Sep 26 2006

Apache Authentication against Active Directory

Published by at 12:00 am under Apache,Ldap




A typical company setup consists of Windows clients authenticating against a Windows 2000 or 2003 server running Active Directory. Many companies also have an Apache server on which they host their intranet or other critical information. Talking about critical information, there is a good chance access should be restricted to certain groups of people in that same company. I was asked to install a wiki for my team to build a knowledge base, likely to contain sensitive information about the company. I thought authenticating against Active Directory was the best solution:

  • It’s quick to implement
  • Nobody likes to have different accounts. It’s a human thing to forget usernames and passwords
  • There is no need to recreate each single account
  • Everything is centralised. If an account is disabled on the domain, access to the web server will be disabled as well
  • Groups in Active Directory can be used

Even though I’m not pro-Microsoft, these are reasons enough to take the step! Some might prefer the RADIUS protocol for authentication in Apache. Check this out: http://www.freeradius.org/mod_auth_radius/
 

Binding to Active Directory

Active Directory is LDAP (Lightweight Directory Access Protocol) compliant, meaning you can run queries to retrieve information about users and computers on the domain. You can use the ldapsearch client to browse its structure. However, you need to create a special user that binds to the domain controller in order to read users’ details.

  • Connect to your domain controller and create a new user in “Active Directory Users and Computers”.
  • Untick “User must change password at next logon” and do not create an Exchange mailbox.
  • Username and password will be needed to bind the Apache server to the domain controller.

The next step is to get your LDAP domain name. We’ll assume it is ‘location.company.com’. If you don’t know it, either ask your system administrator or run through the following procedure to find out.
Run ldp.exe on the domain controller. Click ‘Connection’ -> ‘Connect’ in the top menu and leave ‘localhost’ in the bottom field. Then click ‘Connection’ -> ‘Bind’ and enter the details of the user you created earlier. Now go to ‘Browse’ -> ‘Search’ and press ‘enter’. This returns a list of all objects present in the directory. It is a bit austere, but you can easily spot the lines for users on your system. An entry should look similar to this:
 

Dn: CN=John Doe,CN=Users,DC=location,DC=company,DC=com
objectClass: top; person; organizationalPerson; user;
cn: John Doe;
description: John Doe;

 
The DC= components of that DN give us the information we were after: location.company.com. We are going to use it to configure the Apache module.
 

Configuring Apache

I’m using Apache 2.2.2 but the procedure is similar with other versions. Check that the LDAP authentication module (mod_auth_ldap or mod_authz_ldap depending on your build; on Apache 2.2 the directives used below belong to mod_authnz_ldap, which in turn needs mod_ldap) is activated in httpd.conf, in the load modules section. The module configuration can be added to httpd.conf, but it’s always a good idea to keep it in a separate file. Apache on Red Hat stores module config files in /etc/httpd/conf.d/. I added the following lines to authz_ldap.conf:
 

<Location /protected>
    Order deny,allow
    Allow from all
    # Authenticate against LDAP (Active Directory)
    AuthBasicProvider ldap
    # Let other modules decide when LDAP cannot authorise the user
    AuthzLDAPAuthoritative Off
    # host:port/base DN?attribute to match the login name?scope?filter
    AuthLDAPURL ldap://your-domain-controller:389/CN=Users,DC=location,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)
    # Account used to bind and look up users
    AuthLDAPBindDN cn=myusername,cn=Users,dc=location,dc=company,dc=com
    AuthLDAPBindPassword mypassword
    AuthType Basic
    AuthName "Protected"
    require valid-user
</Location>

 
myusername and mypassword are the user and password you created to bind to Active Directory.
Restart Apache and you’re done! A window asking for a username and password pops up when you access the “protected” directory.
 

Notes

You should not enter the domain name before the username as you would on Windows (\\DOMAINNAME\user); doing so gives a “wrong credential” message in the Apache logs, meaning either the username or the password is wrong.
 
It is possible to fall back to other authentication methods. Simply add the AuthLDAPAuthoritative directive (set to Off) followed by, for instance, AuthUserFile /var/www/html/Protected/htpasswd if that is where your htpasswd file is located. This way you can create an extra user that doesn’t exist in Active Directory.

The <Location /protected> directive is recursive, meaning that all pages in subdirectories are protected as well. If you want to give public access to the subdirectory /pub, you can use the following set of instructions:

<Location "/pub">
    Order allow,deny
    Allow from all
    # "Satisfy any" lets the host-based rule above win, so no login is asked for
    Satisfy any
</Location>
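The following is an added example, not from the original post and not an official Apache snippet, that pulls the notes above together for Apache 2.2’s mod_authnz_ldap. It keeps the bind password and the users’ passwords off the wire with ldaps://, falls back to a local htpasswd file as the fallback paragraph describes, and uses an Active Directory group (the “Groups in Active Directory can be used” point from the introduction) to restrict a sub-tree. The domain controller name, the bind user apache-bind, the group “Intranet Users”, the CA file path and the htpasswd path are assumptions; replace them with your own.

```apache
# Added example (not from the original post): Apache 2.2 / mod_authnz_ldap.
# Assumed names: domain controller "your-domain-controller", AD domain
# location.company.com, bind user "apache-bind", AD group "Intranet Users",
# the CA file path and the htpasswd path.

# mod_ldap, server-wide: trust the CA that issued the domain controller's
# certificate so the ldaps:// connection below can be verified.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /protected>
    Order deny,allow
    Allow from all

    AuthType Basic
    AuthName "Protected"

    # Try Active Directory first, then a local htpasswd file for the
    # few accounts that do not exist in AD.
    AuthBasicProvider ldap file
    AuthUserFile /var/www/html/Protected/htpasswd

    # ldaps:// (636) instead of ldap:// (389): otherwise the bind password
    # and every user's password cross the network in cleartext.
    # The base DN is the domain root, so users in any OU are found,
    # not only those under CN=Users.
    AuthLDAPURL "ldaps://your-domain-controller:636/DC=location,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=apache-bind,CN=Users,DC=location,DC=company,DC=com"
    AuthLDAPBindPassword "change-me"

    # Off: when LDAP cannot authorise the user, mod_authz_user decides,
    # which is what makes the htpasswd accounts usable here.
    AuthzLDAPAuthoritative Off
    Require valid-user
</Location>

# Tighter rule for a sub-tree: only members of one AD group get in.
<Location /protected/admin>
    # AD keeps membership in the group's "member" attribute as full DNs.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # On: a user that LDAP cannot place in the group is refused outright,
    # so htpasswd-only accounts get a 401 here instead of falling through.
    AuthzLDAPAuthoritative On
    Require ldap-group CN=Intranet Users,CN=Users,DC=location,DC=company,DC=com
</Location>
```

Before restarting Apache, the bind DN and the search filter can be tried from the Linux box with the OpenLDAP client, for instance `ldapsearch -x -H ldaps://your-domain-controller -D "CN=apache-bind,CN=Users,DC=location,DC=company,DC=com" -W -b "DC=location,DC=company,DC=com" "(sAMAccountName=jdoe)" dn memberOf` (jdoe is a placeholder). The dn it prints for the user is what Require ldap-group is compared against, and memberOf lists the groups that user belongs to, so a failing group rule can be diagnosed without touching Apache. Keep AuthzLDAPAuthoritative Off only in the sections where another provider is meant to take over; everywhere else the default On gives a clean 401 for users LDAP does not know.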

 

Related

I would like to thank my great work colleague Phil for helping me out on this. Visit his webpage at www.brassy.net.



9 Responses to “Apache Authentication against Active Directory”

  1. Alex on 18 Aug 2008 at 5:07 am

    Your blog is interesting!

    Keep up the good work!

  2. Jason H. on 22 Jan 2009 at 6:12 pm

    This is a very nice article. A couple of questions.

    I am trying to establish an AD/Apache connection for my office under a WAMP server. I wanted to keep everything in my httpd.conf file. I noticed that I could not put the text specified above in the httpd.conf file without specifying a specification. Which module should I name here? My second question is, once you get this set up, how do you test to see if it is working? Thanks.

  3. Smack on 01 Oct 2010 at 5:48 pm

    It helps if you have some article spinning tools. I have been using Spinner Chief, and why not, it’s free and it has great little options on it like auto-identify synonyms and it replaces them for you on the fly. Bad a$$! Article Rewrite Software

  4. Rob on 01 Dec 2010 at 1:06 pm

    Why do I have to specify the user’s password in the Apache Directive <location… example you give if the ActiveDirectory server already contains a list of valid users and their passwords?

    Surely the point of using ActiveDirectory is to provide a centralised way to maintain user accounts, so that the Windows logon user/password can also be used to gain access to restricted areas on intranet servers, a single sign on, so that many different account systems don't need to be maintained.

    Also having such data in an Apache directive means that the data now has to be maintained in 2 places.

  5. dave on 01 Dec 2010 at 1:37 pm

    This is the so-called “bind user”. You can get information from Active Directory once you’re authenticated: this is by design.
    Many use Administrator as a bind user, but a dedicated user with restricted rights is much better security-wise.

  6. Felix on 24 Jan 2012 at 11:07 pm

    How do I get the authentication to work on Ubuntu 10.04 and AD? After entering the info above in /etc/httpd.conf and restarting apache2 nothing happens on the server.

  7. dave on 15 Feb 2012 at 9:57 am

    “Nothing happens” doesn’t mean much…
    Your Linux distro has nothing to do with it; all is between AD and Apache.

  8. will on 15 Feb 2015 at 5:09 am

    Tried this on my CentOS 6.6 box by creating a ‘protected’ directory and following what you had above in my httpd.conf file, but it actually gives me a 500: internal server error after the web server is restarted with that configuration.

    I have tried ldapsearch from the command line and I can bind to AD with the credentials I’m using and get the information, but it doesn’t seem to work with Apache. Do some of the entries need to be in quotes or something?

  9. dave on 17 Feb 2015 at 2:51 pm

    You should be looking at your Apache error log.
    Internal server error is a generic error returned by your web page.
