Apache Active Directory Group Authentication
Category : How-to
The Apache HTTP server can be used with LDAP or Microsoft's Active Directory to authenticate users before they are allowed to view a webpage or site.
Before getting started, you will need to have the required Apache modules installed. Run the following command to enable the required LDAP modules.
```bash
a2enmod ldap authnz_ldap
```
The LDAP configuration generally goes inside a Location block, as in the example below.
```apache
<Location />
    Order allow,deny
    Allow from all
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=ldapservice,CN=Users,DC=jamescoyle,DC=net"
    AuthLDAPBindPassword "mypassword"
    AuthLDAPURL "ldap://jamescoyle.net/OU=Users,DC=jamescoyle,DC=net?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthName "JamesCoyle.net Authentication"
    AuthBasicProvider ldap
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    Require ldap-group CN=mygroup,OU=Groups,DC=jamescoyle,DC=net
</Location>
```
Let's break down each directive in the above config:
- AuthzLDAPAuthoritative tells Apache that LDAP/Active Directory authentication should override any other form of authentication.
- AuthLDAPBindDN is the DN of the user that Apache binds as when connecting to your LDAP/Active Directory server.
- AuthLDAPURL is the LDAP/Active Directory URL. It specifies your LDAP/Active Directory server, the location within the directory where the users are stored, and the attribute that will be matched against the username when authenticating.
- AuthType is the type of authentication that will be used. Basic causes the browser to show a dialogue box in which to enter credentials.
- AuthName is the text that will appear in the login dialogue box. How it is displayed can differ between web browsers.
- AuthBasicProvider specifies that LDAP will be used as the authentication mechanism.
- AuthLDAPGroupAttributeIsDN, when set to on, tells Apache to use the user's DN when checking group membership in the LDAP/Active Directory server. Otherwise the username is used, which in this example is the sAMAccountName.
- AuthLDAPGroupAttribute is the attribute in the LDAP/Active Directory server that is used to check for group membership.
- Require, when set to ldap-group, tells Apache that the user must be a member of the specified group to be allowed access.
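As an added example (not part of the original article), here is a small Python helper that parses an AuthLDAPURL of the form used above into its host, base DN, username attribute, scope and filter, and reports the two points a reviewer would raise about this configuration: the cleartext ldap:// scheme, and a bind password stored in the Apache config file. The defaults filled in for omitted URL fields are mod_authnz_ldap's documented defaults; the sample URL is copied from the config above and the finding text is my own wording.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the AuthLDAPURL value from the config above.
SAMPLE_URL = ("ldap://jamescoyle.net/OU=Users,DC=jamescoyle,DC=net"
              "?sAMAccountName?sub?(objectClass=*)")


def parse_ldap_url(url):
    """Split an LDAP URL (scheme://host[:port]/baseDN?attr?scope?filter) into parts.

    Fields left out of the URL get mod_authnz_ldap's defaults: uid, sub, (objectClass=*).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    # Everything after the first '?' is the attr?scope?filter tail.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": unquote(ldap_filter) or "(objectClass=*)",
    }


def audit_apache_ldap(url, bind_password=None):
    """Return a list of review findings for an AuthLDAPURL / AuthLDAPBindPassword pair."""
    info = parse_ldap_url(url)
    findings = []
    if info["scheme"] == "ldap":
        # Basic auth passwords and the bind credentials are forwarded to the
        # directory on this connection, so it should be encrypted.
        findings.append("cleartext ldap:// scheme to %s:%d; use ldaps:// so credentials "
                        "are not sent unencrypted" % (info["host"], info["port"]))
    if bind_password:
        findings.append("AuthLDAPBindPassword is stored in plaintext in the Apache "
                        "config; restrict read access to that file")
    return findings


if __name__ == "__main__":
    print(parse_ldap_url(SAMPLE_URL))
    for finding in audit_apache_ldap(SAMPLE_URL, "mypassword"):
        print("finding:", finding)
```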