You are here: Home / Software / Apache LDAP/Active Directory Authentication

Apache LDAP/Active Directory Authentication

Use a Windows Active Directory (or another LDAP Server) to manage your Apache Basic Authentication Imagine a typical Company Office. A Microsoft dominated Backoffice using Windows PCs, an Exchange Server and of course an Actice Directory.

Somewhere is an Apache running a smal set of custom Scripts. Now you need to limit the access to this bunch of quick and dirty Apps. Typical solution: put an htaccess file and some htpasswd manages passwords on it. This works but everyone needs to remember his windows login and his Application password. What happens if a user leaves the company? You disable the Windows account. But did you remember to remove him from all the htaccess files?

Goal is to have only one user/password. For everything in the Company and only one central usermanagement. This is your Active Directory. It has the users and LDAP is the interface to use it.

mod_authnz_ldap

Make sure your apache supports mod_authnz_ldap. If it is compiled into the binary you can use httpd -L to list it. Otherwise it is in the modules directory as mod_authnz_ldap.so. Maybe you need to install it from your Distributions repository. If you compile from source, use these switches during configure:

--enable-ldap \
--enable-authnz-ldap \
--with-included-apr \
--with-ldap

Prepare Active Directory

Authentication consists of

  1. Finding the user (getting the Distinguished Name DN) in the Active Directory using the supplied username

  2. Binding to the Active Directory using the now found DN and the supplied password

  3. Doing stuff to find group memberships

For the first Step (finding the user) we already need access to the Active Directory. As AD won’t allow anonymous acces, you need a username and a password just to do the search. This is not your administration account! Create a new account with minimal rights.

So what is the username? Depends on your AD Layout. This should give you a pretty good hint:

CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com

httpd.conf

Let’s start with an example

<Location /protected>
# Using this to bind
AuthLDAPBindDN "cn=John Doe,ou=IT Department,ou=Germany,dc=example,dc=com"
AuthLDAPBindPassword "XXX"
# search user
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"

AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
Require valid-user
</Location>

AuthLDAPBindDN and AuthLDAPBindPassword are uesd for the first step, Accessing the active directory.

Next we need to find the users, this is AuthLDAPURL. It looks like AD won’t allow to search the complete Tree (dc=example,dc=com). I always needed to specify at least one organizational unit (ou). We search the whole subtree (sub) not just one folder. When searching the tree we compare sAMAccountName with the username supplied to us. You could also the eMail Addresses.

AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"

AuthType, AuthName should be known.

Important is the AuthUserFile directive.

Specific Users, Groups

# specific user
#   Require ldap-user "john.doe"
# specific user by dn
#   Require ldap-dn cn=John Doe,ou=Finance,ou=Germany,dc=example,dc=com
# member of group
#   Require ldap-group cn=Finance Department,ou=Finance,ou=Germany,dc=example,dc=com