in Security, Web

Enable Active Directory / LDAP authentication in Apache

If you already have a central directory of users installed (AD or LDAP) you can configure most applications to use that directory instead of a local database for each application and make the user management much easier. Apache supports that so here are instructions on how to password protect a site or location using LDAP directory.

In squeeze, the Apache LDAP module is already installed with the Apache common package. You just need to enable the module and configure.

1. Enable the LDAP module

a2enmod authnz_ldap

2. Add Auth config variables to the site or directory that should be password protected (ex. pico /etc/apache2/sites-enabled/000-default). In this example, the “/protected” relative location will be password protected. You can protect any Location or Directory using the same method.

<Location /protected>
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthName "Password protected. Enter your AD username and password."
AuthLDAPURL "ldap://{host_or_ip}/CN=Users,DC=example,DC=org?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "{username}"
AuthLDAPBindPassword {password}
Require valid-user

Replace {host_or_ip} with the AD/LDAP server hostname or IP address. Change to your domain. Enter username and password for a user that has access to the domain.

The last line, “Require valid-user” will allow any user in the directory to login. To allow only certain users, change that line to:

Require ldap-user user1 user2

To allow only users from a specific group, change “Require valid-user” to:

Require ldap-group CN={group},CN=Users,dc=example,dc=org

Replace {group} to the name of a group and type correct domain name instead of

3. Restart Apache

/etc/init.d/apache2 restart

Write a Comment


  1. Great tutorial. Had everything I needed and nothing I didn’t, except that I needed to add


    to /etc/ldap/ldap.conf to make it work.