Friday, January 20, 2012

Apache and Active Directory Authentication on Debian

Make sure your apache supports mod_authnz_ldap, then enable it:

a2enmod ldap
a2enmod authnz_ldap

and restart your Apache:

/etc/init.d/apache2 restart

For the first step (finding the user) we already need access to the Active Directory. As AD won't allow anonymous access, you need a username and a password just to do the search. This is not your administration account! Create a new account with minimal rights.


So what is the username? That depends on your AD layout. This should give you a pretty good hint:

CN=YOUR-NAME,OU=IT Department,OU=Germany,DC=example,DC=com

Here is your sample .htaccess:


# Using this to bind
AuthLDAPBindDN "CN=YOUR-USER,OU=IT Department,DC=example,DC=com"
AuthLDAPBindPassword "XXX"

# search user
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap

# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
require valid-user

You always need to specify at least one organizational unit (OU).

PS: If your users are split into multiple OUs, the configuration above limits logons to users from one OU. This is the case in my environment, where users are split into different regions. In that case you should use another port (3268).

AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthName "whateveryouwant"
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER:3268/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"

# Using this to bind
AuthLDAPBindDN "YOUR-USER@example.com"
AuthLDAPBindPassword "XXX"
require valid-user
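An added Python helper (not part of the original post and not Apache's own code) that parses the two AuthLDAPURL values above, the OU-scoped one and the port 3268 one, builds the filter mod_authnz_ldap sends for a given username, and lists what each setting implies for the deployment. The host name IP-DOMAIN-CONTROLLER is the post's placeholder; the usernames in the comments are constructed.

```python
"""Parse mod_authnz_ldap AuthLDAPURL values and derive the search each
.htaccess above will run (constructed example, not Apache's own code)."""
from urllib.parse import urlsplit, unquote

# The two URLs from the .htaccess samples on this page.
OU_URL = ("ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com"
          "?sAMAccountName?sub?(objectClass=*)")
GC_URL = ("ldap://IP-DOMAIN-CONTROLLER:3268/dc=example,dc=com"
          "?sAMAccountName?sub?(objectClass=*)")

# RFC 4515 escaping for a value placed inside a search filter, so a typed
# username such as "a)(cn=*" cannot change the meaning of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(c, c) for c in value)


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter, filling in
    the defaults mod_authnz_ldap documents: uid, sub and (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host, _, port = parts.netloc.partition(":")
    fields = parts.query.split("?") + ["", "", ""]
    return {
        "scheme": parts.scheme,
        "host": host,
        "port": int(port) if port else (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


def effective_filter(url, username):
    """The filter mod_authnz_ldap sends: (&(<filter>)(<attribute>=<user>))."""
    p = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (p["filter"], p["attribute"], escape_filter_value(username))


def review(url):
    """Defender-side observations about one AuthLDAPURL."""
    p, notes = parse_auth_ldap_url(url), []
    if p["scheme"] == "ldap" and p["port"] not in (636, 3269):
        notes.append("cleartext LDAP: the bind password and every user password "
                     "cross the network unencrypted unless STARTTLS is configured")
    if p["port"] in (3268, 3269):
        notes.append("Global Catalog port: the search covers the whole forest")
    if p["base_dn"].lower().startswith("ou="):
        notes.append("base DN is one OU: users outside it cannot log on here")
    return notes
```

Run review() on the URL you are about to deploy and compare the notes with the access you actually intend to grant.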

2 comments:

Anonymous said...

Thanks for that great example!

It helped me a lot :)

krishan said...

Great. It's working.

Thanks a lot for such a post.