Monday, December 7, 2009

Setting up Apache LDAP authentication with Windows Active Directory

Given the following configuration:
  • Apache 2 (2.2.9) on Windows;
  • MS Windows 2003 Server as Domain Controller;
  • Active Directory.
How do you make Apache authenticate users with their AD credentials?

I succeeded with the following steps.
1. Create a new Active Directory user in your domain with no specific rights (but not a guest). For example, give it the name "ldap_query" and the password "ldap_pass".
2. Edit your httpd.conf:
a) enable mod_authnz_ldap and mod_ldap (mod_authnz_ldap depends on mod_ldap for its connection pooling and caching);
b) make your Directory section look like this (read the comments inside for an explanation):

<Directory "D:/Your/Restricted/Web/Directory">
    Options ExecCGI FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

    # Now specify the authentication type. We will use LDAP.
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Hello, use your Windows username and password"

    # The next two lines describe how Apache should connect to LDAP.
    # Active Directory doesn't allow anonymous access, so this is where
    # our ldap_query user comes in. The password sits in clear text in
    # httpd.conf, so keep the file readable only by administrators and
    # the account the Apache service runs as.
    AuthLDAPBindDN "ldap_query@your-domain-name"
    AuthLDAPBindPassword "ldap_pass"

    # Now tell Apache where the LDAP server is. This is probably the most
    # difficult config line. Note that we connect to port 3268 (the Global
    # Catalog), though the standard LDAP port is 389. It may work for you
    # on port 389 too (in that case you can omit the port number).
    # The base DN must not contain spaces. Assuming your domain is
    # your.domain.com:
    AuthLDAPURL "ldap://your-domain-controller-IP-address:3268/dc=your,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"

    AuthzLDAPAuthoritative Off

    # Any user with valid credentials will be allowed.
    Require valid-user
</Directory>

3. Restart Apache. It should be working now.

Check Apache's error log (logs/error.log in a default install) if something goes wrong.
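Because the AuthLDAPURL line is the one most people get wrong, here is a small helper for building it from a domain name, checking an existing one against the format mod_authnz_ldap documents (ldap://host:port/basedn?attribute?scope?filter), and showing the search filter the module actually sends once a username is substituted in. This is an added example, not code from the original post or from Apache; the host 192.0.2.10 and domain your.domain.com are constructed sample values, and it uses only the Python standard library, so it runs without a domain controller.

```python
"""Build, parse and sanity-check a mod_authnz_ldap AuthLDAPURL.

Added example, not code from the original post or from Apache. Handles the
URL format documented for mod_authnz_ldap:
    ldap://host:port/basedn?attribute?scope?filter
"""
from urllib.parse import urlsplit, unquote

# mod_authnz_ldap only searches with scope "one" or "sub".
VALID_SCOPES = ("one", "sub")


def domain_to_base_dn(domain):
    """Turn 'your.domain.com' into 'dc=your,dc=domain,dc=com'.

    No spaces after the commas: the server compares the search base as a
    DN string, and stray whitespace can make the base unresolvable."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def build_auth_ldap_url(host, domain, port=3268, attribute="sAMAccountName",
                        scope="sub", search_filter="(objectClass=*)"):
    """Assemble the AuthLDAPURL for an AD domain.

    Port 3268 is the Global Catalog, which answers for the whole forest
    without referrals; 389 is the per-domain LDAP port."""
    if scope not in VALID_SCOPES:
        raise ValueError("scope must be one of %s" % (VALID_SCOPES,))
    base_dn = domain_to_base_dn(domain)
    return "ldap://%s:%d/%s?%s?%s?%s" % (host, port, base_dn,
                                          attribute, scope, search_filter)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts and apply the module's defaults.

    Returns a dict with host, port, base_dn, attribute, scope and filter.
    Raises ValueError for things Apache would reject or silently misread."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("missing LDAP host")
    # urlsplit keeps everything after the first '?' as the query, so the
    # '?'-separated attribute/scope/filter fields survive intact.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 3:
        raise ValueError("too many '?'-separated fields after the base DN")
    fields += [""] * (3 - len(fields))
    attribute, scope, search_filter = (unquote(f) for f in fields)
    base_dn = unquote(parts.path.lstrip("/"))
    if any(ch.isspace() for ch in base_dn):
        raise ValueError("base DN contains whitespace: %r" % base_dn)
    scope = scope or "sub"                    # module default when omitted
    if scope not in VALID_SCOPES:
        raise ValueError("unsupported scope %r" % scope)
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attribute": attribute or "uid",      # module default when omitted
        "scope": scope,
        "filter": search_filter or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def effective_search_filter(parsed, username):
    """The filter mod_authnz_ldap sends: the URL filter AND-ed with the
    attribute lookup, with the submitted username escaped so that filter
    metacharacters in it cannot change the meaning of the query."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                            escape_filter_value(username))


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    url = build_auth_ldap_url("192.0.2.10", "your.domain.com")
    print(url)
    print(parse_auth_ldap_url(url))
    print(effective_search_filter(parse_auth_ldap_url(url), "jdoe"))
```

Run it with a copy of your own AuthLDAPURL passed to parse_auth_ldap_url: a ValueError about whitespace in the base DN or an unsupported scope points at a line Apache will accept syntactically but that will never match a user.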

Hope this helps.
