Setting Up LDAP With Active Directory On Apache

21st January 2008

Using a simple .htpasswd to password protect a directory or website is fine if you only have a few users, and they don't change very much. However, this quickly becomes impossible to maintain if you have lots of users. For example, if you wanted to secure access to the company Intranet you might spend quite some time trying to update your .htpasswd file. The best way to do this is to transfer all of the user administration over to an LDAP server and then get Apache to communicate with this directly. The Active Directory (AD) system that Microsoft uses allows LDAP communications, and as this is in use across many company networks it is an ideal candidate to use.

You first need to set of the LDAP modules on your Apache server. Uncomment or add the following lines in your http.conf file. You will need to make sure that the files actually exist as well.

  1. LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  2. LoadModule ldap_module modules/mod_ldap.so

Also make sure that the are put before the following line.

LoadModule auth_basic_module modules/mod_auth_basic.so

Restart Apache to load the modules into the system.

What you need to do now is figure out how to get to your user information within AD. If you are using Windows XP you can download the Windows support tools from the Microsoft website for free. This contains a program called ldp.exe. You can use this program to figure out the object hierarchy leading to your user's information. So if your company Intranet is called company.local then you might see the correct information at company.local->MyBusiness->Users.

The next step is to set up a user so that Apache can access the AD. Just create a default user with virtually no access, it just needs to be able to access the user system.

Next you need to open your httpd.conf and put in the following lines right after the module declarations.

  1. # LDAP authentication...
  2. AuthType Basic
  3. AuthName "#! code Secure"
  4. AuthBasicProvider ldap
  5. AuthzLDAPAuthoritative On
  6.  
  7. AuthLDAPBindDN CN=localuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=hashbangcode,DC=local
  8. AuthLDAPBindPassword localuserpassword
  9.  
  10. AuthLDAPURL ldap://server.hashbangcode.local:389/OU=Users,OU=MyBusiness,DC=hashbangcode,DC=local?sAMAccountName?sub?(objectClass=*)
  11.  
  12. Require valid-user
  13.  

Restart your server and try to access it; you should be presented with a login screen.

If you can't access Apache then open up the file error.log and take a look at the last line. It will give you a good idea of what is going wrong.

If the username you entered is correct but your password is wrong then you will see the following line:

  1. [Tue Dec 18 08:58:00 2007] [warn] [client 10.0.0.1] [1] auth_ldap authenticate: user theusername authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Invalid Credentials]
  2. [Tue Dec 18 08:58:00 2007] [error] [client 10.0.0.1] user theusername: authentication failure for "/": Password Mismatch

If your username is incorrect then you will see the following line.

  1. [Tue Dec 18 09:06:13 2007] [warn] [client 10.0.0.1] [1] auth_ldap authenticate: user a_non_valid_username authentication failed; URI / [User not found][No Such Object]
  2. [Tue Dec 18 09:05:02 2007] [error] [client 10.0.0.1] user a_non_valid_username not found: /

I have found that when you can't get this module to work it is usually because you can't access the LDAP server. If you are getting login prompts but can't get it to understand the correct user information then try having a look at the LDAP server firewall.

Comments

Permalink
I found that with: AuthzLDAPAuthoritative On the configuration did not work and the browser would continually prompt for the username and password, even though a valid username and password were entered. With AuthzLDAPAuthoritative Off the browser would continue on as expected and display the requested page.

Lyle Sidor (Thu, 03/13/2008 - 22:52)

Add new comment

The content of this field is kept private and will not be shown publicly.