Apache 2.2 and Active Directory

by Rob Terhaar on April 30th, 2007

Apache 2.2 introduces a new authentication framework, Authn/Authz, and with it the old mod_auth_ldap is replaced by a new mod_authnz_ldap module. Like every good UNIX software release, it brings a torrent of esoteric, incompatible, and confusing configuration options. Read on for my experiences with Apache 2.2/mod_authnz_ldap and Active Directory…

First off, this article isn't really an A-to-Z guide to getting Apache and AD working. It's meant more as a reference for people who have worked with Apache 2.0/mod_auth_ldap and are upgrading to Apache 2.2/mod_authnz_ldap. If you need help getting things going from scratch, I recommend doing some Googling first.

So to get started, here is my configuration template for the impatient. It goes inside your <Location> or <Directory> section; the items that are new to Apache 2.2/mod_authnz_ldap are marked with a comment (Apache only honours comments on their own line, so they sit above the directive they describe):

order allow,deny
allow from all

AuthName "AD Authorize Me!"
AuthType Basic
# new in 2.2
AuthBasicProvider ldap
# new in 2.2 (On is also the default)
AuthzLDAPAuthoritative On
# UPN-style bind identity, see below
AuthLDAPBindDN user@domain.local
AuthLDAPBindPassword your-plain-text-ldap-pass
# must be a single line: host, base DN, login attribute, scope, filter
AuthLDAPURL ldap://domain.local:389/OU=Corporate,OU=company,DC=domain,DC=local?sAMAccountName?sub?(objectCategory=person)
# new 2.2 syntax: the ldap- prefix routes the check to mod_authnz_ldap
Require ldap-group CN=Domain Admins,OU=Windows Groups,OU=Groups,OU=Corporate,OU=company,DC=domain,DC=local
# careful: in 2.2 each Require is an alternative, so this line admits any
# account that can authenticate, not just members of the group above
Require valid-user

So let's go over what some of this means.

AuthBasicProvider ldap
is fairly self-explanatory for Apache veterans. AuthType Basic is the classic option everyone knows and loves, but in 2.2 you can now list multiple "providers" for each location if necessary. This line is effectively required for every LDAP-protected location: the default provider is "file", so without it Apache 2.2 goes looking for an AuthUserFile and never talks to LDAP at all.


AuthzLDAPAuthoritative On
There are some howtos and postings on the internet that say to turn this off. If you listen to them and turn it off, you'll lose the ability to enforce group membership with LDAP alone: with Off, a failed ldap-group check makes mod_authnz_ldap decline the decision (authorization, not authentication) and pass it down to the next authz module, such as the GroupFile mechanism, and you probably don't have any other handler configured. Since you want the decision to be made strictly by LDAP, leave it On; that forces LDAP to do all the work and avoids any "backup" authorization path. On is the 2.2 default, so the line is only there to make the intent explicit.


AuthLDAPBindDN user@domain.local
The directive itself carries over from 2.0; what's different here is the bind identity. Formatting the BindDN this way isn't required, but it's recommended (somewhere) in the Apache documentation. Active Directory accepts a userPrincipalName (user@domain.local) for a simple bind in place of the account's full DN. I guess what this gives you is directory-agnostic bind authentication for when some noob decides to reorganize the structure of the Active Directory tree on their lunch break (sure beats playing solitaire, I suppose). Two things worth doing regardless of the format: use a dedicated read-only account for the bind rather than a privileged one, since the password sits in httpd.conf in plain text, and prefer an ldaps:// URL (or the TLS/STARTTLS option on AuthLDAPURL) over ldap:// on 389, because with Basic auth every user's password is re-sent to the domain controller on every request.


require ldap-group
Require groups has an additional syntax option in 2.2. Other documentation and howtos on the internet were ambiguous about this. The only way I could get group filtering to work was to use "require ldap-group" and not the 2.0-formatted "require group". The reason is that in 2.2 a bare "Require group" is claimed by mod_authz_groupfile (which expects an AuthGroupFile), so mod_authnz_ldap never sees it; the ldap- prefix routes the check to the LDAP module, which compares the user's DN against the group's member attribute. Note also that in 2.2 multiple Require lines in one section are alternatives: if "Require valid-user" is left in next to "Require ldap-group", anyone who can authenticate gets in, and the group is no longer the gate.
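Putting the pieces above together, here is a complete section the way I would deploy it. This is an added example, not the template from the post: LDAP traffic goes over ldaps:// so neither the bind password nor users' passwords cross the wire in clear, the bind account is a dedicated read-only user, and the catch-all "Require valid-user" is left out so the group really is the gate. The hostname dc1.domain.local, the /intranet path, the svc-httpd-ldap account and the certificate path are placeholders.

```apache
# Server level (outside any <Location>): trust the CA that issued the
# domain controller's certificate and refuse to talk to a DC that does
# not present a valid one. The certificate path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-root-ca.pem
LDAPVerifyServerCert On

<Location /intranet>
    Order allow,deny
    Allow from all

    AuthName "AD Authorize Me!"
    AuthType Basic
    # Without this line 2.2 uses the default "file" provider and never
    # touches LDAP.
    AuthBasicProvider ldap

    # On is the 2.2 default; stated here so nobody "fixes" it to Off,
    # which would let a failed group check fall through to other authz
    # modules.
    AuthzLDAPAuthoritative On

    # Dedicated read-only account (placeholder name), bound by
    # userPrincipalName so the bind survives the account being moved
    # within the tree. Keep this file readable by root only.
    AuthLDAPBindDN svc-httpd-ldap@domain.local
    AuthLDAPBindPassword change-me

    # ldaps:// on 636 rather than ldap:// on 389: with Basic auth every
    # user's password is re-sent to the DC on every request.
    # One line: host, base DN, login attribute, scope, filter.
    AuthLDAPURL "ldaps://dc1.domain.local:636/OU=Corporate,OU=company,DC=domain,DC=local?sAMAccountName?sub?(objectCategory=person)"

    # AD stores group membership as full DNs in the "member" attribute,
    # which matches the 2.2 defaults (AuthLDAPGroupAttribute member,
    # AuthLDAPGroupAttributeIsDN on). 2.2 does not expand nested groups,
    # so the user must be a direct member of this group.
    Require ldap-group CN=Domain Admins,OU=Windows Groups,OU=Groups,OU=Corporate,OU=company,DC=domain,DC=local

    # Deliberately no "Require valid-user" here: in 2.2 each Require is
    # an alternative, so it would admit any account that can authenticate.
</Location>
```

Before blaming Apache when a login fails, run the same query it runs, as the bind account: `ldapsearch -x -H ldaps://dc1.domain.local -D svc-httpd-ldap@domain.local -W -b 'OU=Corporate,OU=company,DC=domain,DC=local' '(&(objectCategory=person)(sAMAccountName=jdoe))' dn memberOf`. If that returns nothing, the base DN or filter is wrong; if it returns the user but the group DN is not in memberOf, the ldap-group check will correctly deny them.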

Well, that’s all of the major stuff. I’m sure there are other surprises along the way. Best of luck, and enjoy Apache 2.2!!!
