Use LDAP to authenticate Apache 2 users against an Active Directory

6 June 2009

Tested with Ubuntu 8.04 and Windows 2003 SP2

You need a valid Active Directory user account that can be used to authenticate against the AD, i.e. create a new user with minimal access rights and a strong password.

The name of the AD domain is 'virtual.local', therefore the base DN is DC=virtual,DC=local.

I use the user ldapcrawler. Please change these values according to your own setup.

Replace YOUR_IP with the IP of the AD server you want to authenticate against, and YOUR_PASSWORD with the password of the valid AD account described above.

To enable LDAP authentication in your Apache 2 server run the following as root:

a2enmod authnz_ldap

Use the following auth settings (e.g. in a .htaccess file or in a <Directory> section):

AuthBasicAuthoritative on
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthName "Ldap Test Area"
AuthType Basic
AuthLDAPURL "ldap://YOUR_IP/CN=Users,DC=virtual,DC=local?sAMAccountName??(objectclass=*)" NONE
AuthLDAPBindDN "CN=ldapcrawler,CN=Users,DC=virtual,DC=local"
AuthLDAPBindPassword "YOUR_PASSWORD"

If you use sAMAccountName as the attribute, your users will have to enter their legacy NT4-style username, i.e. if your username is quark@virtual.local or VIRTUAL\quark, enter quark. (See here for details.)

However, you can specify any LDAP attribute you want. For example, if you use userPrincipalName the user will have to enter their Windows 2000-style login name, i.e. if your username is quark@virtual.local, enter quark@virtual.local. (See here for details.)
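To sanity-check an AuthLDAPURL before putting it into a .htaccess file, here is a small parser added for this post (my own code, not part of mod_authnz_ldap) that splits the URL into its fields, applies the defaults mod_authnz_ldap documents, and shows the search filter built for a login name, with the login name escaped as RFC 4515 requires. The sample URL and login names are constructed from this post.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# RFC 4515: these characters must be hex-escaped inside a filter value,
# otherwise a login name such as "quark)(objectClass=*" rewrites the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapAuthUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> LdapAuthUrl:
    """Split scheme://host[:port]/basedn?attribute?scope?filter and apply
    the documented defaults: attribute uid, scope sub, filter (objectclass=*)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("ldap", "ldaps"):  # ldaps wraps the bind in TLS
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host, _, port = parts.netloc.partition(":")
    if not host:
        raise ValueError("AuthLDAPURL has no host")
    # Everything after the base DN is '?'-separated: attribute, scope, filter.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    scope = scope.lower() or "sub"
    if scope not in ("one", "sub"):
        raise ValueError(f"bad scope: {scope!r}")
    return LdapAuthUrl(
        scheme=parts.scheme, host=host,
        port=int(port) if port else (636 if parts.scheme == "ldaps" else 389),
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attribute or "uid", scope=scope, filter=filt or "(objectclass=*)",
    )


def build_user_filter(cfg: LdapAuthUrl, login_name: str) -> str:
    """Filter for one login in the combined form (&(filter)(attribute=user))
    that mod_authnz_ldap documents, with the login name escaped first."""
    return f"(&{cfg.filter}({cfg.attribute}={escape_filter_value(login_name)}))"
```

Running `build_user_filter` on the URL from this post with the login `quark` yields `(&(objectclass=*)(sAMAccountName=quark))`, which is the lookup the module performs before binding as the found user.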

For your require directive have a look here.

Some examples:

Allow any user that enters a correct password to login:

require ldap-attribute objectClass=user

Allow only members of a certain AD-Group to login:

require ldap-group cn=Your-Group-Name,cn=Users,DC=virtual,DC=local

If you want to use the require ldap-user directive, be advised that the username you have to specify depends on your LDAP query:

  • If you have specified sAMAccountName you must use:
    require ldap-user quark
  • If you have specified userPrincipalName you must use:
    require ldap-user quark@virtual.local
