Apache LDAP Authentication, Require ldap-group, OpenLDAP server, AND YOU!

Posted: March 20th, 2011 | Filed under: LDAP, Linux | 1 Comment »

OK people, this one frustrated me for a bit, but because I’m stubborn I figured it out.

I have a web service that I want to protect with LDAP authentication in Apache against our OpenLDAP server. Authentication alone is not enough, though: the user also has to belong to a specific LDAP group. If you’re like me, your groups are posixGroup entries that look something like this:

bart:~ jordan$ ldapsearch -h ldap.shop.lan -x -b "dc=shop,dc=lan" cn=fgstaff
# extended LDIF
# LDAPv3
# base with scope subtree
# filter: cn=fgstaff
# requesting: ALL

# fgstaff, Groups, shop.lan
dn: cn=fgstaff,ou=Groups,dc=shop,dc=lan
cn: fgstaff
gidNumber: 1022
description: Staff
objectClass: posixGroup

memberUid: jordan

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So to make it work you need a few directives inside the Directory block of your virtual host config (this is Apache 2.2 with mod_authnz_ldap). Here’s mine:

Options FollowSymLinks
AllowOverride None
AuthName "FG Staff ONLY!"
AuthType Basic
AuthBasicProvider ldap
# Apache 2.2 only; this directive no longer exists in 2.4
AuthzLDAPAuthoritative on
# host/base DN?attribute: search dc=shop,dc=lan (scope defaults to sub) for uid=<username>.
# Plain ldap:// is unencrypted; use ldaps:// or LDAPTrustedMode TLS in production.
AuthLDAPURL "ldap://ldap.shop.lan/dc=shop,dc=lan?uid"
# Full DN of the group entry, not just its cn
Require ldap-group cn=fgstaff,ou=Groups,dc=shop,dc=lan
# posixGroup stores bare usernames in memberUid, so compare the username, not the user's DN
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid

The trick for me was two things. First, Require ldap-group takes the full DN of the group entry (cn=fgstaff,ou=Groups,dc=shop,dc=lan), including the container, the organizational unit and the dc components, not just the cn. Second, AuthLDAPGroupAttributeIsDN has to be off. This is big because with it on, Apache asks the server whether the group attribute contains the authenticated user’s full DN, i.e. whether fgstaff has memberUid=uid=jordan,ou=People,dc=shop,dc=lan; a posixGroup only stores bare usernames in memberUid, so that never matches. With it off, Apache compares the username the user logged in as, jordan, against memberUid, which does match. AuthLDAPGroupAttribute memberUid is needed as well, because by default Apache checks the member and uniqueMember attributes (used by groupOfNames and groupOfUniqueNames, which store DNs and therefore want AuthLDAPGroupAttributeIsDN on).

Two caveats before you rely on this in production. AuthLDAPURL uses plain ldap://, so Apache’s searches, and the bind it performs with the user’s own password to verify it, cross the network unencrypted; use ldaps:// (or LDAPTrustedMode TLS for STARTTLS) together with LDAPTrustedGlobalCert so the directory’s certificate is actually verified, and serve the protected site over HTTPS, since Basic auth resends the password with every request. Also, AuthzLDAPAuthoritative was removed in Apache 2.4; the Require ldap-group, AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives are unchanged there, so just drop that line.
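To see exactly what the two AuthLDAPGroupAttributeIsDN settings compare, here is a small offline model of Apache’s ldap-group check in Python. It is an added example, not code from this post or from mod_authnz_ldap: it parses a constructed LDIF snapshot (the fgstaff entry from the ldapsearch above plus a hypothetical groupOfNames named fgadmins) and runs the same membership comparison Apache would ask the server to do. The user DN uid=jordan,ou=People,dc=shop,dc=lan is assumed from the ou=People container mentioned in the post, and the second memberUid (alice) is made up.

```python
"""Offline model of Apache mod_authnz_ldap's "Require ldap-group" check.

Shows why AuthLDAPGroupAttributeIsDN must be off for a posixGroup (memberUid
holds bare usernames) and on for a groupOfNames (member holds full DNs).
This is example code, not Apache's own logic.
"""
from typing import Dict, List

# Constructed sample directory content (LDIF), not a live server. The fgstaff
# entry mirrors the post's ldapsearch output; fgadmins is hypothetical.
SAMPLE_LDIF = """\
# fgstaff, Groups, shop.lan
dn: cn=fgstaff,ou=Groups,dc=shop,dc=lan
cn: fgstaff
gidNumber: 1022
description: Staff
objectClass: posixGroup
memberUid: jordan
memberUid: alice

# fgadmins, Groups, shop.lan (hypothetical groupOfNames, stores full DNs)
dn: cn=fgadmins,ou=Groups,dc=shop,dc=lan
cn: fgadmins
objectClass: groupOfNames
member: uid=jordan,ou=People,dc=shop,dc=lan
member: uid=bob,ou=People,
 dc=shop,dc=lan
"""

Entry = Dict[str, List[str]]


def normalise_dn(dn: str) -> str:
    """Simplified distinguishedNameMatch: lowercase, no whitespace around commas.
    Good enough for the DNs used here (no escaping or multi-valued RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: entries separated by blank lines, '#' comments
    skipped, folded lines (leading space) joined, base64 (::) values not
    supported. Returns {normalised dn: {attribute (lowercase): [values]}}."""
    entries: Dict[str, Entry] = {}
    logical_lines: List[str] = []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical_lines:  # LDIF line folding
            logical_lines[-1] += raw[1:]
            continue
        if raw.strip():
            logical_lines.append(raw)
            continue
        attrs: Entry = {}  # blank line: build the entry collected so far
        for line in logical_lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[normalise_dn(attrs["dn"][0])] = attrs
        logical_lines = []
    return entries


def is_member(entries: Dict[str, Entry], group_dn: str, username: str,
              user_dn: str, group_attr: str = "memberUid",
              attr_is_dn: bool = False) -> bool:
    """Model of Require ldap-group under the given AuthLDAPGroupAttribute /
    AuthLDAPGroupAttributeIsDN settings: look up the group entry, then test
    whether group_attr contains the user's DN (IsDN on) or the bare username
    (IsDN off). Missing group or attribute means access denied."""
    group = entries.get(normalise_dn(group_dn))
    if group is None:
        return False
    values = group.get(group_attr.lower(), [])
    if attr_is_dn:
        wanted = normalise_dn(user_dn)
        return any(normalise_dn(v) == wanted for v in values)
    # memberUid uses caseExactIA5Match in OpenLDAP's nis.schema: exact compare
    return username in values


def demo() -> Dict[str, bool]:
    """Run the post's working and failing settings, plus the groupOfNames case."""
    entries = parse_ldif(SAMPLE_LDIF)
    user, user_dn = "jordan", "uid=jordan,ou=People,dc=shop,dc=lan"
    staff = "cn=fgstaff,ou=Groups,dc=shop,dc=lan"
    admins = "cn=fgadmins,ou=Groups,dc=shop,dc=lan"
    return {
        # the post's working config
        "posixGroup/memberUid/IsDN off": is_member(entries, staff, user, user_dn, "memberUid", False),
        # the post's failing config: looks for memberUid=uid=jordan,ou=People,...
        "posixGroup/memberUid/IsDN on": is_member(entries, staff, user, user_dn, "memberUid", True),
        # Apache's default attribute (member) against a posixGroup: nothing to match
        "posixGroup/member/IsDN on": is_member(entries, staff, user, user_dn, "member", True),
        # a groupOfNames needs the opposite IsDN setting
        "groupOfNames/member/IsDN on": is_member(entries, admins, user, user_dn, "member", True),
        "groupOfNames/member/IsDN off": is_member(entries, admins, user, user_dn, "member", False),
    }


if __name__ == "__main__":
    for setting, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {setting}")
```

Running it prints ALLOW only for the two combinations that match the group’s storage format (bare username against memberUid, full DN against member); every other combination is denied, which is exactly the silent failure the post describes.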

Once I set this, it all worked. I’m hoping this will help any others out there.

How To RAID Mac Mini Server without Reinstalling

Posted: March 14th, 2011 | Filed under: Mac OS X Server | No Comments »

While this post title specifically says Mac Mini Server, this procedure will work with any Macintosh that has more than one hard drive. Back up the machine before you begin: the Restore step replaces whatever is on the second drive.

Replicate the boot drive to the spare drive

  1. Open Disk Utility.
      One volume should be labelled “Server HD” and the other “Macintosh HD2”. Remember which one is listed on top and which on the bottom.
  2. Select the volume named Macintosh HD2, then click the Restore tab.
  3. Drag Server HD into the Source field and Macintosh HD2 into the Destination field.
  4. Click Restore and let it run. When it finishes, the second drive is a copy of the boot drive and carries the same “Server HD” name.

Build the spare drive into a RAID of one disk

  1. Open Disk Utility.
  2. Select the hard drive associated with the old “Macintosh HD2”, then click the RAID tab.
      If you are unsure which drive is which, select each volume and note the mount point at the bottom of the window. Choose the one that DOES NOT have the mount point “/”.
  3. Set the following options:
      RAID Set Name: Server HD RAID
      Format: Mac OS Extended (Case-Sensitive, Journaled)
      RAID Type: Mirrored RAID Set
  4. Drag the spare Server HD (the copy you just made) from the list on the left into the box on the right.
  5. Click Options, enable “Automatically rebuild RAID mirror sets”, click OK, then click Enable.
  6. Rename the newly built volume to Server RAID.
  7. Go to System Preferences->Startup Disk and select the newly built RAID.
  8. Reboot.

Integrate Other Drive into RAID

  1. Once the system has booted, verify that the RAID volume is the boot volume.
      To do this, open Disk Utility again and select the Server RAID volume; make sure the mount point says “/”.
  2. Still in Disk Utility, select the RAID device, which is listed above “Server RAID”, and click the RAID tab.
  3. Drag “Server HD” into the white box on the right to add it to the RAID. Its contents are overwritten by the rebuild, which is fine now that you are running from the copy.
  4. Click Rebuild; it will take some time. Once it is done, reboot one more time and you’re finished!