Difference between revisions of "Active Directory authentication in httpd.conf"

httpd.conf
Let’s start with an example
 
<Location /protected>          ( I used Directory with full file system path ) 
# Using this to bind
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
AuthLDAPBindPassword "XXX"
# search user
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
 
AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
require valid-user
</Location>
AuthLDAPBindDN and AuthLDAPBindPassword are uesd for the first step, Accessing the active directory.
 
Next we need to find the users, this is AuthLDAPURL. It looks like AD won’t allow to search the complete Tree (dc=example,dc=com). I always needed to specify at least one organizational unit (ou). We search the whole subtree (sub) not just one folder. When searching the tree we compare sAMAccountName with the username supplied to us. You could also the eMail Addresses.
 
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"
AuthType, AuthName should be known.
 
Important is the AuthUserFile directive.
 
Specific Users, Groups
# specific user
#   Require ldap-user "john.doe"
# specific user by DN
#   Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com
# member of group
#   Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com