a2enmod ldap
a2enmod authnz_ldap
and restart your Apache:
/etc/init.d/apache2 restart
For the first Step (finding the user) we already need access to the Active Directory. As AD won't allow anonymous acces, you need a username and a password just to do the search. This is not
your administration account! Create a new account with minimal rights.
So what is the username? Depends on your AD Layout. This should give you a pretty good hint
CN=YOUR-NAME,OU=IT Department,OU=Germany,DC=example,DC=com
here is your sample .htaccess:
# Using this to bind
AuthLDAPBindDN "CN=YOUR-USER,OU=IT Department,DC=example,DC=com"
AuthLDAPBindPassword "XXX"
# search user
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
require valid-user
you always need to specify at least one organizational unit (ou).
PS.: If your users are split into multiple OU's, your are limiting the logons to OU's from one OU. This is the case im my environment where users are split into different regions. You should use another port (3268).
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthName "whateveryouwant"
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER:3268/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
# Using this to bind
AuthLDAPBindDN "YOUR-USER@example.com"
AuthLDAPBindPassword "XXX"
require valid-user
2 comments:
Thanks for that great example!
It helped me a lot :)
great. Its working.
Thanks a lot for such post.
Post a Comment