Saturday, May 9, 2009

Apache authentication against Active Directory

Apache is the world's most widely used web server. Almost 50 percent of all web servers on the internet run Apache, on a wide range of operating systems.

To protect content, Apache supports several authentication methods, including basic htpasswd files, MySQL, NTLM, LDAP and Active Directory (AD). Here I describe how to use Active Directory as the user/password database for an Apache server.

Assume we have an existing Active Directory domain that holds the company's user information. As part of single sign-on, we want AD to be the source of user credentials for accessing a corporate wiki running on an Apache server. For the purpose of this write-up, the wiki and the Apache server are assumed to run on GNU/Linux.

The following steps complete the integration of Apache with AD.
  • Create a user in AD that Apache can use as the LDAP bind user for read-only access to the AD database. Open Active Directory Users and Computers on the DC and create a domain user, say "apache", with a strong password "xxxxxxxxx".
  • If we want to use ldaps (LDAP over SSL), we need to export the certificate from AD and import it into the web server machine. Both can be done from the web server with the following openssl command.
openssl s_client -connect dc.mydomain.com:636

From the command's output, copy the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it as "domain.cer" in the /etc/httpd/conf.d directory on the web server.
  • Go to the Linux server and create a file named "authz_ldap.conf" in the directory /etc/httpd/conf.d with the following contents.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf.d/domain.cer
LDAPTrustedMode SSL
<Location "/">
  order deny,allow
  Allow from all
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthLDAPURL "ldaps://dc.mydomain.com:636/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
  AuthLDAPBindDN apache@mydomain.com
  AuthLDAPBindPassword xxxxxxxx
  AuthType Basic
  AuthName "Only for trusted users"
  require valid-user
</Location>

Here every AD user gets access to the website, because we use the option "require valid-user". To give access only to a specific group of users, use the following option instead of "valid-user".

require ldap-group CN=mygroup,OU=groups,DC=mydomain,DC=com

Note: the container tags are written <Location "/"> and </Location>; the quotes belong only around the path, not around the tag names. Since authz_ldap.conf holds the bind password in clear text, make the file readable only by root. Serve the wiki itself over HTTPS as well: HTTP Basic authentication only base64-encodes the user's password, it does not encrypt it.
  • Also make sure the following modules are loaded in Apache's configuration file httpd.conf.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_host_module modules/mod_authz_host.so
  • Add the following line to /etc/openldap/ldap.conf. This is essential for a working configuration: AD returns referrals to other naming contexts, and the LDAP client would otherwise try to follow them and fail.
REFERRALS off
  • Finally, restart the Apache server by issuing the following command.
/etc/init.d/httpd restart

Check the result by browsing to the wiki's URL and enjoy!
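As an added check that is not part of the original post, the following Python script validates the three files edited above before Apache is restarted: it splits the AuthLDAPURL into its parts, flags quoted Location tags, a plain ldap:// URL, a "require valid-user" that admits every AD account, missing LoadModule lines and a missing "REFERRALS off". The sample configuration embedded at the bottom is constructed from the post's own directives; the function names are my own.

```python
import re
import shlex
from urllib.parse import urlsplit

def parse_ldap_url(url):
    """Split an AuthLDAPURL (ldap[s]://host:port/basedn?attr?scope?filter) into its parts."""
    u = urlsplit(url)
    attr, scope, flt = (u.query.split("?") + ["", "", ""])[:3]
    return {"scheme": u.scheme, "host": u.hostname, "port": u.port,
            "basedn": u.path.lstrip("/"), "attribute": attr or "uid",
            "scope": scope or "sub", "filter": flt or "(objectClass=*)"}

def check_auth_config(authz_conf, httpd_conf, ldap_conf):
    """Return a list of findings for the three files the post edits; an empty list means all checks passed."""
    findings = []
    # The Location tag takes quotes only around the path, never around the tag name itself.
    if re.search(r'<"/?Location', authz_conf):
        findings.append('Location tags are quoted; write <Location "/"> ... </Location>')
    m = re.search(r"^\s*AuthLDAPURL\s+(.+)$", authz_conf, re.M)
    if not m:
        findings.append("AuthLDAPURL is missing")
    else:
        parts = parse_ldap_url(shlex.split(m.group(1))[0])  # first token is the URL, second the mode
        if parts["scheme"] != "ldaps":
            findings.append("AuthLDAPURL uses %s://: bind and user passwords would cross the network in clear" % parts["scheme"])
        if parts["attribute"].lower() != "samaccountname":
            findings.append("AuthLDAPURL searches on %s; AD logon names are stored in sAMAccountName" % parts["attribute"])
    if re.search(r"^\s*require\s+valid-user", authz_conf, re.M | re.I):
        findings.append("require valid-user grants access to every AD account; use require ldap-group to restrict it")
    for mod in ("mod_ldap.so", "mod_authnz_ldap.so", "mod_authz_host.so"):
        if not re.search(r"^\s*LoadModule\s+\S+\s+\S*" + re.escape(mod), httpd_conf, re.M):
            findings.append("LoadModule line for %s is missing from httpd.conf" % mod)
    if not re.search(r"^\s*REFERRALS\s+off", ldap_conf, re.M | re.I):
        findings.append("REFERRALS off is missing from /etc/openldap/ldap.conf")
    return findings

# Constructed sample: the post's authz_ldap.conf with correctly written Location tags and group-based access.
SAMPLE_AUTHZ = """\
LDAPTrustedMode SSL
<Location "/">
  AuthBasicProvider ldap
  AuthLDAPURL "ldaps://dc.mydomain.com:636/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
  AuthLDAPBindDN apache@mydomain.com
  AuthType Basic
  require ldap-group CN=mygroup,OU=groups,DC=mydomain,DC=com
</Location>
"""
SAMPLE_HTTPD = "\n".join("LoadModule %s_module modules/mod_%s.so" % (m, m) for m in ("ldap", "authnz_ldap", "authz_host"))
SAMPLE_LDAP = "REFERRALS off\n"
```

Running check_auth_config(SAMPLE_AUTHZ, SAMPLE_HTTPD, SAMPLE_LDAP) on the sample returns no findings; feed it the real file contents to check an installation.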