
LDAP Authentication from Apache to Active Directory

Enable LDAP authentication and group lookup from Apache using Active Directory 2003

This was done on RHEL 3

Make sure mod_authz_ldap is installed, then configure
/etc/httpd/conf.d/authz_ldap.conf along the lines of the following:
----------------------------------------------------------
#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#

LoadModule authz_ldap_module modules/mod_authz_ldap.so

<IfModule mod_authz_ldap.c>

<Location /private>
AuthName "ldap@example.com"
AuthType basic

AuthzLDAPEngine on
AuthzLDAPBindDN "cn=linuxldap,ou=System Accounts,dc=example,dc=com"
AuthzLDAPBindPassword _password_
AuthzLDAPServer 192.168.1.1:3268
AuthzLDAPUserScope subtree
AuthzLDAPUserBase dc=example,dc=com
AuthzLDAPUserKey sAMAccountName
AuthzLDAPGroupBase "dc=example,dc=com"
AuthzLDAPGroupScope subtree
AuthzLDAPGroupKey name

# With the options set above, either a user can simply be authenticated
# and then allowed to access /private, OR the user can additionally be
# checked for membership of Enterprise Admins or another group. Only one
# of the two require lines below should be present; the other should be
# commented out.

#require valid-user
require group "Enterprise Admins"
</Location>

</IfModule>
------------------------------------------------------------

Notes: The above config requires a user to authenticate and to be a member of the
Active Directory group "Enterprise Admins" to access /private on the web server.
Thus, when http://www.example.com/private is requested, a password dialog appears.

Important parts of the config are

1. AuthzLDAPBindDN and AuthzLDAPBindPassword - these are required; the bind DN is the
full distinguished name (path) of the account used for binding to LDAP. The password is
stored in clear text in this file, so keep the file readable by root and the httpd user only.

2. AuthzLDAPServer - set to port 3268 rather than 389 or 636. 3268 is the Global Catalog
port, which answers a subtree search from the domain root without the referrals that
port 389 returns for child partitions. This apparently is a workaround for a known issue
when searching the LDAP tree recursively; it was found in a Red Hat mailing list. Note
that 3268 is plain LDAP, like 389, so both the bind password and the user's password
cross the network unencrypted; 3269 is the SSL-protected Global Catalog port.

3. AuthzLDAPUserKey - set to sAMAccountName, the attribute that holds the AD login name.

4. AuthzLDAPGroupKey - set to 'name', which corresponds to the AD attribute called 'name'.
This attribute holds the common name of the object, e.g. "Enterprise Admins", and the
last line, 'require group', is matched against that value.
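The following is an added example, not part of the original page or of mod_authz_ldap itself. It models offline the decision sequence that the directives in the notes above describe: look up the login name under AuthzLDAPUserBase by AuthzLDAPUserKey to get the user's DN, then look up the group under AuthzLDAPGroupBase by AuthzLDAPGroupKey and check whether that DN appears in the group's "member" attribute, which is how AD stores group membership. The directory entries are constructed sample data, not an export from a real domain, and the two bind steps (service account bind, user password check) are not modelled.

```python
# Added example: offline model of the mod_authz_ldap user/group lookups
# configured above. The DIRECTORY below is constructed sample data.

USER_BASE = "dc=example,dc=com"
USER_SCOPE = "subtree"
USER_KEY = "sAMAccountName"
GROUP_BASE = "dc=example,dc=com"
GROUP_SCOPE = "subtree"
GROUP_KEY = "name"

# Constructed sample entries keyed by DN. AD groups list their members as
# full DNs in the multi-valued "member" attribute, which is why the user
# lookup has to return a DN before the group check can run.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"], "name": ["Jane Doe"],
    },
    "CN=Bob Smith,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["bsmith"], "name": ["Bob Smith"],
    },
    "CN=Enterprise Admins,CN=Users,DC=example,DC=com": {
        "objectClass": ["group"], "name": ["Enterprise Admins"],
        "member": ["CN=Jane Doe,OU=Users,DC=example,DC=com"],
    },
    "CN=Web Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "name": ["Web Users"],
        "member": ["CN=Bob Smith,OU=Users,DC=example,DC=com",
                   "CN=Jane Doe,OU=Users,DC=example,DC=com"],
    },
}


def _norm(dn):
    # DNs and attribute values compare case-insensitively in AD. Whitespace
    # normalisation around commas is left out here (simplifying assumption).
    return dn.lower()


def in_scope(dn, base, scope):
    """Does the entry at dn fall inside the search base for the given scope?"""
    dn, base = _norm(dn), _norm(base)
    if scope == "base":
        return dn == base
    if scope == "onelevel":
        return "," in dn and dn.split(",", 1)[1] == base
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope: %s" % scope)


def search(base, scope, attr, value):
    """Return the DNs under base/scope whose attr equals value (equality filter)."""
    wanted = value.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and wanted in (v.lower() for v in entry.get(attr, []))]


def find_user_dn(username):
    """Step 1: resolve the login name to exactly one DN, or None.

    Zero hits and several hits both deny: with duplicates the module could
    not know which entry to bind as, and a duplicate login attribute is a
    directory problem that should fail closed rather than pick one.
    """
    hits = search(USER_BASE, USER_SCOPE, USER_KEY, username)
    return hits[0] if len(hits) == 1 else None


def user_in_group(user_dn, group_name):
    """Step 2: find groups whose AuthzLDAPGroupKey equals group_name and
    check whether the user's DN is listed in any of their member attributes."""
    target = _norm(user_dn)
    for group_dn in search(GROUP_BASE, GROUP_SCOPE, GROUP_KEY, group_name):
        if target in (_norm(m) for m in DIRECTORY[group_dn].get("member", [])):
            return True
    return False


def authorize(username, requirement):
    """Apply a 'require' line: ("valid-user",) or ("group", "<name>")."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return False
    if requirement[0] == "valid-user":
        return True  # an authenticated user is enough
    if requirement[0] == "group":
        return user_in_group(user_dn, requirement[1])
    return False  # unknown requirement: fail closed


if __name__ == "__main__":
    for user in ("jdoe", "bsmith", "nobody"):
        print(user,
              "require group 'Enterprise Admins':",
              authorize(user, ("group", "Enterprise Admins")),
              "require valid-user:", authorize(user, ("valid-user",)))
```

Run as-is it prints the decision for each constructed user under both require variants. The point of the two-step shape is that "require group" can only be evaluated once the login name has been turned into the DN that AD stores in the group's member list; a lookup that returns no entry or more than one entry denies access rather than guessing.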