
apache and active directory question

how to allocate an AD account to a web server

3:49 pm on Aug 30, 2017 (gmt 0)

New User

joined:Aug 30, 2017
posts: 2
votes: 0


Hi,
I'm a total newbie so please forgive my ignorance in this question.

My company has a Windows data server where each department has its own private folder which cannot be accessed by other departments. We use 'Active Directory' and each user has their own AD account. We then set up 'security groups' and grant them access to the specific folders.

We have now set up an Apache web server to host an intranet system and I want to be able to create a new folder on the Windows data server which will hold employee photos and this will be maintained by one specific department.

I want the web server to be able to access that same folder to display the photos on the intranet, however, I don't want any other departments to access the photos directly ( in case people decide to do some imaginative photo shopping on individual photos ) and I don't want to give the web server access to any other department folders.

I read that if I created a new Active Directory account and somehow allocated it to the web server ( so that the web server is treated as a person ) then I can arrange for a new 'security group' to be created containing this new AD account and all the accounts of the users in the department that will maintain the photos. I can then grant access to the 'photo folder' to this new security group.

If this is the case, could you let me know how I allocate the AD user name to the web server ? I've seen that the config file has a section for user & group but I don't know if this is used for the purpose I'm hoping to use it for. If it is, then is it a case of just exchanging the current values ( currently both user & group are set as 'daemon' ) to the new AD user account and security group ? And do I need to include the AD account password ?

Or is there an easier or better way to obtain what I'm trying to achieve ?
3:00 am on Aug 31, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr

joined:Sept 26, 2001
posts:9630
votes: 479


Hello Nick Partridge and welcome to WebmasterWorld [webmasterworld.com]
4:13 am on Aug 31, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque

joined:Aug 10, 2004
posts:10977
votes: 84


welcome to WebmasterWorld, Nick Partridge!


the "user" running the apache process is a unix concept and cannot be tied to the AD user's account in any practical way.

you are really addressing two different problems here and each has its own issues:


1 - authenticating the users and authorizing them to access resources

it looks like there's a way to enable HTTP Basic Authentication with AD using mod_authnz_ldap.
in general you would specify the authentication directives as required in the directory context of the server config file or in the .htaccess file of the relevant directory.
in other words, you would need a set of configuration directives for each department/directory.

Using Active Directory:
https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#activedirectory


2 - access to those resources by the server

typically the file resources would be on a drive mounted to and accessible by the apache process/user.
if these resources are on another server you could use mod_proxy (or through mod_rewrite's proxy directives/flags) to serve those resources invisibly from the external server.
or you could internally rewrite those requests to a script running under the apache process to handle the file get and deliver the response.


note that the implementation of either side of this application could be daunting for an apache newbie...
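As an added illustration of the first half of this answer (not config from the thread or from the Apache project docs), here is what one department's directory block looks like with mod_authnz_ldap authenticating against AD over LDAPS; the hostname, base DN, service account, CA path and group DN are placeholders to be replaced with the site's own values.

```apache
# Added example: HTTP Basic auth against Active Directory for one directory.
# Server-config context: load the LDAP modules and pin the DC's CA so the
# LDAPS certificate is actually verified rather than accepted blindly.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ca.pem   # placeholder path

# One block like this per department/directory, as the answer describes.
<Directory "/var/www/intranet/photos">
    AuthType Basic
    AuthName "Intranet photos (use your AD login)"
    AuthBasicProvider ldap

    # Look users up by sAMAccountName so they type "jsmith", not a full DN.
    # ldaps:// on 636 keeps the Basic-auth credentials off the wire in clear.
    AuthLDAPURL "ldaps://dc1.example.corp:636/DC=example,DC=corp?sAMAccountName?sub?(objectClass=user)"

    # AD does not allow anonymous searches, so Apache binds with a dedicated
    # low-privilege service account. The "exec:" form reads the password from
    # a program's stdout instead of storing it in the config file.
    AuthLDAPBindDN       "CN=svc-apache-ldap,OU=Service Accounts,DC=example,DC=corp"
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pass"

    # AD group membership lives in the group's "member" attribute as user DNs.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN On

    # Only the department that maintains the photos may log in here; everyone
    # else in the directory authenticates fine but is refused (403).
    Require ldap-group CN=Photo-Maintainers,OU=Groups,DC=example,DC=corp
</Directory>
```

This only covers who may log in through the browser; the files still have to be readable by the Apache process user, which is the second problem in the answer above.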
6:58 am on Aug 31, 2017 (gmt 0)

New User

joined:Aug 30, 2017
posts: 2
votes: 0


Thanks for the quick reply, you've saved me so much time ( which by the look of things would have been wasted anyway, going down the route I was looking at ).