Category : How-to
The Apache HTTP server can be used with LDAP or Microsoft’s Active Directory to authenticate users before viewing a webpage or site.
Before getting started, you will need to have the required Apache mods installed. Run the following command to enable the required LDAP mods.
a2enmod ldap authnz_ldap
The LDAP configuration generally goes in the Location tags, as per the below example.
<Location /> Order allow,deny Allow from all AuthzLDAPAuthoritative on AuthLDAPBindDN "CN=ldapservice,CN=Users,DC=jamescoyle,DC=net" AuthLDAPBindPassword "mypassword" AuthLDAPURL "ldap://jamescoyle.net/OU=Users,DC=jamescoyle,DC=net?sAMAccountName?sub?(objectClass=*)" AuthType Basic AuthName "JamesCoyle.net Authentication" AuthBasicProvider ldap AuthLDAPGroupAttributeIsDN on AuthLDAPGroupAttribute member Require ldap-group CN=mygroup,OU=Groups,DC=jamescoyle,DC=net </Location>
Lets break down each attribute in the above config:
- AuthzLDAPAuthoritative specifies to Apache that LDAP/ Active Directory authentication should override any other form of authentication.
- AuthLDAPBindDN is the user DN which Apache will bind to when connecting to your LDAP/ Active Directory server.
- AuthLDAPURL is the LDAP/ Active Directory URL which specifies your LDAP/ Active Directory server, the location where the users are stored within the directory and the attributes which will be used as a username when authenticating.
- AuthType is the type of authentication which will be used. Basic gives us the dialogue box to enter our credentials.
- AuthName is the text which will appear in the login dialogue box. This can differ depending on the web browser.
- AuthBasicProvider specifies that we will use LDAP as the authentication mechanism.
- AuthLDAPGroupAttributeIsDN when set to ON this option specifies to use the DN of the user when checking for group permissions in the LDAP/ Active Directory server. Otherwise the username will be used, in this example sAMAccountName.
- AuthLDAPGroupAttribute is the attribute in the LDAP/ Active Directory server which is used to check for group membership.
- Require when set to ldap-group indicates to Apache that the user must be in the specified group to allow access.