Apache Active Directory Group Authentication

Apache Active Directory Group Authentication

Get Social!

apache-logoThe Apache HTTP server can be used with LDAP or Microsoft’s Active Directory to authenticate users before viewing a webpage or site.

Before getting started, you will need to have the required Apache mods installed. Run the following command to enable the required LDAP mods.

a2enmod ldap authnz_ldap

The LDAP configuration generally goes in the Location tags, as per the below example.

<Location />
        Order allow,deny
        Allow from all
	AuthzLDAPAuthoritative on
	AuthLDAPBindDN "CN=ldapservice,CN=Users,DC=jamescoyle,DC=net"
	AuthLDAPBindPassword "mypassword"
	AuthLDAPURL "ldap://jamescoyle.net/OU=Users,DC=jamescoyle,DC=net?sAMAccountName?sub?(objectClass=*)"
	AuthType Basic
	AuthName "JamesCoyle.net Authentication"
	AuthBasicProvider ldap
	AuthLDAPGroupAttributeIsDN on
	AuthLDAPGroupAttribute member
	Require ldap-group CN=mygroup,OU=Groups,DC=jamescoyle,DC=net
</Location>

Lets break down each attribute in the above config:

  • AuthzLDAPAuthoritative specifies to Apache that LDAP/ Active Directory authentication should override any other form of authentication.
  • AuthLDAPBindDN is the user DN which Apache will bind to when connecting to your LDAP/ Active Directory server.
  • AuthLDAPURL is the LDAP/ Active Directory URL which specifies your LDAP/ Active Directory server, the location where the users are stored within the directory and the attributes which will be used as a username when authenticating.
  • AuthType is the type of authentication which will be used. Basic gives us the dialogue box to enter our credentials.
  • AuthName is the text which will appear in the login dialogue box. This can differ depending on the web browser.
  • AuthBasicProvider specifies that we will use LDAP as the authentication mechanism.
  • AuthLDAPGroupAttributeIsDN when set to ON this option specifies to use the DN of the user when checking for group permissions in the LDAP/ Active Directory server. Otherwise the username will be used, in this example sAMAccountName.
  • AuthLDAPGroupAttribute is the attribute in the LDAP/ Active Directory server which is used to check for group membership.
  • Require when set to ldap-group indicates to Apache that the user must be in the specified group to allow access.

Visit our advertisers

Quick Poll

Do you use ZFS on Linux?

Visit our advertisers