Requiring Active Directory Userid/Password for website access -v2

In my previous blog post, https://akhpark.wordpress.com/2013/01/24/requiring-active-directory-useridpassword-to-access-the-apache-website-on-ubuntu-server/, I had the Apache server authenticate against the Active Directory server using Mod_Auth_LDAP.

In this step, we are making a couple of changes to the way the authentication is done.

1. We changed the AuthLDAPURL, so you no longer have to specify one specific OU. The lookup now covers every OU in the AD forest.

2. We used require valid-user this time, so anyone who has a valid userid/password combination will be able to see the web site.

1. First, enable the module mod_authnz_ldap. You can do it by typing

sudo a2enmod authnz_ldap

After mod_authnz_ldap is successfully enabled, you should see the file authnz_ldap.load under the /etc/apache2/mods-enabled folder. (CentOS has this built in, so you can skip this step.)

2. On the Active Directory server, you need to create a user (it does not need to be an administrator account; a plain domain user is fine). In the example below, the user is called AD_VIEWER with the password password123.

3. Modify the file /etc/apache2/sites-enabled/000-default. A sample is included below.

<Directory "/var/www/secret">
    # Deny everyone by default; "Satisfy any" below lets an authenticated LDAP user through
    Order deny,allow
    Deny from all
    AuthType Basic
    AuthName "example.com"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    # Global Catalog port 3268, forest-wide base DN, users looked up by sAMAccountName
    AuthLDAPURL "ldap://server01.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
    # Bind account created in step 2 (a plain domain user is enough)
    AuthLDAPBindDN "AD_VIEWER@yourdomain.com"
    AuthLDAPBindPassword password123
    AuthLDAPGroupAttributeIsDN on
    Require valid-user
    Satisfy any
</Directory>

A couple of things to note:

AuthzLDAPAuthoritative needs to be off. Set it to on if you want to restrict access to particular users with require ldap-user.
AuthLDAPURL needs to point to the GC (Global Catalog) server. Also note that the port has changed from 389 to 3268.
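As an added example (not part of the original post), the Python script below parses an AuthLDAPURL in the layout mod_authnz_ldap uses (scheme://host[:port]/basedn?attribute?scope?filter), flags the points raised above (Global Catalog port, search scope, plain ldap://), and builds the ldapsearch command that reproduces the module's user lookup so the AD_VIEWER bind account can be checked before Apache is reloaded. The function names are this example's own; the URL and bind DN values are taken from the configuration above.

```python
"""Parse and sanity-check an Apache AuthLDAPURL.

Added example, not from the original post. mod_authnz_ldap's URL layout is
  scheme://host[:port]/basedn?attribute?scope?filter
and the user lookup is (&(filter)(attribute=<login name>)).
Helper names below are this example's own.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

GC_PORTS = {3268, 3269}  # Active Directory Global Catalog (LDAP / LDAPS)


@dataclass
class AuthLdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split an AuthLDAPURL into its parts, applying the module's defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("AuthLDAPURL has no host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # After the base DN come up to three '?'-separated fields; the filter may
    # itself contain '?', so split at most twice.
    fields = parts.query.split("?", 2) if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = (unquote(f) for f in fields)
    return AuthLdapUrl(
        scheme=parts.scheme,
        host=parts.hostname,
        port=port,
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attribute or "uid",         # module default
        scope=(scope or "sub").lower(),       # module default
        filter=filt or "(objectClass=*)",     # module default
    )


def lint(u: AuthLdapUrl) -> list[str]:
    """Return the caveats a reviewer would raise about this URL."""
    notes = []
    if u.scheme == "ldap":
        notes.append("plain ldap://: the bind password and every user's password "
                     "cross the network unencrypted unless mod_ldap's "
                     "LDAPTrustedMode TLS (STARTTLS) or ldaps:// is used")
    if u.port not in GC_PORTS:
        notes.append(f"port {u.port} is a single-domain LDAP port; the post uses the "
                     "Global Catalog (3268/3269) so all OUs in the forest are searched")
    if u.scope != "sub":
        notes.append(f"scope '{u.scope}' searches only the direct children of "
                     f"{u.base_dn}; users in nested OUs will not be found")
    if u.attribute.lower() != "samaccountname":
        notes.append(f"attribute {u.attribute} is not the AD logon name (sAMAccountName)")
    return notes


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of a login name so it cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def ldapsearch_command(u: AuthLdapUrl, bind_dn: str, login_name: str) -> list[str]:
    """Build the ldapsearch invocation that reproduces the module's user lookup."""
    user_filter = f"(&{u.filter}({u.attribute}={ldap_filter_escape(login_name)}))"
    return [
        "ldapsearch", "-LLL", "-x",
        "-H", f"{u.scheme}://{u.host}:{u.port}",
        "-D", bind_dn, "-W",          # -W prompts for the bind password
        "-b", u.base_dn, "-s", u.scope,
        user_filter, "dn", u.attribute,
    ]


if __name__ == "__main__":
    url = ("ldap://server01.example.com:3268/DC=example,DC=com"
           "?sAMAccountName?sub?(objectClass=*)")  # value from the config above
    parsed = parse_auth_ldap_url(url)
    for note in lint(parsed):
        print("note:", note)
    # "jdoe" is a constructed sample login name
    print(shlex.join(ldapsearch_command(parsed, "AD_VIEWER@yourdomain.com", "jdoe")))
```

Run it on the URL from your own config and paste the printed ldapsearch line into a shell on the web server: a result with one dn line means the bind account works and the base DN, port and attribute match your directory; a bind error or empty result points at the directive to fix before touching Apache.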
