Active Directory authentication in httpd.conf
Reference - http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html
httpd.conf

Let’s start with an example. (I used Directory with the full file system path.)

    <Location /protected>
        # Using this to bind
        AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
        AuthLDAPBindPassword "XXX"
        # search user
        AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
        AuthType Basic
        AuthName "USE YOUR WINDOWS ACCOUNT"
        AuthBasicProvider ldap
        # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
        AuthUserFile /dev/null
        require valid-user
    </Location>

AuthLDAPBindDN and AuthLDAPBindPassword are used for the first step, accessing the Active Directory.

Next we need to find the user; this is what AuthLDAPURL is for. It looks like AD won’t allow searching the complete tree (dc=example,dc=com). I always needed to specify at least one organizational unit (ou). We search the whole subtree (sub), not just one folder. When searching the tree, we compare sAMAccountName with the username supplied to us. You could also use the e-mail address:

    AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?mail?sub?(objectClass=*)"

AuthType and AuthName should be familiar. The important one is the AuthUserFile directive.

Specific Users, Groups

    # specific user
    # Require ldap-user "john.doe"
    # specific user by DN
    # Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com
    # member of group
    # Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com
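
An added example, not from the original page or from Apache's own code: the Python below splits an AuthLDAPURL value (scheme://host/basedn?attribute?scope?filter) into its parts and builds the search filter used to find the user, (&(filter)(attribute=username)), as the mod_authnz_ldap documentation describes it. The host name dc01.example.com, the function names and the RFC 4515 hex escaping of the username are assumptions of this example.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the page's URL with a placeholder host name filled in.
SAMPLE_URL = ("ldap://dc01.example.com/ou=Germany,dc=example,dc=com"
              "?sAMAccountName?sub?(objectClass=*)")

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Neutralise filter metacharacters in the user-supplied login name."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into a dict."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # The query holds up to three '?'-separated fields; pad the missing ones.
    attribute, scope, ldap_filter = (parts.query.split("?", 2) + ["", "", ""])[:3]
    scope = scope or "sub"                      # documented default
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'one' or 'sub', got %r" % scope)
    ldap_filter = unquote(ldap_filter) or "(objectClass=*)"
    if not ldap_filter.startswith("("):
        ldap_filter = "(%s)" % ldap_filter
    return {
        "tls": parts.scheme == "ldaps",
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",        # documented default
        "scope": scope,
        "filter": ldap_filter,
    }

def build_search_filter(cfg, username):
    """Combine the configured filter with attribute=username for the search."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(SAMPLE_URL)
    print(cfg)
    print(build_search_filter(cfg, "john.doe"))
    print(build_search_filter(cfg, "j*"))   # wildcard is escaped, not expanded
```

The dict's "tls" field makes it easy to flag configurations like the one on this page, where the URL uses ldap:// rather than ldaps://.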