{"id":94,"date":"2006-09-26T00:00:00","date_gmt":"2006-09-26T00:00:00","guid":{"rendered":"http:\/\/netexpertise\/en\/?p=94"},"modified":"2021-10-21T21:11:17","modified_gmt":"2021-10-21T19:11:17","slug":"authentication-against-active-directory","status":"publish","type":"post","link":"http:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html","title":{"rendered":"Apache Authentication against Active Directory"},"content":{"rendered":"\n<p>A typical setup in a company is made of Windows clients authenticating against a central Active Directory. Many companies also have an <a href=\"\/en\/category\/misc\/apache\">Apache<\/a> server on which they host their intranet or other critical information. Where critical information is involved, there is a good chance access should be restricted to certain groups of people. I was asked to install a wiki for my team to build a knowledge base, likely to contain sensitive information about the company, and I thought authenticating Apache against Active Directory would be a good solution.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Authenticate Apache against Windows AD?<\/h2>\n\n\n\n<ul><li>It is quick to implement<\/li><li>Nobody likes to have multiple accounts. It&#8217;s a human thing to forget usernames and passwords<\/li><li>There is no need to recreate each single account<\/li><li>Everything is centralised. 
Access to the web server is denied if the AD account is disabled<\/li><li>Grant access to users who belong to specific Active Directory groups<\/li><\/ul>\n\n\n\n<p>Even though I&#8217;m not pro-Microsoft, these are reasons enough to take the plunge!<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"\/uploads\/eye-iris-biometrics-face-detection-5814965.jpg\" alt=\"Authenticate Apache AD\"\/><figcaption><a href=\"https:\/\/pixabay.com\/users\/geralt\">geralt<\/a> \/ Pixabay<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Bind to Active Directory<\/h3>\n\n\n\n<p>Active Directory is <a href=\"https:\/\/ldap.com\">LDAP<\/a> (Lightweight Directory Access Protocol) compliant, meaning you can run queries to retrieve information about users and computers on the domain. You can use the ldapsearch client to browse its structure. However, you need to create a dedicated user that binds to the domain controller to look up user details.<\/p>\n\n\n\n<ul><li>Connect to your domain controller and create a new user in &#8220;Active Directory Users and Computers&#8221;.<\/li><li>Untick &#8220;User must change password at next logon&#8221;.<\/li><li>Its username and password will be needed to bind the Apache server to the domain controller.<\/li><\/ul>\n\n\n\n<p>The next step is to get your LDAP domain name. We&#8217;ll assume it is &#8216;location.company.com&#8217;. If you don&#8217;t know it, run through the following procedure to find out.<br>Run <i>ldp.exe<\/i> on the domain controller.<br>Click &#8216;Connection&#8217; -> &#8216;Connect&#8217; from the top menu and leave &#8216;localhost&#8217; in the bottom field.<br>Then click &#8216;Connection&#8217; -> &#8216;Bind&#8217; from the top menu and enter the details of the user you created earlier.<br>Now go to &#8216;Browse&#8217; -> &#8216;Search&#8217; and press &#8216;Enter&#8217;. This will return a list of all objects present in the directory. 
It is a bit austere, but you can easily find the user entries. An entry should look similar to this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"yaml\" class=\"language-yaml\">Dn: CN=John Doe,CN=Users,DC=location,DC=company,DC=com\nobjectClass: top; person; organizationalPerson; user;\ncn: John Doe;\ndescription: John Doe;<\/code><\/pre>\n\n\n\n<p>We are now going to configure the Apache module.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Apache Authentication<\/h3>\n\n\n\n<p>Check that mod_auth_ldap or mod_authz_ldap is activated in httpd.conf in the load modules section. The module configuration can be added to httpd.conf, but it&#8217;s always a good idea to keep it in a separate file. Apache on Red Hat stores module config files in \/etc\/httpd\/conf.d\/. I added the following lines to authz_ldap.conf:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"apacheconf\" class=\"language-apacheconf\">&lt;Location \/protected&gt;\nOrder deny,allow\nAllow from all\nAuthBasicProvider ldap\nAuthzLDAPAuthoritative Off\n# The directive and its URL must stay on one line.\n# ldap:\/\/ on port 389 carries the bind password and user credentials in clear\n# text on the wire; use ldaps:\/\/your-domain-controller:636\/... where the DC offers it.\nAuthLDAPURL ldap:\/\/your-domain-controller:389\/CN=Users,DC=location,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)\n# Or, to restrict access to the members of one group:\n# AuthLDAPURL ldap:\/\/your-domain-controller:389\/CN=Users,DC=location,DC=company,DC=com?sAMAccountName?sub?(memberOf=CN=MyGroup,CN=Users,DC=location,DC=company,DC=com)\nAuthLDAPBindDN cn=myusername,cn=Users,dc=location,dc=company,dc=com\nAuthLDAPBindPassword mypassword\n# Basic auth sends the password with every request: serve \/protected over HTTPS.\nAuthType Basic\nAuthName \"Protected\"\nrequire valid-user\n&lt;\/Location&gt;<\/code><\/pre>\n\n\n\n<p><i>myusername<\/i> and <i>mypassword<\/i> must match the user and password you created to bind to Active Directory.<br>Finally, restart the Apache service and you&#8217;re done! 
