Posted: December 1, 2011 | Author: Kyle Crawford | Filed under: Active Directory, LDAP, Security, Unix | Tags: auth, authentication, digest, gssapi, Kerberos, LDAP, ldapsearch, list, mechanisms, password, sasl, security |
You don’t have to use insecure cleartext simple bind authentication to access your LDAP servers.
Get list of supported authentication mechanisms:
ldapsearch -h example.com -x -b "" -s base -LLL supportedSASLMechanisms
Kerberos GSSAPI Example:
kinit
ldapsearch -v -Y GSSAPI -h example.com -b "DC=example,DC=com" "(sAMAccountName=someusername)"
DIGEST-MD5 Example:
ldapsearch -v -Y DIGEST-MD5 -h example.com -U someusername -R example.com -b "DC=example,DC=com" \
"(sAMAccountName=someusername)"
Note: For Active Directory Digest Authentication to work, you may need to enable reversible encryption on the account’s password and then change the user’s password once.
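As an added example (not from the original post), the script below reads the supportedSASLMechanisms output of the first command and picks which -Y mechanism to use. The preference order and the function names are this example's assumptions, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: choose a SASL mechanism from a rootDSE query result.
# Input on stdin is LDIF as printed by:
#   ldapsearch -h example.com -x -b "" -s base -LLL supportedSASLMechanisms

# Assumed preference order: Kerberos-backed mechanisms first, DIGEST-MD5
# only as a fallback. Mechanisms that hand the password itself to the
# server (PLAIN, LOGIN) are not in the list, so they are never selected.
PREFERRED="GSSAPI GSS-SPNEGO DIGEST-MD5"

# list_sasl_mechs: print the offered mechanisms, one per line, uppercased.
list_sasl_mechs() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" { print toupper($2) }'
}

# pick_sasl_mech: print the first preferred mechanism the server offers.
# Returns 1 (and prints nothing) when none of them is offered.
pick_sasl_mech() {
    offered=$(list_sasl_mechs)
    for mech in $PREFERRED; do
        if printf '%s\n' "$offered" | grep -qxF "$mech"; then
            printf '%s\n' "$mech"
            return 0
        fi
    done
    return 1
}

# Constructed sample, shaped like an Active Directory rootDSE reply.
SAMPLE_AD='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Constructed sample from a server offering only password-forwarding mechanisms.
SAMPLE_WEAK='dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN'

if mech=$(printf '%s\n' "$SAMPLE_AD" | pick_sasl_mech); then
    echo "use: ldapsearch -Y $mech ..."
fi
printf '%s\n' "$SAMPLE_WEAK" | pick_sasl_mech \
    || echo "no acceptable mechanism offered; do not fall back to simple bind"
```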
Posted: December 1, 2011 | Author: Kyle Crawford | Filed under: Deployment, http, Unix | Tags: apache, cache, modjk, mod_jk, mod_proxy, proxy, stale, wrong page |
If your web app starts serving stale cached content when run behind mod_jk or mod_proxy with Apache, it may be due to Apache inserting a default expiration header.
You can confirm this by comparing the headers returned from Apache with those returned directly from your web app. curl -i will show response headers:
curl -i http://example.com | head -20
To disable Apache’s content expirations, add the following to your virtual host:
ExpiresActive Off
Here is the official Apache Documentation.