Configuring Apache to Authenticate Against Active Directory


This is useful for protecting a directory with .htaccess, or for any web application that delegates authentication to Apache and needs more than a local password file, such as Subversion.

In my example I am using CentOS as the Linux operating system hosting Apache, but apart from the initial module configuration the .htaccess directives should work on most *nix systems.

Prerequisites

The first requirement, which nowadays should already be installed, is the LDAP authentication modules for Apache.
Edit /etc/httpd/conf/httpd.conf and uncomment the following lines:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

In other flavours of Linux the modules may be listed elsewhere.

Next, create a user which will bind to Active Directory to read user information from the domain. This should NOT be an administrator, and should have no more than the minimal rights needed, because its password has to be stored in plain text in the conf or .htaccess file.

For that reason it is highly recommended that the website be SSL enabled, so the password is encrypted on its way from the browser to Apache; note that this does not cover the separate LDAP connection from Apache to the Windows Domain Controller.
To find out the exact path of the user object you will need either adsiedit.msc or JXplorer, and Domain Administrator rights.
In my case I created a user called adsync in the default user location. This is cn=adsync,cn=users,dc=example,dc=com, assuming your domain is called example.com of course.

You can easily adapt the above example to your configuration.
Once you have logged into JXplorer, navigate to the OU you set up in Active Directory containing the users and groups you want to authenticate against.
Highlight the group or user Organisational Unit you wish to include and select Table editor. The value next to the distinguishedName attribute is the information you need; in our case:

OU=Example Container,DC=example,DC=com

This OU needs to contain all the users and/or groups that will be authenticating against Active Directory. Users outside this path will not be able to authenticate.
For some reason it won't allow you to specify DC=example,DC=com only; you need at least one OU.

.htaccess or conf file configuration

OK, below is the .htaccess file corresponding to the example data above, followed by an explanation of each directive.

AuthLDAPBindDN "CN=adsync,CN=Users,DC=example,DC=com"
AuthLDAPBindPassword "password"
# search user
AuthLDAPURL "ldap://dc01.example.com:389/OU=Example Container,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
# Use ONE of the two Require lines below: with both present, a user satisfying either
# is let in, so "valid-user" would make the group restriction meaningless.
Require ldap-group CN=Example Group,OU=Example Container,DC=example,DC=com
# Require valid-user

AuthLDAPBindDN "CN=adsync,CN=Users,DC=example,DC=com"

This is the user you set up specifically to bind to the domain. It should be written exactly like this: enclosed in double quotes, with CN and DC in capitals rather than lower case.

AuthLDAPBindPassword "password"

This is the actual password of the bind user (don't make it "password"!), again enclosed in quotation marks.

AuthLDAPURL "ldap://dc01.example.com:389/OU=Example Container,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"

This is the search path where the users and groups must live. They can be in containers within this OU or at the top level of the OU; both work. It should be sufficient to copy and paste, adjusting the host and DN to your own. The parts after the host are the base DN, the attribute compared with the username the user types (sAMAccountName, the Windows logon name), the scope (sub searches the whole subtree) and the filter, which must read (objectClass=*) with the asterisk inside the closing quote. Note that ldap:// on port 389 sends the bind password, and each user's password, to the Domain Controller in clear text; if the Domain Controller has a certificate, ldaps:// on port 636 protects that connection as well.

AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap

AuthType Basic specifies HTTP Basic authentication, in which the browser sends the password unencrypted, hence the SSL suggestion.
AuthName is the text shown in the username/password box that comes up when you try to access the website resource.
AuthBasicProvider ldap, obviously, tells Apache to use LDAP as the authentication provider.

AuthUserFile /dev/null

I am not sure exactly why this is needed, but without it Apache fails with the "Bad file descriptor: Could not open password file" error quoted in the comment above.

Require ldap-group CN=Example Group,OU=Example Container,DC=example,DC=com

This specifies that only members of Example Group, within the OU given in AuthLDAPURL, are allowed access.

Require ldap-group is not mandatory, but it adds a useful restriction. If you simply want any domain user who can log in to get access, use

Require valid-user

on its own instead. Do not list both: Apache grants access when any one Require line is satisfied, so valid-user would let every authenticated user through regardless of group. Other options are

Require ldap-user Example.User

or

Require ldap-dn CN=Example User,CN=Example Group,OU=Example Container,DC=example,DC=com

or whatever suits your particular requirements.
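As an added check that is not part of the original article, here is a small Python linter for the directives discussed above. It splits AuthLDAPURL the way mod_authnz_ldap reads it (host, port, base DN, attribute, scope, filter) and flags the pitfalls covered in this section: text left outside the closing quote, a filter with an empty value, a cleartext ldap:// URL, and Require valid-user placed next to Require ldap-group, where either match grants access. SAMPLE is a constructed copy of this page's configuration; the linter only understands the handful of directives shown here.

```python
import re
QUOTES = '"\u201c\u201d'  # straight and "smart" double quotes
# Constructed sample: this page's .htaccess with its original defects kept in place.
SAMPLE = '''AuthLDAPURL "ldap://dc01.example.com:389/OU=Example Container,DC=example,DC=com?sAMAccountName?sub?(objectClass=)"*
Require ldap-group CN=Example Group,OU=Example Container,DC=example,DC=com
Require valid-user
'''

def split_directive(line):
    # Split 'Name "value"trailing' into (lowercase name, value, text after the quote)
    name, _, value = line.strip().partition(" ")
    value, trailing = value.strip(), ""
    if value and value[0] in QUOTES:
        end = next((i for i in range(1, len(value)) if value[i] in QUOTES), None)
        if end is not None:
            value, trailing = value[1:end], value[end + 1:].strip()
    return name.lower(), value, trailing

def parse_auth_ldap_url(url):
    """Parse scheme://host[:port]/basedn[?attr[?scope[?filter]]] as mod_authnz_ldap does."""
    m = re.match(r"^(ldaps?)://([^/:]+)(?::(\d+))?/(.*)$", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, host, port, rest = m.groups()
    base, attr, scope, flt = (rest.split("?") + [""] * 4)[:4]
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else (636 if scheme == "ldaps" else 389),
            "base": base, "attribute": attr or "uid", "scope": scope or "sub",
            "filter": flt or "(objectClass=*)"}  # module defaults when omitted

def lint_htaccess(text):
    """Return the problems a reviewer would flag in an LDAP-auth .htaccess."""
    findings, requires = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        name, value, trailing = split_directive(raw)
        if trailing:  # e.g. a stray '*' left outside the closing quote
            findings.append("%s: text after closing quote: %r" % (name, trailing))
        if name == "authldapurl":
            url = parse_auth_ldap_url(value)
            if url["scheme"] == "ldap":  # bind and user passwords cross the wire in clear
                findings.append("authldapurl: cleartext ldap:// to %s:%d" % (url["host"], url["port"]))
            if "=)" in url["filter"] or url["filter"].count("(") != url["filter"].count(")"):
                findings.append("authldapurl: malformed filter %r" % url["filter"])
        elif name == "require":
            requires.append(value.lower())
    if "valid-user" in requires and any(r.startswith("ldap-") for r in requires):
        findings.append("require: valid-user next to ldap-*; either match grants access")
    return findings
```

Running lint_htaccess(SAMPLE) reports all four problems; the corrected configuration from this section reports none.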

