In my previous blog post https://akhpark.wordpress.com/2013/01/24/requiring-active-directory-useridpassword-to-access-the-apache-website-on-ubuntu-server/ I had the Apache server authenticate against the Active Directory server using mod_auth_ldap.
In this step, we are making a couple of changes to the way the authentication is done.
1. We changed the AuthLDAPURL, so you no longer have to specify one specific OU. It will look up the authentication information across all the OUs in AD.
2. We used require valid-user this time, so anyone who has a valid userid/password combination will be able to see the site.
1. First, enable the module mod_authnz_ldap. You can do this by typing
sudo a2enmod authnz_ldap
After mod_authnz_ldap is successfully enabled, you should see the file authnz_ldap.load under the /etc/apache2/mods-enabled folder. (CentOS has this built in, so you can skip this step.)
2. On the Active Directory server, you need to create a user (it does not need to be an administrator account; a plain domain user is fine). In the example below, the user is called AD_VIEWER with the password password123.
3. Modify the file /etc/apache2/sites-enabled/000-default. I have included a sample below.
<Directory "/var/www/secret">
    # Deny anonymous (host-based) access; together with "satisfy any" below,
    # a successful LDAP login is the only way in.
    Order deny,allow
    deny from all
    AuthType Basic
    AuthName "example.com"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    # Global Catalog port 3268 with the domain root as base DN, so users in any OU are found
    AuthLDAPURL "ldap://server01.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
    # Account used to bind and look up users (created in step 2)
    AuthLDAPBindDN "AD_VIEWER@yourdomain.com"
    AuthLDAPBindPassword password123
    AuthLDAPGroupAttributeIsDN on
    # Any user who authenticates successfully is allowed in
    require valid-user
    satisfy any
</Directory>
A couple of things to note:
AuthzLDAPAuthoritative needs to be off. You need to set this to on if you want to authorize specific users with require ldap-user.
AuthLDAPURL needs to point to the GC (Global Catalog) server. Also note that the port has changed from 389 to 3268.
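As an added check (my own example, not code from the original post), here is a small Python lint that parses the AuthLDAPURL syntax mod_authnz_ldap expects (scheme://host:port/basedn?attribute?scope?filter) and flags the two pitfalls above: a port that is not the Global Catalog, and a scope other than sub, which would stop the lookup from covering every OU. The sample config is constructed from the block above; GC_PORTS also includes 3269 (the GC port over TLS), which the post does not mention.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the <Directory> block from the post, one directive per line.
SAMPLE_CONFIG = '''
<Directory "/var/www/secret">
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://server01.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "AD_VIEWER@yourdomain.com"
    AuthLDAPBindPassword password123
    require valid-user
</Directory>
'''

GC_PORTS = {3268, 3269}  # Global Catalog: plain LDAP and LDAP over TLS (3269 is an assumption, not from the post)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL of the form scheme://host:port/basedn?attribute?scope?filter
    into a dict, filling in the defaults mod_authnz_ldap uses for omitted parts."""
    u = urlsplit(url)
    fields = u.query.split("?") if u.query else []
    fields += [""] * (3 - len(fields))  # pad missing trailing parts
    attribute, scope, flt = fields[:3]
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "basedn": u.path.lstrip("/"),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
    }


def lint_ldap_auth(config_text):
    """Return a list of findings for the AuthLDAPURL in an Apache config snippet;
    an empty list means the URL meets the requirements described in the post."""
    m = re.search(r'^\s*AuthLDAPURL\s+"?([^"\s]+)', config_text, re.M)
    if not m:
        return ["AuthLDAPURL directive is missing"]
    url = parse_auth_ldap_url(m.group(1))
    findings = []
    if url["port"] not in GC_PORTS:
        findings.append(f"port {url['port']}: not a Global Catalog port (3268/3269)")
    if url["scope"] != "sub":
        findings.append(f"scope {url['scope']}: use sub to search every OU under the base DN")
    if url["attribute"].lower() != "samaccountname":
        findings.append(f"attribute {url['attribute']}: AD logins match sAMAccountName")
    return findings
```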