Saturday, January 19, 2013

Active Directory Authentication for APACHE Web Server

To authenticate users against their Active Directory accounts in the Apache Web Server, you have to edit /etc/apache2/httpd.conf.

Notes

  1. You need a separate, ordinary AD account that Apache binds to LDAP with (the bind account).
  2. Provide the LDAP URL of your Domain Controller. Here I assume the domain is DC.EXAMPLE.COM and the IP of the Domain Controller is 192.168.40.1.
  3. I am binding with another account, guest@example.com, so give the fully qualified distinguished name (DN) of this account, as used in AuthLDAPBindDN.
  4. You should enable the authnz_ldap module for Apache.

Enabling Authnz_ldap Module in Apache

See all the enabled modules using the command
sudo ls /etc/apache2/mods-enabled
If authnz_ldap is in this enabled list, there is no need to enable it further. If authnz_ldap is not there, check whether the module is already installed using this command
sudo ls /etc/apache2/mods-available
If it is there, just enable it using this command
sudo a2enmod authnz_ldap
and then restart the Apache server.
sudo service apache2 restart
If the authnz_ldap module is not listed in mods-available, you have to reinstall Apache with this module compiled in as well.

Edit httpd.conf

<Directory /var/www>
    AuthType Basic
    AuthName "AD Authentication:"
    AuthBasicProvider ldap
    # Search base is the domain DC.EXAMPLE.COM (it must be the domain the bind account lives in);
    # users are looked up by their sAMAccountName.
    # NONE means a plain ldap:// connection: the bind password and every user's credentials travel
    # unencrypted, so prefer ldaps:// (SSL) or STARTTLS once the basic setup works.
    AuthLDAPUrl "ldap://192.168.40.1:389/DC=DC,DC=EXAMPLE,DC=COM?SAMAccountName?sub?(objectClass=user)" NONE
    # Bind account (guest@example.com) given as its full DN. The password is stored in clear text,
    # so keep httpd.conf readable only by root.
    AuthLDAPBindDN "CN=Guest Acount,OU=Services OU,OU=USERS,OU=OU1,DC=DC,DC=EXAMPLE,DC=COM"
    AuthLDAPBindPassword pass@123456
    Require valid-user
</Directory>
After editing, just restart the Apache server using
sudo service apache2 restart
That's it. Now when you access your server, or an application hosted on it, from a web browser, a pop-up will ask you to authenticate against AD.
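Most failures with this block come from the AuthLDAPUrl value itself: a search base in a different domain than the bind DN, a forgotten connection type, or a filter that is looser than intended. The checker below is an added example written for this post, not part of the original setup or of mod_authnz_ldap. It parses an AuthLDAPUrl directive in the form the module documents (scheme://host[:port]/basedn[?attribute[?scope[?filter]]] followed by an optional NONE/SSL/TLS/STARTTLS word, with the documented defaults uid, sub and (objectClass=*)), compares its domain components with the bind DN, and reports the things worth fixing before restarting Apache. The two directive lines embedded in it are constructed samples modelled on the block above; DN parsing assumes no escaped commas, which holds for these DNs.

```python
"""Pre-deployment sanity check for a mod_authnz_ldap <Directory> block (added example)."""
import shlex
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Defaults as documented for mod_authnz_ldap when a URL field is omitted.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"

# Constructed samples (not taken from a live server): the first mirrors the post's
# block but with the search base in a different domain than the bind account,
# the second is the hardened form of the same directive.
SAMPLE_BIND_DN = "CN=Guest Acount,OU=Services OU,OU=USERS,OU=OU1,DC=DC,DC=EXAMPLE,DC=COM"
SAMPLE_MISCONFIGURED = ('AuthLDAPUrl "ldap://192.168.40.1:389/DC=TR1,DC=EXAMPLE,DC=COM'
                        '?SAMAccountName?sub?(objectClass=user)" NONE')
SAMPLE_HARDENED = ('AuthLDAPUrl "ldaps://192.168.40.1/DC=DC,DC=EXAMPLE,DC=COM'
                   '?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user))" SSL')


@dataclass
class AuthLdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str
    connection: str  # NONE, SSL, TLS or STARTTLS (the optional trailing word)


def parse_auth_ldap_directive(line: str) -> AuthLdapUrl:
    """Parse a full 'AuthLDAPUrl "<url>" [NONE|SSL|TLS|STARTTLS]' directive line."""
    words = shlex.split(line)  # honours the double quotes Apache uses around the URL
    if len(words) < 2 or words[0].lower() != "authldapurl":
        raise ValueError("not an AuthLDAPUrl directive: %r" % line)
    url = words[1]
    connection = words[2].upper() if len(words) > 2 else "NONE"
    if connection not in ("NONE", "SSL", "TLS", "STARTTLS"):
        raise ValueError("unknown connection type %r" % connection)

    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps, got %r" % parts.scheme)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # urlsplit cuts at the first '?', so .query still holds attribute?scope?filter.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return AuthLdapUrl(
        scheme=parts.scheme,
        host=parts.hostname or "",
        port=port,
        base_dn=parts.path.lstrip("/"),
        attribute=attribute or DEFAULT_ATTRIBUTE,
        scope=scope or DEFAULT_SCOPE,
        filter=ldap_filter or DEFAULT_FILTER,
        connection=connection,
    )


def domain_components(dn: str) -> List[str]:
    """Return the DC= values of a DN, lower-cased, in order (assumes no escaped commas)."""
    return [rdn.split("=", 1)[1].strip().lower()
            for rdn in dn.split(",")
            if rdn.strip().upper().startswith("DC=")]


def check_directory_block(url_line: str, bind_dn: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    u = parse_auth_ldap_directive(url_line)
    findings = []
    if u.scheme == "ldap" and u.connection not in ("TLS", "STARTTLS"):
        findings.append("cleartext: ldap:// with connection type %s sends the bind password and "
                        "every user's credentials to %s:%d unencrypted" % (u.connection, u.host, u.port))
    base_dc, bind_dc = domain_components(u.base_dn), domain_components(bind_dn)
    if base_dc != bind_dc:
        findings.append("domain mismatch: search base is in %s but the bind DN is in %s"
                        % (".".join(base_dc), ".".join(bind_dc)))
    if "objectcategory=person" not in u.filter.lower():
        # In AD, computer objects also carry objectClass=user.
        findings.append("filter %s also matches computer accounts; "
                        "use (&(objectCategory=person)(objectClass=user))" % u.filter)
    return findings


if __name__ == "__main__":
    for label, line in (("misconfigured", SAMPLE_MISCONFIGURED), ("hardened", SAMPLE_HARDENED)):
        print("%s:" % label)
        for finding in check_directory_block(line, SAMPLE_BIND_DN) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to see the three findings for the constructed misconfigured line and none for the hardened one, or paste your own AuthLDAPUrl and AuthLDAPBindDN values into the two constants before restarting Apache.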

Troubleshooting