= Setting up Apache and OpenLDAP to use Microsoft's ActiveDirectory
This is a short HOWTO for setting up Apache and OpenLDAP to use Microsoft's !ActiveDirectory for authenticating users. As an option, you can secure LDAP by using SSL. We choose openssl.[[BR]]
It will give you an idea how to set up your Apache configuration.
We assume that:
* your AD domain is called `MYDOM`
* you have a user called `MYUSER` that has read access to `sAMAccountName`
* your DC has the name `mydc.example.org`
* your basedn is `DC=mydom,DC=example,DC=org`
== Apache 2.0.x with [https://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html mod_auth_ldap]
You need to have `mod_ldap.so` and `mod_auth_ldap.so` compiled.
To do so, compile apache with
{{{
./configure --enable-ldap=shared --enable-auth-ldap=shared --with-ldap \
--with-ldap-include=/include \
--with-ldap-lib=/lib
}}}
Of course, you'll have to provide more options to `configure`.[[BR]]
Build and install apache the usual way.[[BR]]
Make sure you have both `mod_ldap.so` and `mod_auth_ldap.so` in apaches's modules directory.
Now for the `httpd.conf`:
{{{
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
[...]
AuthType Basic
AuthLDAPEnabled on
AuthLDAPAuthoritative on
AuthLDAPBindDN "MyDOM\\MYUSER"
AuthLDAPBindPassword apassword
AuthLDAPUrl ldap://mydc.example.org:389/DC=mydom,DC=example,DC=org?sAMAccountName
AuthName "Authorization required"
require valid-user
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /physical/path/to/your/trac-env
PythonOption TracUriRoot /url/path/to/your/trac-env
}}}
== Apache 2.2.x with [https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap] and LDAP over SSL
You need to have `mod_ldap.so` and `mod_authnz_ldap.so` compiled. To do so, compile Apache with:
{{{
./configure --enable-ldap=shared --enable-auth-ldap=shared --enable-ldap \
--enable-authnz-ldap --with-ldap --with-ldap-include=/include \
--with-ldap-lib=/lib
}}}
Of course, you'll have to provide more options to `configure`.[[BR]]
Build and install Apache the usual way.[[BR]]
Make sure you have both `mod_ldap.so` and `mod_authnz_ldap.so` in Apaches's modules directory.[[BR]]
Also make sure that your openldap has support for ssl built in.[[BR]]
Get the root certificate for your DC. In this example, it is BASE64 encoded.
Now for the `httpd.conf`:
{{{
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
[...]
LDAPTrustedGlobalCert CA_BASE64 certs/ca_dc.cer
[...]
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthUserFile /dev/null
AuthLDAPBindDN "MyDOM\\MYUSER"
AuthLDAPBindPassword apassword
AuthLDAPUrl ldaps://mydc.example.org:636/DC=mydom,DC=example,DC=org?sAMAccountName
AuthName "Authorization required"
require valid-user
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /physical/path/to/your/trac-env
PythonOption TracUriRoot /url/path/to/your/trac-env
}}}
=== Using mm_mod_auth_ldap and authentication on bind
Some LDAP providers require some form of authentication in order to check credentials. There are two ways of handling this. One is to put a specific username and password into the Apache configuration file (as shown in the above example). This can be problematic in certain environments (the author of this section works in a US National Lab, with some occasionally insane security rules). And it is true that burying passwords in configuration files can be a maintenance problem. The third party mm_mod_auth_ldap (http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html) provides an interesting solution, which is that it attempts to use the username/password supplied by the user to do the bind to the LDAP provider. If the bind works that's part of the authentication. If the bind doesn't work, then the user is presumed to not be real, and the authentication fails. This does, however, have a couple of unfortunate side effects. One is that if the user fat-fingers the password, the bind fails and the user sees a server configuration error (bad). The other is that since the credentials are different on each bind, there's no caching or pooling of LDAP connections possible. However, this is a useful concept, and one that can hopefully be improved. The gist of the configuration is
{{{
LoadModule mm_auth_ldap_module /usr/lib/httpd/modules/mm_mod_auth_ldap.so
Options None
#Authentication
AuthType Basic
AuthBasicProvider mm_ldap
AuthName "Authenticate"
#Server information
LDAP_Port #often 389
LDAP_Server
LDAP_StartTLS On
#Where to look
Base_DN "" # e.g. "ou=People,dc=example,dc=com"
UID_Attr uid
#Require these users
require valid-user
#Authenticate on bind - important!
AuthOnBind On
#Debugging
LDAP_Debug Off
}}}