Difference between revisions of "Active Directory authentication in httpd.conf"

From MyWiki
Line 8: Line 8:
 
<Location /protected>          ( I used Directory with full file system path )  
 
<Location /protected>          ( I used Directory with full file system path )  
 
# Using this to bind
 
# Using this to bind
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
+
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com" ( I used blah009@camping.com)
 
AuthLDAPBindPassword "XXX"
 
AuthLDAPBindPassword "XXX"
 
# search user
 
# search user
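Review bot: the annotation ( I used blah009@camping.com) on the right-hand AuthLDAPBindDN line sits after the closing quote of the directive's argument, so httpd reads it as extra arguments rather than a comment and will refuse to load the configuration. Move the note to its own # line above the directive and, if the user@domain form is what was actually used, make it the quoted value, e.g. AuthLDAPBindDN "blah009@camping.com". The same problem applies to ( I used Directory with full file system path ) following <Location /protected>.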
Line 17: Line 17:
 
AuthBasicProvider ldap
 
AuthBasicProvider ldap
 
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
 
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
+
AuthUserFile /dev/null         <------------ this is needed
 
require valid-user
 
require valid-user
 
</Location>
 
</Location>
AuthLDAPBindDN and AuthLDAPBindPassword are uesd for the first step, Accessing the active directory.
 
  
Next we need to find the users, this is AuthLDAPURL. It looks like AD won’t allow to search the complete Tree (dc=example,dc=com). I always needed to specify at least one organizational unit (ou). We search the whole subtree (sub) not just one folder. When searching the tree we compare sAMAccountName with the username supplied to us. You could also the eMail Addresses.
 
  
 
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"
 
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"
 
AuthType, AuthName should be known.
 
AuthType, AuthName should be known.
  
Important is the AuthUserFile directive.
+
 
  
 
Specific Users, Groups
 
Specific Users, Groups
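Review bot: <------------ this is needed appended to AuthUserFile /dev/null is not comment syntax in httpd.conf, so the directive line will be rejected for having too many arguments. Keep the explanation on the # line above it (which already names the error the directive avoids, "(9)Bad file descriptor: Could not open password file: (null)") and leave the directive as AuthUserFile /dev/null on its own. The sentence "Important is the AuthUserFile directive." would be clearer if it said why: /dev/null gives the file provider something it can open while ldap remains the provider that actually checks credentials.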

Revision as of 13:15, 21 March 2016

Reference - http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html

httpd.conf
Let’s start with an example

<Location /protected>
# ( I used Directory with the full file system path instead of Location )
# Using this to bind
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
# ( I used blah009@camping.com as the bind DN )
AuthLDAPBindPassword "XXX"
# search user
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"

AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
# <------------ the next line is needed
AuthUserFile /dev/null
Require valid-user
</Location>
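To make the AuthLDAPURL line above concrete, here is an added example (not code from the wiki page or from mod_authnz_ldap) that parses the URL the way mod_authnz_ldap documents its format (scheme://host/basedn?attribute?scope?filter), builds the search filter the module sends for a login name, and runs that search against a small constructed stand-in for the Active Directory subtree. The entries, the helper names and the treatment of the page's IP-DOMAIN-CONTROLLER placeholder are assumptions for illustration; it also shows why the scope must be sub when users live in nested OUs, and that the login name is escaped per RFC 4515 before it goes into the filter.

```python
"""Added example: what an AuthLDAPURL means to mod_authnz_ldap.

Not part of the wiki page. The directory entries below are constructed
stand-ins for a domain controller; nothing here talks to a real server.
"""
import re
from urllib.parse import unquote, urlsplit

# URL exactly as given on the page; IP-DOMAIN-CONTROLLER is the page's placeholder.
PAGE_URL = ("ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com"
            "?sAMAccountName?sub?(objectClass=*)")

# Constructed sample entries standing in for what the domain controller holds.
SAMPLE_ENTRIES = [
    {"dn": "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com",
     "objectClass": "user", "sAMAccountName": "john.doe"},
    {"dn": "CN=Jane Roe,OU=Finance,OU=Germany,DC=example,DC=com",
     "objectClass": "user", "sAMAccountName": "jane.roe"},
    {"dn": "CN=svc-web,OU=Germany,DC=example,DC=com",
     "objectClass": "user", "sAMAccountName": "svc-web"},
    {"dn": "CN=Pierre,OU=France,DC=example,DC=com",   # outside the page's base DN
     "objectClass": "user", "sAMAccountName": "pierre"},
]

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is compared literally inside the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split scheme://host/basedn?attribute?scope?filter with the module's defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must use ldap:// or ldaps://")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, search_filter = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",           # module default when omitted
        "scope": "one" if scope == "one" else "sub",  # 'base' is treated as 'sub'
        "filter": search_filter or "(objectClass=*)",
    }


def build_search_filter(cfg: dict, username: str) -> str:
    """mod_authnz_ldap ANDs the configured filter with (attribute=username)."""
    return f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(username)}))"


def _normalize_dn(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def _dn_under(dn: str, base: str, scope: str) -> bool:
    """Scope test on DNs (simplified: assumes no escaped commas in RDN values)."""
    dn_n, base_n = _normalize_dn(dn), _normalize_dn(base)
    if not dn_n.endswith("," + base_n):
        return False
    rest = dn_n[: -len(base_n) - 1]            # RDNs between the entry and the base
    return scope == "sub" or "," not in rest   # 'one' allows exactly one RDN


def _matches(entry: dict, search_filter: str) -> bool:
    """Evaluate the AND-of-equality filters this example produces (not a full parser)."""
    lowered = {k.lower(): v for k, v in entry.items()}
    for attr, value in re.findall(r"\(([^=()&|!]+)=([^()]*)\)", search_filter):
        have = lowered.get(attr.lower())
        if have is None:
            return False
        if value != "*" and have.lower() != unescape_filter_value(value).lower():
            return False
    return True


def find_user(url: str, username: str, entries=SAMPLE_ENTRIES) -> list:
    """Return the DNs the DC would hand back; the module then binds as that DN."""
    cfg = parse_auth_ldap_url(url)
    flt = build_search_filter(cfg, username)
    return [e["dn"] for e in entries
            if _dn_under(e["dn"], cfg["base"], cfg["scope"]) and _matches(e, flt)]


if __name__ == "__main__":
    cfg = parse_auth_ldap_url(PAGE_URL)
    print(build_search_filter(cfg, "john.doe"))
    print(find_user(PAGE_URL, "john.doe"))
    # With scope 'one' only direct children of ou=Germany are visible.
    print(find_user(PAGE_URL.replace("?sub?", "?one?"), "john.doe"))
```

Running it prints the combined filter `(&(objectClass=*)(sAMAccountName=john.doe))`, then John Doe's DN, then an empty list for the `one` scope, because his account sits one OU deeper than the base; a user under OU=France is never found because the base DN, not the filter, decides which part of the tree is searched.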

AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?Vmail?sub?(objectClass=*)"
AuthType and AuthName should already be familiar.

Specific Users, Groups
# specific user
#   Require ldap-user "john.doe"
# specific user by DN
#   Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com
# member of group
#   Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com