Difference between revisions of "Active Directory authentication in httpd.conf"

From MyWiki
 
(4 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
<source lang="text">
 
<source lang="text">
  
httpd.conf
 
Let’s start with an example
 
  
<Location /protected>
+
<Location /protected>         ( I used Directory with full file system path )
 
# Using this to bind
 
# Using this to bind
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
+
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com" ( I used blah009@camping.com)
 
AuthLDAPBindPassword "XXX"
 
AuthLDAPBindPassword "XXX"
 
# search user
 
# search user
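Review bot: the annotations the change appends to directive lines inside the `<source>` block, `( I used Directory with full file system path )` after `<Location /protected>` and `( I used blah009@camping.com)` after the `AuthLDAPBindDN` line, are not comment syntax in httpd.conf, so anyone pasting the block gets a configuration error; move each note to its own `#` line above the directive. The second annotation also records the useful fact that a user@domain style identity was used for the bind instead of the distinguished name, which Active Directory accepts for a simple bind, and that deserves a sentence of its own rather than a parenthesis. `AuthLDAPBindPassword "XXX"` keeps the service account password in clear text in the file, so the note should also say that httpd.conf must not be world-readable.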
Line 17: Line 15:
 
AuthBasicProvider ldap
 
AuthBasicProvider ldap
 
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
 
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
+
AuthUserFile /dev/null         <------------ this is needed
 
require valid-user
 
require valid-user
 
</Location>
 
</Location>
AuthLDAPBindDN and AuthLDAPBindPassword are uesd for the first step, Accessing the active directory.
 
  
Next we need to find the users, this is AuthLDAPURL. It looks like AD won’t allow to search the complete Tree (dc=example,dc=com). I always needed to specify at least one organizational unit (ou). We search the whole subtree (sub) not just one folder. When searching the tree we compare sAMAccountName with the username supplied to us. You could also the eMail Addresses.
 
  
 
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"
 
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"
AuthType, AuthName should be known.
 
  
Important is the AuthUserFile directive.
+
 
 +
 
  
 
Specific Users, Groups
 
Specific Users, Groups
 
# specific user
 
# specific user
#  Require ldap-user "john.doe"
+
#  Require ldap-user "john.doe"             ( this worked for me )
 
# specific user by DN
 
# specific user by DN
#  Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com
+
#  Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com     ( this didnt work for me )
 
# member of group
 
# member of group
#  Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com
+
#  Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com     ( I didn't try this )
  
 
</source>
 
</source>
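Review bot: `AuthUserFile /dev/null <------------ this is needed` has the same defect as the first hunk: the arrow text becomes extra arguments to `AuthUserFile` and breaks the directive, and the `#` comment directly above already explains why the line is required, so drop the arrow. The unchanged context still carries a second `AuthLDAPURL ... ?Vmail?sub?(objectClass=*)` line outside the `<Location>` block while the prose says the username is compared with sAMAccountName; either remove that line or comment it, otherwise readers copy a URL that compares against a non-standard attribute. On `Require ldap-dn ... ( this didnt work for me )`: ldap-dn only matches when the DN written in the directive is exactly the DN the search returned for the authenticated user, and the DN given here (OU=Finance) differs from the OU of the bind account a few lines up (OU=IT Department), so the test account's real DN should be confirmed before the directive is recorded as not working. Two style points in the context prose: "uesd" for "used", and "You could also the eMail Addresses" is missing its verb.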

Latest revision as of 13:18, 21 March 2016

Reference - http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html

<Location /protected>
# ( I used Directory with full file system path )
# Using this to bind
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
# ( I used blah009@camping.com )
AuthLDAPBindPassword "XXX"
# search user
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"

AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
# this is needed
AuthUserFile /dev/null
require valid-user
</Location>

# Variant of the URL comparing the username against the Vmail attribute; the block above uses sAMAccountName:
# AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"

# Specific Users, Groups
# specific user
#   Require ldap-user "john.doe"             ( this worked for me )
# specific user by DN
#   Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com      ( this didn't work for me )
# member of group
#   Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com     ( I didn't try this )
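The AuthLDAPURL that the configuration above hinges on (host, base DN, attribute, scope, filter), as an added Python example that is not part of the wiki page or of mod_authnz_ldap: it parses the URL, builds the search filter the module sends for a given username with the username escaped per RFC 4515, and flags the two points a reviewer would question from the URL alone (plain ldap:// and a domain-root base DN). The modelled behaviour (default attribute uid, default filter (objectClass=*), AND of the URL filter with attribute=username) follows the mod_authnz_ldap documentation; the LdapUrl class and the function names are this example's own.

```python
"""Parse an Apache mod_authnz_ldap AuthLDAPURL and show the search it produces.
Added example, not code from the wiki page or from mod_authnz_ldap itself."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

@dataclass
class LdapUrl:
    scheme: str     # "ldap" or "ldaps"
    host: str
    port: int
    base_dn: str
    attribute: str  # compared against the supplied username; module default is uid
    scope: str      # "one" or "sub"; missing or "base" is treated as "sub"
    filter: str     # extra filter; module default is (objectClass=*)

def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split 'ldap://host[:port]/basedn?attribute?scope?filter' into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # Everything after the first '?' lands in .query: attribute, scope, filter.
    fields = parts.query.split("?") if parts.query else []
    attribute = fields[0] if len(fields) > 0 and fields[0] else "uid"
    scope = fields[1] if len(fields) > 1 and fields[1] not in ("", "base") else "sub"
    if scope not in ("one", "sub"):
        raise ValueError(f"bad scope: {scope!r}")
    flt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    host = parts.netloc.rsplit(":", 1)[0] if parts.port else parts.netloc
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return LdapUrl(parts.scheme, host, port, unquote(parts.path.lstrip("/")), attribute, scope, flt)

def escape_filter_value(value: str) -> str:
    # The username comes from the client, so it must never reach the filter unescaped.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def effective_search_filter(url: LdapUrl, username: str) -> str:
    """The filter the module sends: URL filter AND'ed with attribute=username."""
    return f"(&{url.filter}({url.attribute}={escape_filter_value(username)}))"

def review_warnings(url: LdapUrl) -> list[str]:
    found = []
    if url.scheme == "ldap":
        found.append("plain ldap://: credentials cross the network unencrypted unless LDAPTrustedMode TLS is set")
    if url.base_dn.lower().startswith("dc="):
        found.append("base DN is the domain root; the wiki author found AD needs at least one OU")
    return found
```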