Configure Apache 2.0.* to authenticate against OpenLDAP or Active Directory


Requirements

To authenticate against LDAP from Apache, you need the following:

  • Apache must be compiled with LDAP support (the mod_ldap and mod_auth_ldap modules).
  • You need to know the OU that the accounts are in.
  • If using Microsoft Active Directory, you may need a service account with read access to the account information, because anonymous binds usually cannot search the directory.


Configuration

The following snippet is a sample of what you would place in your httpd.conf:

<Directory "/var/www/localhost/htdocs">
  # Require HTTPS so the Basic-auth credentials are not sent to Apache in the clear
  SSLRequireSSL
  Options None
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthName  "Authorized Users Only"
  AuthType  Basic
  # URL format: scheme://host:port/base-dn?attribute?scope?filter
  # Plain ldap:// on 389 means the bind to the directory itself is unencrypted; prefer ldaps:// (see the next example)
  AuthLDAPURL ldap://ldap-server.example.org:389/ou=People,dc=example,dc=com?uid?sub?(objectClass=*)
  require valid-user
</Directory>

The following example authenticates to an Active Directory system with LDAPS:

LDAPTrustedCA /etc/httpd/conf/ms_ca_cert.pem
LDAPTrustedCAType BASE64_FILE

<Location "/location">
  order allow,deny
  allow from all
  AuthName "Apache AD Access"
  AuthType Basic
  AuthLDAPEnabled On
  AuthLDAPURL "ldaps://example.com:636/ou=People,dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))"
  AuthLDAPAuthoritative On
  AuthLDAPBindDN "CN=ServiceAccount,OU=Users,OU=Local,DC=example,DC=com"
  AuthLDAPBindPassword "password"
  require valid-user
</Location>

Note that the base DN in AuthLDAPURL must name at least the top-level OU under which the accounts reside; a search from a DN that is too narrow will not find them.

You should now be able to restart Apache and test your authentication method.
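As an added example (not part of the original page), here is a small Python check that parses the AuthLDAPURL format used above and audits a single <Directory> or <Location> block for the weak points the two snippets illustrate: a plain ldap:// bind, a missing SSLRequireSSL, a base DN that names no OU, the catch-all (objectClass=*) filter, and a clear-text AuthLDAPBindPassword. SAMPLE_BLOCK is a constructed copy of the first snippet; the default values for omitted URL fields follow mod_auth_ldap's documentation.

```python
import re
from urllib.parse import unquote

# Constructed sample: the plain-LDAP <Directory> block from this page, as one string.
SAMPLE_BLOCK = """<Directory "/var/www/localhost/htdocs">
  SSLRequireSSL
  AuthType  Basic
  AuthLDAPURL ldap://ldap-server.example.org:389/ou=People,dc=example,dc=com?uid?sub?(objectClass=*)
  require valid-user
</Directory>
"""

def parse_authldapurl(url):
    """Split scheme://host[:port]/basedn?attr?scope?filter; omitted trailing fields
    get mod_auth_ldap's defaults (uid, sub, (objectClass=*))."""
    m = re.match(r'^(ldaps?)://([^/:]+)(?::(\d+))?/(.*)$', url.strip().strip('"'))
    if not m:
        raise ValueError("not an AuthLDAPURL: %r" % url)
    scheme, host, port, rest = m.groups()
    fields = rest.split('?', 3)            # the filter itself may contain '?'
    fields += [''] * (4 - len(fields))
    return {
        'scheme': scheme, 'host': host,
        'port': int(port) if port else (636 if scheme == 'ldaps' else 389),
        'basedn': unquote(fields[0]),
        'attribute': fields[1] or 'uid',
        'scope': fields[2] or 'sub',
        'filter': fields[3] or '(objectClass=*)',
    }

def audit_block(block):
    """Return a list of findings for one <Directory>/<Location> block using mod_auth_ldap."""
    findings = []
    m = re.search(r'^\s*AuthLDAPURL\s+(\S+)', block, re.M)
    if not m:
        return ['no AuthLDAPURL directive in block']
    url = parse_authldapurl(m.group(1))
    if url['scheme'] != 'ldaps':
        findings.append('plain ldap:// to %s:%d: the bind sends user passwords to the directory unencrypted'
                        % (url['host'], url['port']))
    if not re.search(r'^\s*SSLRequireSSL\b', block, re.M):
        findings.append('no SSLRequireSSL: Basic credentials reach Apache in the clear')
    if 'ou=' not in url['basedn'].lower():
        findings.append('base DN %r names no OU; search from the OU holding the accounts' % url['basedn'])
    if url['filter'] == '(objectClass=*)':
        findings.append('filter (objectClass=*) matches any entry with a %s attribute; restrict it to user objects'
                        % url['attribute'])
    if re.search(r'^\s*AuthLDAPBindPassword\s+\S', block, re.M):
        findings.append('AuthLDAPBindPassword is stored in clear text; restrict read access to this file')
    return findings
```

Run it over each block of your httpd.conf before restarting; the first snippet yields exactly the plain-ldap and catch-all-filter findings.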
