_digest_apple: Authentication failed (details unavailable)
>
> Does anyone have any idea what's wrong ?  Are the details available in some other log ?
>
> I note that the log entry came from mod_digest_apple.  Should this still correctly handle AD accounts ?  I can't see anywhere to change what types of password it allows.
>
> Access using accounts on the OD server does continue to work when I set the access group to a group on the OD server.
>
> Any help would be greatly appreciated.
>
> Simon



Re: 10.8: Doing web-site authentication against Active Directory and Open Directory

The Mac OS X Server Mailing List mailing list
I'm glad they let it run on, a sense of the old crew still battling against the Establishment in these very different days from last century.


Mike Matthews, Managing Director, Lineal Software Solutions Ltd

Apple Reseller, Microsoft Partner, SQLWorks Business Partner
phone: 01271 375999 | web: lineal.co.uk | email: [hidden email]



On 3 Oct 2014, at 19:06, OS X Server Mail List <[hidden email]> wrote:

> Hi Simon.
>
> Have you tried: http://support.apple.com/kb/HT200248
>
> Surprised Apple's letting this list linger on after declaring it dead, and that people still come here.
> Well, here I am, never unsubscribed.
>
> On Jul 16, 2014, at 10:52 AM, "Slavin, Simon" <[hidden email]> wrote:
>
>> Dear list,
>>
>> I have a 10.8 server which runs various web sites.  This server is used only as FileSharing, Web and Wiki server, and all other services are turned off.
>>
>> Our setup previously was that we were using only Open Directory (hosted on another 10.8 server) for authentication.  My web server had a setting for access which, if I recall correctly, said "Authenticated Users" and if I used that for a site, web pages on that site put up the expected banner and accepted anyone with an account in the Open Directory server.
>>
>> We have now added Active Directory to the list, and the Directory Utility and binding of the web server computer have had an Active Directory host added to the Search Policy.  Network Account Server now shows up as 'Multiple'.  Server.app shows accounts from both servers.  Accounts from the AD server show up as expected in the directory editor.  I have ordered the servers with the AD server at the top, so it should be trying the AD server first, and only if it fails looking at the Open Directory server.
>>
>> However, the Active Directory accounts do not seem to be accessed by whatever is checking for users who can access my web site.  It still seems to be checking only for accounts on the Open Directory server.  Even if I set 'Who Can Access' explicitly to just a group of users on the AD server (ignoring the OD server entirely) it still does not authenticate correctly for AD users, claiming
>>
>> mod_digest_apple: Unable to authenticate for URI "/[whatever]" from user "[an AD account]" for realm "[private realm folder]"
>> mod_digest_apple: Authentication failed (details unavailable)
>>
>> Does anyone have any idea what's wrong ?  Are the details available in some other log ?
>>
>> I note that the log entry came from mod_digest_apple.  Should this still correctly handle AD accounts ?  I can't see anywhere to change what types of password it allows.
>>
>> Access using accounts on the OD server does continue to work when I set the access group to a group on the OD server.
>>
>> Any help would be greatly appreciated.
>>
>> Simon





Re: 10.8: Doing web-site authentication against Active Directory and Open Directory

The Mac OS X Server Mailing List mailing list
In reply to this post by Slavin, Simon

On 3 Oct 2014, at 7:06pm, David Haines <[hidden email]> wrote:

> Have you tried: http://support.apple.com/kb/HT200248

Thank you for spotting and posting this, David.  I haven't had a chance to try it but I'm sure this is what my problem was.

Simon
