Apache LDAP/Active Directory Authentication
Imagine a typical company office: a Microsoft-dominated back office with Windows PCs, an Exchange server and, of course, an Active Directory.
Somewhere an Apache is running a small set of custom scripts. Now you need to limit access to this bunch of quick-and-dirty apps. The typical solution is to put an .htaccess file on it and manage the passwords with htpasswd. This works, but everyone has to remember both his Windows login and his application password. And what happens when a user leaves the company? You disable the Windows account. But did you remember to remove him from all the htaccess files?
The goal is to have only one user/password for everything in the company, and only one central user management. That is your Active Directory: it holds the users, and LDAP is the interface to use it.
Make sure your Apache supports mod_authnz_ldap. If it is compiled into the binary, httpd -L lists its directives; otherwise it is in the modules directory as mod_authnz_ldap.so. You may need to install it from your distribution's repository. If you compile from source, use these switches during configure:
--enable-ldap \
--enable-authnz-ldap \
--with-included-apr \
--with-ldap
Prepare Active Directory
Authentication consists of three steps:
- Finding the user in the Active Directory (getting its Distinguished Name, DN) using the supplied username
- Binding to the Active Directory with the DN just found and the supplied password
- Looking up group memberships
For the first step (finding the user) we already need access to the Active Directory. As AD won't allow anonymous access, you need a username and a password just to do the search. This is not your administration account! Create a new account with minimal rights.
So what is the username? That depends on your AD layout. This should give you a pretty good hint:
CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com
Let's start with an example:
<Location /protected>
    # Using this to bind
    AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
    AuthLDAPBindPassword "XXX"
    # search user
    AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthName "USE YOUR WINDOWS ACCOUNT"
    AuthBasicProvider ldap
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthUserFile /dev/null
    require valid-user
</Location>
AuthLDAPBindDN and AuthLDAPBindPassword are used for the first step, accessing the Active Directory.
Next we need to find the users; this is AuthLDAPURL. It looks like AD won't allow searching the complete tree (dc=example,dc=com). I always needed to specify at least one organizational unit (ou). We search the whole subtree (sub), not just one folder. When searching the tree we compare sAMAccountName with the username supplied to us. You could also match on the e-mail address instead.
AuthType and AuthName should already be familiar.
The AuthUserFile directive is important: without it (pointed at /dev/null) Apache fails with "(9)Bad file descriptor: Could not open password file: (null)".
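To see what the AuthLDAPURL actually tells the module to do, here is a small Python script, added for this article and not part of Apache or mod_authnz_ldap, that splits the URL into host, base DN, attribute, scope and filter and builds the search filter used for the user lookup (step one). The combined form (&(filter)(attribute=username)) and the defaults are as documented for mod_authnz_ldap; the RFC 4515 escaping of the username is assumed here to match what the module does internally.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515 escaping for a value placed inside an LDAP search filter.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL (RFC 2255 form host/basedn?attribute?scope?filter)
    into its parts. Defaults follow the mod_authnz_ldap documentation:
    attribute uid, scope sub (base is not supported), filter (objectclass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    # urlsplit stops at the first '?', so the rest is attribute?scope?filter
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, search_filter = (unquote(f) for f in fields[:3])
    return {
        "host": parts.netloc,
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": "sub" if scope in ("", "base") else scope,
        "filter": search_filter or "(objectclass=*)",
    }

def build_search_filter(url: str, username: str) -> str:
    """Return the filter the user lookup uses: the URL's own filter ANDed
    with attribute=username, with the username escaped (assumed behaviour)."""
    cfg = parse_auth_ldap_url(url)
    return f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(username)}))"

# The AuthLDAPURL from the <Location /protected> example above.
EXAMPLE_URL = ("ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com"
               "?sAMAccountName?sub?(objectClass=*)")

if __name__ == "__main__":
    for key, value in parse_auth_ldap_url(EXAMPLE_URL).items():
        print(f"{key:10} {value}")
    print(build_search_filter(EXAMPLE_URL, "john.doe"))
    # A username containing filter metacharacters is escaped, not interpreted
    print(build_search_filter(EXAMPLE_URL, "john*"))
```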
Specific Users, Groups
# specific user
# Require ldap-user "john.doe"
# specific user by DN
# Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com
# member of group
# Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com