Using mod_ldap With Apache

I did a small test of mod_ldap today. It wasn’t terribly difficult, but most guides online seemed to overly complicate the matter.

In my test, I chose a directory located off of my website root that I wanted to restrict to only users with an LDAP account. (That’s any user, regardless of OU, Group, or hair color.) In this example, I’ll use http://server/ldaptest as my protected location and some.domain.com as my domain.

  • First, I setup a dummy index page in /var/www/html/ldaptest. (This location will vary obviously depending on your Apache installation)
  • Next, I opened my httpd.conf file (mine was in /etc/httpd/conf/httpd.conf) and made sure these two lines were present:
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

    This indicates that mod_ldap and mod_authnz_ldap (both necessary) are installed.

  • Next, I added the following lines to httpd.conf:
    <Directory "/var/www/html/ldaptest">
    Order deny,allow
    Deny from All
    AuthName "Company.com Intranet"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl ldap://dc1.some.domain.com/dc=some,dc=domain,dc=com?uid
    Require valid-user
    Satisfy any
    AuthLDAPBindDN "CN=PortalReader,OU=Service Accounts,OU=IS,OU=FSA,DC=some,DC=domain,DC=com"
    AuthLDAPBindPassword somePa$$W0rd
    </Directory> 
  • I then restarted apache by issuing the command:
    service httpd restart

Terms explained (as best I can):

  • /var/www/html/ldaptest is the directory location on the local server you want to set settings for.
  • Order deny,allow specifies the order permissions are applied in. (This is typical.)
  • Deny from All prohibits all non-authenticated users from proceeding. 
  • AuthName "Company.com Intranet" simply provides a name for your service that the browser will show in its authentication prompt.
  • AuthType Basic  specifies the type of authentication to be used for the directory. 
  • AuthBasicProvider ldap specifies who is going to handle the basic authentication.
  • AuthzLDAPAuthoritative off is required when using valid-user (see below)
  • AuthLDAPUrl is the location we are searching. This includes your domain controller and your domain.
  • Require valid-user tells mod_ldap to accept all valid domain users regardless of location.
  • AuthLDAPBindDN "CN=PortalReader,OU=Service Accounts..." tells mod_ldap the fully qualified location of the account to use to bind to your domain. This account needs read privileges on your domain.
  • AuthLDAPBindPassword is simply the password for your bind account. 

That was all there was to it.  I did have a couple of issues though:

  1. I didn’t get the DN (Distinguished Name) for the AuthLDAPBindDN right the first time.  In order to get the correct DN, I used ADSIEdit to find the actual object and copy the DN directly,  putting it in quotes.  (If you fail to use quotes, Apache will not start on the basis that you cannot have more than one value for that setting.)
  2. In order to determine that I was having the above problem, I had to set logging to the debug level. You do this by finding LogLevel in httpd.conf and setting it to debug. Previously, I had warn set.
  3. Lastly,  I didn’t watch the right log for errors at first.  I defaulted to trying error_log, but in my particular case I was using SSL so the correct log was ssl_error_log. 

This code allows ANY valid user in the specified domain to login. In order to use groups and things of that nature, I recommend you look at this guide.
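As an added example (not code from the post), here is a small Python linter that reads the Directory block above the way httpd tokenizes it and flags the quoting mistake from issue 1 before you restart, along with two things a reviewer of this config would want to know: the bind password sits literally in httpd.conf (so the file's permissions matter, and Apache 2.4.5+ can fetch it via an exec: prefix instead), and an ldap:// URL means the bind and every user lookup leave the server unencrypted unless ldaps:// or a server-wide LDAPTrustedMode STARTTLS is in use. The parse_ldap_url and lint helpers are hypothetical names of mine; the sample config is the post's block with the real password swapped for a placeholder.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: the <Directory> block from the post, with the bind
# password replaced by a placeholder.
SAMPLE_CONFIG = """\
<Directory "/var/www/html/ldaptest">
Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://dc1.some.domain.com/dc=some,dc=domain,dc=com?uid
Require valid-user
Satisfy any
AuthLDAPBindDN "CN=PortalReader,OU=Service Accounts,OU=IS,OU=FSA,DC=some,DC=domain,DC=com"
AuthLDAPBindPassword REPLACE_WITH_BIND_PASSWORD
</Directory>
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_directives(text):
    """Return (directive, args) pairs for each non-container line.

    Double quotes group a value into one argument, as httpd does, so a
    quoted DN containing spaces ("Service Accounts") stays a single token.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank lines, comments, <Directory> / </Directory>
        tokens = shlex.split(line)
        directives.append((tokens[0], tokens[1:]))
    return directives


def parse_ldap_url(url):
    """Split an AuthLDAPUrl (scheme://host[:port]/basedn?attribute?scope?filter)
    into its parts; missing trailing parts get mod_authnz_ldap's documented
    defaults (attribute uid, scope sub, filter (objectClass=*))."""
    parts = urlsplit(url)
    extra = parts.query.split("?") if parts.query else []
    extra += [""] * (3 - len(extra))
    attribute, scope, filt = extra[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS.get(parts.scheme),
        "basedn": parts.path.lstrip("/"),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def lint(text):
    """Return (code, message) findings for one mod_authnz_ldap block."""
    findings = []
    for name, args in parse_directives(text):
        key = name.lower()
        if key == "authldapbinddn" and len(args) != 1:
            # The post's issue 1: an unquoted DN with spaces becomes several
            # arguments and httpd refuses to start.
            findings.append(("binddn-not-quoted",
                             "AuthLDAPBindDN has %d arguments; double-quote "
                             "the whole DN" % len(args)))
        elif key == "authldapbindpassword" and args and not args[0].startswith("exec:"):
            findings.append(("plaintext-bind-password",
                             "bind password is stored literally in httpd.conf; "
                             "restrict the file's permissions"))
        elif key == "authldapurl" and args:
            info = parse_ldap_url(args[0])
            if info["scheme"] == "ldap":
                findings.append(("cleartext-ldap",
                                 "ldap:// to %s:%s sends the bind password and "
                                 "every lookup unencrypted unless STARTTLS is "
                                 "configured" % (info["host"], info["port"])))
    return findings


if __name__ == "__main__":
    for code, message in lint(SAMPLE_CONFIG):
        print("%-24s %s" % (code, message))
```

Run it against a copy of your own Directory block before the restart; a binddn-not-quoted finding is the same condition that made Apache refuse to start in issue 1, only reported without digging through ssl_error_log at LogLevel debug.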
