Sep 26 2006

Apache Authentication against Active Directory

Published by at 12:00 am under Apache,Ldap

A typical company setup consists of Windows clients authenticating against a central Active Directory. Many companies also have an Apache server on which they host their intranet or other critical information. Speaking of critical information, chances are that access should be restricted to certain groups of people. I was asked to install a wiki for my team to build a knowledge base, likely to contain sensitive information about the company. I thought authenticating Apache against Active Directory would be a good solution.

Why Authenticate Apache against Windows AD?

  • It is quick to implement
  • Nobody likes to have multiple accounts. It’s a human thing to forget usernames and passwords
  • There is no need to recreate each single account
  • Everything is centralised. Access to the web server is denied as soon as the AD account is disabled
  • Access can be granted to users who belong to specific Active Directory groups

Even though I’m not pro-Microsoft, these are reasons enough to take the plunge!


Bind to Active Directory

Active Directory is LDAP (Lightweight Directory Access Protocol) compliant, meaning you can run queries to retrieve information about users and computers on the domain. You can use the ldapsearch client to browse its structure. However, you need to create a dedicated user that binds to the domain controller to look up users’ details.

  • Connect to your domain controller and create a new user in “Active Directory Users and Computers”.
  • Untick “User must change password at next logon”.
  • The username and password of this account will be needed to bind the Apache server to the domain controller.

The next step is to find your LDAP domain name. We’ll assume it is ‘location.company.com’. If you don’t know it, run through the following procedure to find out:

  • Run ldp.exe on the domain controller.
  • Click ‘Connection’ -> ‘Connect’ from the top menu and leave ‘localhost’ in the bottom field.
  • Then click ‘Connection’ -> ‘Bind’ from the top menu and enter the details of the user you created earlier.
  • Now go to ‘Browse’ -> ‘Search’ and press ‘enter’. This returns a list of all objects present in the directory. It is a bit austere, but you can easily find the lines for users on your system. An entry should look similar to this:

Dn: CN=John Doe,CN=Users,DC=location,DC=company,DC=com
objectClass: top; person; organizationalPerson; user;
cn: John Doe;
description: John Doe;

We are now going to configure the Apache module.

Configure Apache Authentication

Check that mod_auth_ldap or mod_authz_ldap is activated in httpd.conf in the load modules section. The module configuration can be added in httpd.conf but it’s always a good idea to keep it in a separate file. Apache on Redhat stores module config files in /etc/httpd/conf.d/. I added the following lines into authz_ldap.conf:

<Location /protected>
    Order deny,allow
    Allow from all
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    # The URL must be on a single line: host:port/base DN?attribute?scope?filter
    AuthLDAPURL ldap://your-domain-controller:389/CN=Users,DC=location,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)
    # Or alternatively with a filter on a group:
    # AuthLDAPURL ldap://your-domain-controller:389/CN=Users,DC=location,DC=company,DC=com?sAMAccountName?sub?(memberOf=CN=MyGroup,CN=Users,DC=location,DC=company,DC=com)
    AuthLDAPBindDN cn=myusername,cn=Users,dc=location,dc=company,dc=com
    AuthLDAPBindPassword mypassword
    AuthType Basic
    AuthName "Protected"
    Require valid-user
</Location>

myusername and mypassword must match the username and password of the account you created to bind to Active Directory.
Finally, restart the Apache service and you’re done! A username and password prompt will pop up when you access the “protected” directory.
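To test the AuthLDAPURL from the command line with the ldapsearch client mentioned earlier before touching Apache, here is an added example (not part of the original post) that splits the URL into its parts, rebuilds the per-login lookup filter the module uses, and assembles the matching ldapsearch command; the URL and bind DN are the post’s placeholders, and the `review` checks are my own additions.

```python
"""Parse an Apache AuthLDAPURL, rebuild the per-login lookup filter and emit the
ldapsearch command that reproduces it.  Added example, not from the original post."""
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
FILTER_SPECIALS = "*()\\\x00"  # RFC 4515: must be escaped inside a filter value


def parse_auth_ldap_url(url):
    """scheme://host:port/basedn?attribute?scope?filter -> dict; missing fields
    take the module's defaults (uid, sub, (objectClass=*))."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    # The part after the base DN is '?'-separated, not key=value, so split it by hand
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[parts.scheme],
            "base_dn": unquote(parts.path.lstrip("/")),
            "attribute": attribute or "uid", "scope": scope or "sub",
            "filter": unquote(ldap_filter) or "(objectClass=*)"}


def user_search_filter(parsed, username):
    """The module ANDs the URL filter with attribute=username.  The login name
    is escaped so a crafted name cannot alter the meaning of the filter."""
    escaped = "".join("\\%02x" % ord(c) if c in FILTER_SPECIALS else c for c in username)
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"], escaped)


def ldapsearch_command(parsed, bind_dn, username):
    """argv for OpenLDAP ldapsearch running the same query from a shell.
    -W prompts for the bind password instead of exposing it in `ps` output."""
    uri = "%s://%s:%d" % (parsed["scheme"], parsed["host"], parsed["port"])
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", parsed["base_dn"], "-s", parsed["scope"],
            user_search_filter(parsed, username), "dn", parsed["attribute"]]


def review(parsed):
    """Two points to settle before relying on this URL in production."""
    findings = []
    if parsed["scheme"] == "ldap":
        findings.append("ldap:// without TLS: the bind password and every user's "
                        "password cross the network in clear; prefer ldaps://")
    if "memberOf=" not in parsed["filter"]:
        findings.append("no group filter: 'Require valid-user' accepts any enabled "
                        "AD account matching %s" % parsed["filter"])
    # AD's memberOf holds direct membership only, so nested groups will not match.
    return findings
```

Run the returned argv as-is; if ldapsearch returns the user’s DN, the same URL will work in Apache, and if it returns nothing the filter or base DN is wrong rather than the module.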

Notes on Authentication

Do not enter the domain name before the username as you would for a Windows logon (\\DOMAINNAME\user), or you will get a “wrong credential” message in the Apache logs.

It is also possible to fall back to other authentication methods. Simply add the AuthLDAPAuthoritative directive followed by, for example, AuthUserFile /var/www/html/Protected/htpasswd if your password file is located there. With this method you can authenticate on Apache with a user that doesn’t exist in Active Directory.
The <Location /protected> directive is recursive, meaning that all pages in subdirectories are protected as well. If you want to give public access to the subdirectory /pub, you can use the following set of directives:

<Location "/pub">
    Order allow,deny
    Allow from all
    Satisfy any
</Location>


I would like to thank my great workmate Phil for helping me out with this. Visit his webpage at www.brassy.net.


9 Responses to “Apache Authentication against Active Directory”

  1. Alex on 18 Aug 2008 at 5:07 am

    Your blog is interesting!

    Keep up the good work!

  2. Jason H. on 22 Jan 2009 at 6:12 pm

    This is a very nice article. Couple questions.

    I am trying to establish an AD/Apache connection for my office under a WAMP server. I wanted to keep everything in my httpd.conf file. I noticed that I could not put the text specified above in the httpd.conf file without specifying a specification. Which module should I name here? My second question is, once you get this set up, how do you test to see if it is working? Thanks.

  3. Smack on 01 Oct 2010 at 5:48 pm

    It helps too if you have some article spinning tools. I have been using Spinner Chief, and why not, it’s free and it has great little options on it like auto-identify synonyms and it replaces them for you on the fly. Bad a$$! Article Rewrite Software

  4. Rob on 01 Dec 2010 at 1:06 pm

    Why do I have to specify the user’s password in the Apache Directive <location… example you give if the ActiveDirectory server already contains a list of valid users and their passwords?

    Surely the point of using ActiveDirectory is to provide a centralised way to maintain user accounts, so that the Windows logon user/password can also be used to gain access to restricted areas on intranet servers, a single sign on, so that many different account systems don't need to be maintained.

    Also having such data in an Apache directive means that the data now has to be maintained in 2 places.

  5. dave on 01 Dec 2010 at 1:37 pm

    This is what is called the “bind user”. You can get information from Active Directory once you’re authenticated: this is by design.
    Many use Administrator as a bind user, but a dedicated user with restricted rights is much better security-wise.

  6. Felix on 24 Jan 2012 at 11:07 pm

    How do I get the authentication to work on Ubuntu 10.04 and AD? After entering the info above in /etc/httpd.conf and restarting apache2, nothing happens on the server.

  7. dave on 15 Feb 2012 at 9:57 am

    “Nothing happens” doesn’t mean much…
    Your Linux distro has nothing to do with it; everything is between AD and Apache.

  8. will on 15 Feb 2015 at 5:09 am

    Tried this on my CentOS 6.6 box by creating a ‘protected’ directory and following what you had above in my httpd.conf file, but it actually gives me a 500: internal server error after the web server is restarted with that configuration.

    I have tried ldapsearch from the command line and I can bind to AD with the credentials I’m using and get the information, but it doesn’t seem to work with Apache. Do some of the entries need to be in quotes or something?

  9. dave on 17 Feb 2015 at 2:51 pm

    You should be looking at your Apache error log.
    Internal server error is a generic error returned by your web page.