A window asking for a username and password will pop up when accessing the &#8220;protected&#8221; directory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Notes on Authentication<\/h3>\n\n\n\n<p>Do not enter the domain name before the username as you would for a Windows logon (\\\\DOMAINNAME\\user). You would get a &#8220;wrong credential&#8221; message in the Apache logs.<br>It is also possible to fall back to other authentication methods. Simply add the keyword <i>AuthLDAPAuthoritative<\/i> followed by <i>AuthUserFile \/var\/www\/html\/Protected\/htpasswd<\/i>, for example, if your .htaccess file is located there. With this method you can authenticate on Apache with a user that doesn&#8217;t exist in Active Directory.<br>The &lt;Location \/protected> directive is recursive, meaning that all pages in subdirectories are protected as well. If you want to give public access to the subdirectory \/pub, you can use the following set of instructions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"apacheconf\" class=\"language-apacheconf\">&lt;Location \"\/pub\"&gt;\n    Order allow,deny\n    Allow from all\n    Satisfy any\n&lt;\/Location&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Related<\/h3>\n\n\n\n<p>I would like to thank my great workmate Phil for helping me out with this. 
Visit his webpage at <a href=\"http:\/\/www.brassy.net\/\">www.brassy.net<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Steps to authenticate Apache against Windows Active Directory with LDAP module.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[65,72],"tags":[390,66,392,386,391],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Netexpertise - Apache Authentication against Active Directory<\/title>\n<meta name=\"description\" content=\"Authenticate Apache web pages against Windows Active Directory. Authorise AD group members to access resources\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Netexpertise - Apache Authentication against Active Directory\" \/>\n<meta property=\"og:description\" content=\"Authenticate Apache web pages against Windows Active Directory. 
Authorise AD group members to access resources\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html\" \/>\n<meta property=\"og:site_name\" content=\"Netexpertise\" \/>\n<meta property=\"article:published_time\" content=\"2006-09-26T00:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-21T19:11:17+00:00\" \/>\n<meta name=\"author\" content=\"dave\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@netexpertise\" \/>\n<meta name=\"twitter:site\" content=\"@netexpertise\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html\",\"url\":\"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html\",\"name\":\"Netexpertise - Apache Authentication against Active Directory\",\"isPartOf\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#website\"},\"datePublished\":\"2006-09-26T00:00:00+00:00\",\"dateModified\":\"2021-10-21T19:11:17+00:00\",\"author\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\"},\"description\":\"Authenticate Apache web pages against Windows Active Directory. 
Authorise AD group members to access resources\",\"breadcrumb\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.netexpertise.eu\/en\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Apache Authentication against Active Directory\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#website\",\"url\":\"https:\/\/www.netexpertise.eu\/en\/\",\"name\":\"Netexpertise\",\"description\":\"Systems \/ Networks \/ DevOps\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.netexpertise.eu\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\",\"name\":\"dave\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"contentUrl\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"caption\":\"dave\"},\"sameAs\":[\"http:\/\/www.netexpertise.eu\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Netexpertise - Apache Authentication against Active Directory","description":"Authenticate Apache web pages against Windows Active Directory. 
Authorise AD group members to access resources","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html","og_locale":"en_US","og_type":"article","og_title":"Netexpertise - Apache Authentication against Active Directory","og_description":"Authenticate Apache web pages against Windows Active Directory. Authorise AD group members to access resources","og_url":"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html","og_site_name":"Netexpertise","article_published_time":"2006-09-26T00:00:00+00:00","article_modified_time":"2021-10-21T19:11:17+00:00","author":"dave","twitter_card":"summary_large_image","twitter_creator":"@netexpertise","twitter_site":"@netexpertise","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html","url":"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html","name":"Netexpertise - Apache Authentication against Active Directory","isPartOf":{"@id":"https:\/\/www.netexpertise.eu\/en\/#website"},"datePublished":"2006-09-26T00:00:00+00:00","dateModified":"2021-10-21T19:11:17+00:00","author":{"@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa"},"description":"Authenticate Apache web pages against Windows Active Directory. 
Authorise AD group members to access resources","breadcrumb":{"@id":"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.netexpertise.eu\/en\/misc\/apache\/authentication-against-active-directory.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.netexpertise.eu\/en"},{"@type":"ListItem","position":2,"name":"Apache Authentication against Active Directory"}]},{"@type":"WebSite","@id":"https:\/\/www.netexpertise.eu\/en\/#website","url":"https:\/\/www.netexpertise.eu\/en\/","name":"Netexpertise","description":"Systems \/ Networks \/ DevOps","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.netexpertise.eu\/en\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa","name":"dave","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/","url":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","contentUrl":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","caption":"dave"},"sameAs":["http:\/\/www.netexpertise.eu"]}]}},"_links":{"self":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/94"}],"collection":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/comments?post=94"}],"version-history":[{"count":0,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/94\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/media?parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/categories?post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/tags?post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}