Debian Tutorials

Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

Enable Active Directory / LDAP authentication in Apache

Ástþór IP

If you already have a central directory of users (AD or LDAP), you can configure most applications to authenticate against it instead of keeping a separate local user database for each application, which makes user management much easier. Apache supports this, so here is how to password-protect a site or location using an LDAP directory.

On squeeze, the Apache LDAP module (mod_authnz_ldap) is already installed as part of the Apache common package (apache2.2-common). You only need to enable and configure it.

1. Enable the LDAP module

a2enmod authnz_ldap

2. Add the Auth directives to the site or directory that should be password protected (e.g. pico /etc/apache2/sites-enabled/000-default, which is a symlink to the file of the same name in sites-available). In this example the relative location “/protected” is password protected; any Location or Directory can be protected the same way.

<Location /protected>
    AuthType Basic
    AuthBasicProvider ldap
    # Apache 2.2 only: this directive was removed in 2.4, where it makes
    # "apache2ctl configtest" fail, so drop it there.
    AuthzLDAPAuthoritative on
    AuthName "Password protected. Enter your AD username and password."
    # Search base, attribute the typed username is matched against, scope and filter.
    AuthLDAPURL "ldap://{host_or_ip}/CN=Users,DC=example,DC=org?sAMAccountName?sub?(objectClass=*)"
    # Account Apache binds with to look up the user (AD accepts the user@domain form;
    # a generic LDAP server needs a full DN here).
    AuthLDAPBindDN "{username}@example.org"
    AuthLDAPBindPassword {password}
    Require valid-user
</Location>

Replace {host_or_ip} with the AD/LDAP server hostname or IP address and change example.org to your domain. {username} and {password} are the credentials of the account Apache binds with to search for users; any domain user with read access to the directory is enough, so use a dedicated low-privilege account rather than an administrator. The bind password is stored in clear in this file, and files under /etc/apache2 are world-readable by default, so restrict the file's permissions (Apache reads its configuration as root, so 640 root:root works). Note also that ldap:// carries the bind password and every user's password to the directory in cleartext; use ldaps:// (port 636, which AD offers once the domain controller has a certificate) unless Apache and the directory server share a trusted network. AuthType Basic likewise sends each user's password to Apache in cleartext, so serve the protected location over HTTPS.

The last line, “Require valid-user”, lets any user in the directory who authenticates successfully log in. To allow only certain users, change that line to:

Require ldap-user user1 user2

To allow only users from a specific group, change “Require valid-user” to:

Require ldap-group CN={group},CN=Users,dc=example,dc=org

Replace {group} with the name of the group and use your own domain instead of example.org. The DN must match where the group actually lives: groups in AD's default Users container sit under CN=Users, groups in an OU use OU=...,DC=... instead. mod_authnz_ldap checks the group's member attribute against the authenticated user's DN, which is how AD stores membership; nested groups are not followed in Apache 2.2.

3. Restart Apache

Check the configuration first (apache2ctl configtest reports syntax errors, including the AuthzLDAPAuthoritative directive on Apache 2.4, which no longer knows it), then restart:

/etc/init.d/apache2 restart
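The whole procedure as one script, added here as an example and not taken from the tutorial, from Debian or from the Apache project. It renders the Location block with the weak points of the block above fixed (ldaps:// instead of ldap://, SSLRequireSSL so the Basic-auth password only travels over HTTPS, and no AuthzLDAPAuthoritative, which Apache 2.4 rejects), lints any such block for those problems, checks that the file holding the bind password is not world-readable, and only when run as `sh ldap-auth.sh apply /protected dc1.example.org "CN=Users,DC=example,DC=org" "CN=apache-bind,CN=Users,DC=example,DC=org" 'secret' "CN=webusers,CN=Users,DC=example,DC=org"` performs steps 1 to 3 with a configtest before the restart. The host dc1.example.org, the bind account and group DNs, the config path /etc/apache2/conf.d/ldap-protected and the script name are assumptions; the script also assumes mod_ssl is enabled with an HTTPS virtual host.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: render a hardened
# <Location> block for mod_authnz_ldap, lint any block for the weak
# settings discussed above, check the permissions of the file that holds
# the bind password, and (only when invoked with "apply") enable the
# module, write the block and restart Apache.  Hostnames, DNs, account
# names and the config path below are assumptions for illustration.

# Print a <Location> block.  Args: location, LDAP host, search base DN,
# bind DN, bind password, optional group DN to restrict access to.
# Differences from the tutorial's block: ldaps:// instead of ldap://,
# SSLRequireSSL so the Basic-auth password only travels over HTTPS, and
# no AuthzLDAPAuthoritative (Apache 2.2 only; removed in 2.4).
render_ldap_location() {
    location=$1 host=$2 base=$3 binddn=$4 bindpw=$5 group=${6:-}
    printf '<Location %s>\n' "$location"
    printf '    SSLRequireSSL\n'
    printf '    AuthType Basic\n'
    printf '    AuthBasicProvider ldap\n'
    printf '    AuthName "Password protected. Enter your AD username and password."\n'
    printf '    AuthLDAPURL "ldaps://%s/%s?sAMAccountName?sub?(objectClass=*)"\n' "$host" "$base"
    printf '    AuthLDAPBindDN "%s"\n' "$binddn"
    printf '    AuthLDAPBindPassword "%s"\n' "$bindpw"
    if [ -n "$group" ]; then
        printf '    Require ldap-group %s\n' "$group"
    else
        printf '    Require valid-user\n'
    fi
    printf '</Location>\n'
}

# Read a <Location> block on stdin and report the problems the tutorial's
# block has.  $1 is the Apache version the block targets ("2.2" or "2.4").
# Returns 0 when clean, 1 otherwise, with one reason per line on stderr.
lint_ldap_location() {
    version=$1
    block=$(cat)
    rc=0
    if printf '%s\n' "$block" | grep -q 'AuthLDAPURL *"ldap://'; then
        echo "weak: ldap:// sends the bind password and every user password to the directory in clear; use ldaps://" >&2
        rc=1
    fi
    if ! printf '%s\n' "$block" | grep -q 'SSLRequireSSL'; then
        echo "weak: Basic auth without SSLRequireSSL lets clients send passwords over plain HTTP" >&2
        rc=1
    fi
    if [ "$version" = "2.4" ] && printf '%s\n' "$block" | grep -q 'AuthzLDAPAuthoritative'; then
        echo "error: AuthzLDAPAuthoritative was removed in 2.4; configtest will reject it" >&2
        rc=1
    fi
    if ! printf '%s\n' "$block" | grep -q '^ *Require '; then
        echo "error: no Require directive, so nothing is actually protected" >&2
        rc=1
    fi
    return $rc
}

# The bind password sits in clear in the config file.  Return 0 only if
# the file is not readable by "others" (Apache reads its config as root,
# so 640 root:root is enough).
bind_password_file_ok() {
    [ -n "$(find "$1" -prune ! -perm -004 -print)" ]
}

# Steps 1-3 of the tutorial, with the file written under a restrictive
# umask and a configtest before the restart.  The path assumes the squeeze
# layout, where /etc/apache2/conf.d/* is included for every virtual host;
# on 2.4 use conf-available/ and a2enconf instead.
apply_ldap_location() {
    conffile=${APACHE_LDAP_CONF:-/etc/apache2/conf.d/ldap-protected}
    a2enmod authnz_ldap
    ( umask 027; rm -f "$conffile"; render_ldap_location "$@" > "$conffile" )
    chown root:root "$conffile"
    bind_password_file_ok "$conffile" || return 1
    apache2ctl configtest || { echo "fix the configuration before restarting" >&2; return 1; }
    /etc/init.d/apache2 restart
}

if [ "${1:-}" = "apply" ]; then
    shift
    apply_ldap_location "$@"
fi
```

With ldaps:// mod_ldap verifies the directory server's certificate by default (LDAPVerifyServerCert On), so add `LDAPTrustedGlobalCert CA_BASE64 /path/to/domain-ca.pem` to the server configuration (not inside the Location) unless the system's OpenLDAP CA store already trusts it; turning verification off instead would let anyone on the network path impersonate the domain controller and collect the bind and user passwords.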

Comments 3
  • Oliver Bock

    Great tutorial. Had everything I needed and nothing I didn’t, except that I needed to add

    REFERRALS off

    to /etc/ldap/ldap.conf to make it work.

  • norman

    What about combining htpasswd and LDAP users?

  • Nicholas

    AuthzLDAPAuthoritative is obsolete in Apache 2.4.