Authenticate Linux/Apache to Microsoft AD using mod_auth_ldap or mod_authz_ldap
-------------------------------------------------------------------------------
2006-09-26

This doesn't work for console logins... but it works for Apache! I can host an Apache web server on Linux and authenticate users of a website against my Microsoft Active Directory using mod_auth_ldap or mod_authz_ldap.

First create a user in Microsoft's AD Users and Computers that has the minimum read rights to the AD structure and no rights to anything else. Its password *will* be stored in plain text in the Apache config file, so you want a compromise of that account to have the absolute minimum impact.

Create the user in AD. Add it to the "Domain Guests" group, set its primary group to "Domain Guests", and only then remove it from "Domain Users" (AD will not let you remove an account from its current primary group, so the order matters). This gives you a user with enough access to query AD but very little else (unless you've granted access rights to guest accounts, in which case, shame on you). AD does not allow anonymous searches, which is why Apache needs a bind account at all.

Two things the examples below do not do, and which you should do on anything other than a test box. First, protect the file holding the bind password: httpd.conf should be root-owned and not world-readable (mode 640 with group apache still lets httpd read it), and if you put the directives in a .htaccess file, make sure the default "<Files ~ "^\.ht">" deny block is still in httpd.conf so the file is never served. Second, use ldaps:// (port 636) instead of ldap:// (port 389) once your domain controller has a certificate: a simple bind over plain LDAP sends the bind password, and every web user's password, to the DC in clear text. Likewise, serve the protected directory over HTTPS, since HTTP Basic auth only base64-encodes the credentials.

For mod_auth_ldap usage:

1. Configure basic Apache settings (in FCx/RHEL, /etc/httpd/conf/httpd.conf)
2. Make sure mod_auth_ldap is loading
3. Use this example for the Directory you want authentication applied to inside httpd.conf, OR put these lines in a .htaccess file in the directory you want auth applied to:

   #Directory for testing LDAP auth
   AuthLDAPURL ldap://host.example.com:389/OU=MyCity,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)
   AuthLDAPBindDN CN=myldapbinduser,CN=Users,DC=example,DC=com
   #OR AuthLDAPBindDN CN=myldapbinduser,OU=MyCity,DC=example,DC=com
   AuthLDAPBindPassword pAs$w0rd
   AuthType Basic
   AuthName "LDAP Test Area"
   require valid-user

   (The AuthLDAPURL means: search the subtree under OU=MyCity,DC=example,DC=com for an object of class user whose sAMAccountName equals the login name, then bind as that object's DN with the password the browser supplied. Users outside that OU will not be able to log in, so pick the base DN accordingly.)

4. Save httpd.conf
5. service httpd restart
6. Go to the URL of the Directory you have set up and test!

Note: Apache 2.2 and later replaced mod_auth_ldap with mod_authnz_ldap. The AuthLDAPURL, AuthLDAPBindDN and AuthLDAPBindPassword directives are the same there, but you also need "AuthBasicProvider ldap" in the same block.

For mod_authz_ldap usage:

1. Configure basic Apache settings (/etc/httpd/conf/httpd.conf)
2. Make sure mod_authz_ldap is loading
3. Configure authz_ldap.conf (/etc/httpd/conf.d/authz_ldap.conf). Use this example for the Location you want authentication applied to:

   AuthzLDAPEngine on
   AuthzLDAPSetAuthorization off
   AuthzLDAPServer host.example.com:389
   AuthzLDAPUserBase DC=example,DC=com
   AuthzLDAPUserKey sAMAccountName
   AuthzLDAPUserScope subtree
   AuthzLDAPBindDN username@example.com
   AuthzLDAPBindPassword Pas$w0rd
   AuthType Basic
   AuthName "Authorized Access Only"
   require valid-user

4. Save authz_ldap.conf
5. service httpd restart
6. Go to the URL of the Location you have set up and test!

Note: You can also use require group instead of valid-user, so that only members of one AD group get in:

   require group CN=GroupName,CN=Users,DC=example,DC=com
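The following shell script is an added example and not part of the original page or of either Apache module. It wraps the checks I would run around both procedures above (mod_auth_ldap and mod_authz_ldap): an ldapsearch with the bind account before touching httpd.conf, a lint of the config file for the two weaknesses named earlier (bind password in a world-readable file, cleartext ldap://), and a curl test of the protected URL after the restart. The host name, DNs and paths are the page's placeholders, and the sample config that the script lints is constructed inside the script; the ldapsearch and curl steps need a real DC and web server and are meant to be run by hand.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight and post-install checks
# for the mod_auth_ldap / mod_authz_ldap setups described above. The host name,
# bind DN, base DN and file paths are the page's placeholders (assumptions), and
# the config written by make_sample is constructed here purely for the lint.

# Check 1: prove the bind account can search AD before touching httpd.conf.
# ldapsearch is in openldap-clients. AD refuses anonymous searches, so -D/-w
# are required. Uses ldaps:// on 636; fall back to ldap://$host:389 only for a
# one-off test if the DC has no certificate yet. Network call, run by hand.
ldap_bind_test() {
    host=$1; binddn=$2; password=$3; base=$4; login=$5
    ldapsearch -x -H "ldaps://$host:636" -D "$binddn" -w "$password" \
        -b "$base" "(&(objectClass=user)(sAMAccountName=$login))" dn sAMAccountName
}

# Check 2: the file that holds the bind password must not be readable by
# "other". Owner root, group apache, mode 640 is fine (httpd still reads it);
# 644 is not. Returns 0 when safe, 1 when exposed. Files that carry no
# BindPassword directive are always considered safe.
check_conf_perms() {
    grep -q 'BindPassword' "$1" || return 0
    other=$(ls -ld "$1" | cut -c8-10)      # the "other" rwx field of ls -l
    [ "$other" = "---" ]
}

# Check 3: flag cleartext LDAP. Heuristic: an AuthLDAPURL starting with
# ldap:// or an AuthzLDAPServer on port 389 means simple binds (and so every
# user's password) cross the wire unencrypted. Returns 0 when nothing is flagged.
check_ldap_tls() {
    ! grep -Eiq '^[[:space:]]*(AuthLDAPURL[[:space:]]+ldap://|AuthzLDAPServer[[:space:]]+[^[:space:]]+:389)' "$1"
}

# Check 4: after "service httpd restart", confirm the directory really is
# protected: expect 401 without credentials and 200 with a valid AD login
# (curl -u with no password prompts for it). Network call, run by hand.
auth_test() {
    url=$1; user=$2
    curl -s -o /dev/null -w 'anonymous: %{http_code}\n' "$url"
    curl -s -o /dev/null -w "as $user: %{http_code}\n" -u "$user" "$url"
}

# Constructed sample: the page's mod_auth_ldap fragment, written to file $1
# with the LDAP scheme, host and port taken from $2.
make_sample() {
    cat > "$1" <<EOF
#Directory for testing LDAP auth
AuthLDAPURL $2/OU=MyCity,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN CN=myldapbinduser,CN=Users,DC=example,DC=com
AuthLDAPBindPassword pAs\$w0rd
AuthType Basic
AuthName "LDAP Test Area"
require valid-user
EOF
}

# Run the two offline checks over one config file and print a line per check.
lint_conf() {
    f=$1
    if check_conf_perms "$f"; then echo "perms: ok"
    else echo "perms: $f is readable by others and holds the bind password"; fi
    if check_ldap_tls "$f"; then echo "tls: ok"
    else echo "tls: cleartext LDAP in $f, switch to ldaps://host:636"; fi
}

# Demonstration: the weak setting as on the page beside the corrected one.
demo() {
    weak=$(mktemp);  make_sample "$weak"  "ldap://host.example.com:389";  chmod 644 "$weak"
    fixed=$(mktemp); make_sample "$fixed" "ldaps://host.example.com:636"; chmod 640 "$fixed"
    echo "== as on the page"; lint_conf "$weak"
    echo "== hardened";       lint_conf "$fixed"
    rm -f "$weak" "$fixed"
}
demo
```

Run it as-is to see the lint on the two constructed files; for a real deployment call lint_conf on /etc/httpd/conf/httpd.conf (or the .htaccess or authz_ldap.conf you edited), ldap_bind_test with the bind DN and password you configured, and auth_test against the protected URL. The permission check deliberately accepts group-readable files because httpd has to read the config; what it refuses is the "other" read bit that lets any local account lift the bind password.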