Wednesday, June 17, 2009

LDAP/Active Directory Authentication with Apache

Alright, it took a few hours to get all the parameters correct, but we finally achieved centralized authentication by linking Apache authentication to our Active Directory. The critical concept to keep in mind is that there are two things you need to specify. First, the user that Apache will connect (bind) to the directory as, known as the "BindDN". Second, the query string that lets Apache locate a user in the directory: this is the LDAP URL.

In the end, this is the element we needed to add to our Apache config. On Ubuntu, we dropped this into the site-specific configuration file in /etc/apache2/sites-available.

<Location />
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName "Portal"
    AuthLDAPURL "ldap://activedirectorymachine/DC=foo,DC=com?sAMAccountName?sub?"
    AuthLDAPBindDN "CN=apache,CN=Users,DC=foo,DC=com"
    AuthLDAPBindPassword "PASSWORD"
    require valid-user
</Location>

In the above example, I created a user specifically for Apache, with password PASSWORD. I highly recommend using JXplorer to verify your bind credentials.

When configuring JXplorer against Active Directory, you will most likely need a Base DN as well; here it was "DC=foo,DC=com". The user name is the exact BindDN string from above, and the password is the same as well.

The AuthLDAPURL is the query used to fetch the entry associated with the username the user types in when prompted by the browser. In the example above, it searches the subtree under DC=foo,DC=com for an entry whose "sAMAccountName" attribute matches that username.
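To see how the pieces of the URL turn into an actual directory search, here is a small added example (not from the original post) that splits an AuthLDAPURL the way mod_authnz_ldap does, applies its defaults (attribute uid, scope sub, filter objectClass=*), and builds the filter Apache sends under the BindDN for a given login name. The hostnames and the "jdoe" login are constructed placeholders; the escaping follows RFC 4515 so that a login name containing "*" or parentheses cannot alter the filter.

```python
"""Parse an Apache AuthLDAPURL and build the filter mod_authnz_ldap would send."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# RFC 4515 escaping for values embedded in a search filter. The login name typed
# into the browser is untrusted input and must never reach the filter raw.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class AuthLDAPURL:
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> AuthLDAPURL:
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter with Apache's defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))          # pad missing ?attribute?scope?filter
    attribute, scope, flt = fields[:3]
    scope = scope or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope: {scope!r}")
    # Outer parens are stripped here and re-added in build_search_filter,
    # mirroring how mod_authnz_ldap wraps the configured filter.
    flt = flt or "objectClass=*"
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    return AuthLDAPURL(
        host=parts.hostname or "",
        port=parts.port or (636 if parts.scheme == "ldaps" else 389),
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attribute or "uid",
        scope=scope,
        filter=flt,
    )


def build_search_filter(u: AuthLDAPURL, username: str) -> str:
    """The search Apache runs under the BindDN to locate the entry for `username`."""
    return f"(&({u.filter})({u.attribute}={escape_filter_value(username)}))"
```

Run it against your own AuthLDAPURL before reaching for JXplorer: the printed base DN, attribute and scope are exactly what the directory must be able to answer for the bind user.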

I hope this helps people out.
