= Setting up Apache and OpenLDAP to use Microsoft's ActiveDirectory

This is a short HOWTO for setting up Apache and OpenLDAP to use Microsoft's !ActiveDirectory for authenticating users. As an option, you can secure LDAP by using SSL. We choose openssl.[[BR]]
It will give you an idea how to set up your Apache configuration.

We assume that:
 * your AD domain is called `MYDOM`
 * you have a user called `MYUSER` that has read access to `sAMAccountName`
 * your DC has the name `mydc.example.org`
 * your basedn is `DC=mydom,DC=example,DC=org`

== Apache 2.0.x with [https://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html mod_auth_ldap]

You need to have `mod_ldap.so` and `mod_auth_ldap.so` compiled.

To do so, compile apache with
{{{
./configure --enable-ldap=shared --enable-auth-ldap=shared --with-ldap \
--with-ldap-include=</path/to/your/openldap/installation>/include \
--with-ldap-lib=</path/to/your/openldap/installation>/lib
}}}
Of course, you'll have to provide more options to `configure`.[[BR]]
Build and install apache the usual way.[[BR]]
Make sure you have both `mod_ldap.so` and `mod_auth_ldap.so` in apaches's modules directory.

Now for the `httpd.conf`:
{{{
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
[...]
<Location /physical/path/to/your/trac-env/>
   AuthType Basic
   AuthLDAPEnabled on
   AuthLDAPAuthoritative on
   AuthLDAPBindDN "MyDOM\\MYUSER"
   AuthLDAPBindPassword apassword
   AuthLDAPUrl ldap://mydc.example.org:389/DC=mydom,DC=example,DC=org?sAMAccountName
   AuthName "Authorization required"
   require valid-user
   SetHandler mod_python
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /physical/path/to/your/trac-env
   PythonOption TracUriRoot /url/path/to/your/trac-env
</Location>
}}}

== Apache 2.2.x with [https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap] and LDAP over SSL

You need to have `mod_ldap.so` and `mod_authnz_ldap.so` compiled. To do so, compile Apache with:

{{{
./configure --enable-ldap=shared --enable-auth-ldap=shared --enable-ldap \
--enable-authnz-ldap --with-ldap --with-ldap-include=</path/to/your/openldap/installation>/include \
--with-ldap-lib=</path/to/your/openldap/installation>/lib
}}}

Of course, you'll have to provide more options to `configure`.[[BR]]
Build and install Apache the usual way.[[BR]]
Make sure you have both `mod_ldap.so` and `mod_authnz_ldap.so` in Apaches's modules directory.[[BR]]
Also make sure that your openldap has support for ssl built in.[[BR]]
Get the root certificate for your DC. In this example, it is BASE64 encoded.

Now for the `httpd.conf`:

{{{
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
[...]
LDAPTrustedGlobalCert CA_BASE64 certs/ca_dc.cer
[...]
<Location /physical/path/to/your/trac-env/>
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthUserFile /dev/null
   AuthLDAPBindDN "MyDOM\\MYUSER"
   AuthLDAPBindPassword apassword
   AuthLDAPUrl ldaps://mydc.example.org:636/DC=mydom,DC=example,DC=org?sAMAccountName
   AuthName "Authorization required"
   require valid-user
   SetHandler mod_python
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /physical/path/to/your/trac-env
   PythonOption TracUriRoot /url/path/to/your/trac-env
</Location>
}}}

=== Using mm_mod_auth_ldap and authentication on bind

Some LDAP providers require some form of authentication in order to check credentials.  There are two ways of handling this.  One is to put a specific username and password into the Apache configuration file (as shown in the above example).  This can be problematic in certain environments (the author of this section works in a US National Lab, with some occasionally insane security rules).  And it is true that burying passwords in configuration files can be a maintenance problem.  The third party mm_mod_auth_ldap (http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html) provides an interesting solution, which is that it attempts to use the username/password supplied by the user to do the bind to the LDAP provider.  If the bind works that's part of the authentication.  If the bind doesn't work, then the user is presumed to not be real, and the authentication fails.  This does, however, have a couple of unfortunate side effects.  One is that if the user fat-fingers the password, the bind fails and the user sees a server configuration error (bad).  The other is that since the credentials are different on each bind, there's no caching or pooling of LDAP connections possible.  However, this is a useful concept, and one that can hopefully be improved.  The gist of the configuration is
{{{
LoadModule mm_auth_ldap_module /usr/lib/httpd/modules/mm_mod_auth_ldap.so

<Location /test-ldap>
     Options None

     #Authentication
     AuthType Basic
     AuthBasicProvider mm_ldap
     AuthName "Authenticate"
     #Server information
     LDAP_Port <LDAP port> #often 389
     LDAP_Server <ldapserver.your.domain>
     LDAP_StartTLS On
     #Where to look
     Base_DN "<base DN for where to bind>"  # e.g. "ou=People,dc=example,dc=com"
     UID_Attr uid
     #Require these users
     require valid-user
     #Authenticate on bind - important!
     AuthOnBind On
     #Debugging
     LDAP_Debug Off
</Location> 
}}}