Authenticate Linux/Apache to Microsoft AD using mod_auth_ldap or mod_authz_ldap
-------------------------------------------------------------------------------
2006-09-26
This doesn't work for console logins, but it does work for Apache! I can host
an Apache web server on Linux and authenticate users of a website against my
Microsoft Active Directory using mod_auth_ldap or mod_authz_ldap.
You will want to create a user in Microsoft's AD Users and Computers that has
the minimum read rights to the AD structure and no rights to anything else. The
bind password for this user *will* be stored in plain text in the Apache config
file, so you want its compromise to have the absolute minimum impact. Create a
user in AD. Add the user to the "Domain Guests" group and reset its primary
group to "Domain Guests". Remove the user from "Domain Users". This should give
you a user with enough access to query AD but very little else (unless you've
granted access rights to guest accounts, in which case, shame on you).
1. Configure basic Apache settings (in FCx/RHEL, /etc/httpd/conf/httpd.conf)
2. Make sure mod_auth_ldap is loading
3. Put these lines in the <Directory> section of httpd.conf for the directory you want authentication applied to,
OR in a .htaccess file in that directory:
#Directory for testing LDAP auth
AuthLDAPURL ldap://host.example.com:389/OU=MyCity,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN CN=myldapbinduser,CN=Users,DC=example,DC=com
#OR AuthLDAPBindDN CN=myldapbinduser,OU=MyCity,DC=example,DC=com
AuthLDAPBindPassword pAs$w0rd
AuthType Basic
AuthName "LDAP Test Area"
require valid-user
4. save httpd.conf
5. service httpd restart
6. Go to the URL of the Directory you have set up and test!
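As an added example (not from the original post), this Python script parses the AuthLDAPURL format that mod_auth_ldap reads, builds the search filter the module issues for a typed-in login name (the URL's filter AND-ed with the attribute match, with the login escaped per RFC 4515), and flags a plain ldap:// URL, which sends the bind password and every user's password across the wire unencrypted. The defaults (uid, sub, (objectClass=*)) follow the module's documentation; config_warnings is my own review check, not part of the module.

```python
"""Parse an Apache AuthLDAPURL and derive the LDAP search mod_auth_ldap runs."""
from urllib.parse import unquote, urlsplit

# RFC 4515 escapes for filter values; mod_auth_ldap escapes the same characters
# in the login name so it is matched literally, never as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url: str) -> dict:
    """Split 'ldap[s]://host[:port]/basedn?attribute?scope?filter' (RFC 2255
    form) into its parts, applying mod_auth_ldap's documented defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url}")
    fields = parts.query.split("?") + ["", "", ""]
    attribute, scope, filt = (unquote(f) for f in fields[:3])
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }

def search_for_login(url: str, login: str) -> tuple:
    """Return (basedn, scope, filter) of the search issued when 'login' is
    typed into the browser: the URL filter AND-ed with (attribute=login)."""
    cfg = parse_auth_ldap_url(url)
    filt = f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(login)}))"
    return cfg["basedn"], cfg["scope"], filt

def config_warnings(url: str) -> list:
    """Added review check (assumption, not module behaviour): flag weak settings."""
    cfg = parse_auth_ldap_url(url)
    warnings = []
    if cfg["scheme"] == "ldap":  # bind and user passwords cross the wire in clear
        warnings.append("ldap:// is unencrypted; prefer ldaps:// (port 636) or StartTLS")
    if cfg["filter"] == "(objectClass=*)":
        warnings.append("filter matches every object; restrict it, e.g. (objectClass=user)")
    return warnings

if __name__ == "__main__":
    # The URL from the httpd.conf example above (constructed sample login name).
    URL = "ldap://host.example.com:389/OU=MyCity,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    print(search_for_login(URL, "jdoe"), config_warnings(URL))
```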
For mod_authz_ldap usage:
1. Configure basic Apache settings (/etc/httpd/conf/httpd.conf)
2. Make sure mod_authz_ldap is loading
3. Configure authz_ldap.conf (/etc/httpd/conf.d/authz_ldap.conf)
Use this example for the Location you want authentication applied to:
AuthzLDAPEngine on
AuthzLDAPSetAuthorization off
AuthzLDAPServer host.example.com:389
AuthzLDAPUserBase DC=example,DC=com
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserScope subtree
AuthzLDAPBindDN username@example.com
AuthzLDAPBindPassword Pas$w0rd
AuthType basic
AuthName "Authorized Access Only"
require valid-user
4. save authz_ldap.conf
5. service httpd restart
6. Go to the URL of the Location you have set up and test!
Note: You can also use require group instead of valid-user.
require group CN=GroupName,CN=Users,DC=example,DC=com