PostPosted: Wed Sep 12, 2007 9:42 pm 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
How to set up connectivity for Active Directory or OpenLDAP in order to allow enumeration of user information and protection of OpenAudit with ldap_login.php

This feature was added to the SVN version and is functional as of SVN 801, so you will need to update to at least that version (12th Sept 2007 or later).

First check that extension=php_ldap.dll is uncommented in the php.ini on your web server. Also be aware that some setups have more than one copy of php.ini (particularly XAMPP, which ships with two versions of PHP), so make sure you edit the one your running Apache actually loads.
Without this set nothing related to LDAP will work, and you may even break Open Audit. :(

Don't forget to restart Apache for the change to become active.

If you look in Admin > Config at the LDAP section, the warning message about LDAP not being configured should now have gone.

Next, the following items need to be set in the include_config.php file.
These items can also be set from the Admin > Config page.

[code]
$management_domain_suffix = 'mydomain.local';
[/code]

This is the Active Directory domain. Typically, if you have users of the form username@mydomain.local, then this is the mydomain.local part.
It is also used by the login page to allow login without having to enter the full username@mydomain.local: if no domain is specified in the login box, this suffix is appended to the username before the login info is checked.

[code]
$use_ldap_integration = 'y';
[/code]

This tells OA to use LDAP for additional user and computer details.

[code]
$ldap_base_dn = 'dc=mydomain,dc=local';
[/code]

This is the base DN for LDAP/AD searches. Typically this would be dc=mydomain,dc=local for the base of the above mydomain.local domain,
but it may be ou=myou,dc=mydomain,dc=local or similar for sub-OUs or subdomains. (Google "Active Directory base dn" for more info.)

[code]
$ldap_server = 'mydomaincontroller.mydomain.local';
[/code]

The FQDN of the Active Directory or OpenLDAP server.

[code]
$ldap_user = 'anldapuser@mydomain.local';
[/code]

A user with the ability to enumerate the AD/LDAP directory.

(Beware of using a domain admin here, because the password is kept in plain text in include_config.php at the moment; you would be better off creating a read-only user specifically for this.)

[code]
$ldap_secret = 'somepassword';
[/code]

The above user's password.

[code]
$full_details = 'n';
[/code]

If set to 'y' then all of the LDAP info for the user or computer will be shown. This is a little verbose, and slightly messy.

[code]
$use_ldap_login = 'y';
[/code]

This is used to enable the ldap_login page.
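As an added check that is not part of the original post or of Open-AudIT itself, the PHP script below (assumed filename check_ldap.php; it assumes PHP 5.6+ for ldap_escape and the php_ldap extension) binds with the configured account and looks a user up the way the settings above describe, so a wrong suffix, base DN or password shows up here rather than as a broken login page:

```php
<?php
// Added example, not Open-AudIT code: checks the LDAP settings from
// include_config.php before $use_ldap_login is switched on.
// Run on the web server:  php check_ldap.php someusername
// The values are the post's own placeholders; substitute your own.
$management_domain_suffix = 'mydomain.local';
$ldap_server  = 'mydomaincontroller.mydomain.local';
$ldap_base_dn = 'dc=mydomain,dc=local';
$ldap_user    = 'anldapuser@mydomain.local'; // read-only account, not a domain admin
$ldap_secret  = 'somepassword';

if (!extension_loaded('ldap')) {
    exit("php_ldap not loaded: check extension=php_ldap.dll in the php.ini Apache really uses\n");
}

// Same rule as the login page: add the suffix only when no domain was typed.
$login = isset($argv[1]) ? $argv[1] : 'someuser';
if (strpos($login, '@') === false && strpos($login, '\\') === false) {
    $login .= '@' . $management_domain_suffix;
}

$conn = ldap_connect('ldap://' . $ldap_server . ':389');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break subtree searches

// STARTTLS keeps $ldap_secret off the wire in clear; it needs a certificate on the
// directory server that this host trusts. Remove this block only to isolate a TLS fault.
if (!@ldap_start_tls($conn)) {
    exit('STARTTLS failed: ' . ldap_error($conn) . "\n");
}
if (!@ldap_bind($conn, $ldap_user, $ldap_secret)) {
    exit('Bind as ' . $ldap_user . ' failed: ' . ldap_error($conn) . "\n");
}

// Escape the login name so it cannot alter the filter. OpenLDAP users: replace
// the two AD attributes with (uid=...).
$account = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
$short   = ldap_escape(explode('@', $login)[0], '', LDAP_ESCAPE_FILTER);
$filter  = "(|(userPrincipalName=$account)(sAMAccountName=$short))";
$result  = ldap_search($conn, $ldap_base_dn, $filter, array('cn', 'mail', 'memberof'));
$entries = ldap_get_entries($conn, $result); // attribute names come back lowercased

if ($entries['count'] === 0) {
    exit("Bind OK but no entry for $login under $ldap_base_dn: check \$ldap_base_dn\n");
}
printf("Found %s (%s)\n", $entries[0]['cn'][0],
       isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : 'no mail attribute');
ldap_unbind($conn);
```

Each exit message names the single setting that is wrong, which is easier to act on than the generic "LDAP not configured" warning in Admin > Config.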

It is recommended that you install an SSL certificate in order to protect your login credentials. Using http: rather than https: means that any login details are passed in clear text and could be "sniffed" from your network.
You can purchase a certificate from a commercial source or create your own "self-signed" certificate. Below are instructions for creating a "self-signed" certificate. When asked for the common name, be sure to put in the fully qualified domain name of your server.

If you use XAMPP, at the command prompt:
[code]
cd c:\xampp\apache
makecert.bat
net stop apache2.2
net start apache2.2
[/code]

If you have installed Apache from scratch you might want to Google for this, or try http://www.rpatrick.com/tech/makecert/

If you use IIS, install SELFSSL from the IIS 6.0 Resource Kit. From the server with IIS installed run the command:
[code]
selfssl /V:7300 /N:CN=hostname.domainname.topleveldomain
[/code]

Once you have the SSL certificate installed go to Admin > Config, tick "Use HTTPS://" and press the "Save" button.

Now you can use https: URLs to access Openaudit rather than plain http:, so for example your index page becomes something like https://localhost/openaudit/index.php and your Openaudit web traffic, including the login page, is encrypted to keep away any prying eyes. :D

User EF added a few extra bits of information which will help you to understand self-signed certificates on an IIS web server....

[quote="ef"]First of all, thanks to Andrew and Jpmorgan for your great work on LDAP user authentication and SSL.
For those who host multiple sites on IIS using host headers and use self-signed certificates, I think it could be useful to specify in the FAQ the SelfSSL parameters a little more:
/N:CN= ----> has to be the CNAME DNS record used as host header for the openaudit site (not the hostname, otherwise it will not be valid for that site, but only for the one listening on the hostname)
/S: ----> has to be the site ID of the openaudit site (or the certificate will be issued to the Default web site instead, site ID 1)
Also, SSL Secure communications don't have to be mandatory in the Directory security properties for the openaudit site (otherwise remote audits couldn't be posted to the server).
Thank you.[/quote]

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]