This is a short HOWTO for setting up Apache and OpenLDAP to authenticate users against Microsoft's Active Directory. As an option, you can secure the LDAP connection with SSL; we use OpenSSL for this.
It should give you an idea of how to set up your Apache configuration.
We assume that
- your AD domain is called MYDOM
- you have a user called MYUSER that has read access to sAMAccountName
- your DC has the name mydc.example.org
- your basedn is DC=mydom,DC=example,DC=org
Apache 2.0.x with mod_auth_ldap
You need to have mod_ldap.so and mod_auth_ldap.so compiled.
To do so, compile Apache with

    ./configure --enable-ldap=shared --enable-auth-ldap=shared --with-ldap \
        --with-ldap-include=</path/to/your/openldap/installation>/include \
        --with-ldap-lib=</path/to/your/openldap/installation>/lib

Of course, you'll have to provide more options to configure.
Build and install Apache the usual way.
Make sure you have both mod_ldap.so and mod_auth_ldap.so in Apache's modules directory.
Now for the httpd.conf:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so
    [...]
    # <Location> matches a URL path, so it takes the same value as TracUriRoot
    <Location /url/path/to/your/trac-env>
        AuthType Basic
        AuthLDAPEnabled on
        AuthLDAPAuthoritative on
        # Account used for the user lookup; its password is stored here in
        # clear text, so restrict read access to this file
        AuthLDAPBindDN "MyDOM\\MYUSER"
        AuthLDAPBindPassword apassword
        # Plain ldap:// sends the bind and user passwords unencrypted to the DC
        AuthLDAPUrl ldap://mydc.example.org:389/DC=mydom,DC=example,DC=org?sAMAccountName
        AuthName "Authorization required"
        require valid-user
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /physical/path/to/your/trac-env
        PythonOption TracUriRoot /url/path/to/your/trac-env
    </Location>

Apache 2.2.x with mod_authnz_ldap and LDAP over SSL
You need to have mod_ldap.so and mod_authnz_ldap.so compiled.
To do so, compile Apache with

    ./configure --enable-ldap=shared --enable-authnz-ldap=shared --with-ldap \
        --with-ldap-include=</path/to/your/openldap/installation>/include \
        --with-ldap-lib=</path/to/your/openldap/installation>/lib

Of course, you'll have to provide more options to configure.
Build and install Apache the usual way.
Make sure you have both mod_ldap.so and mod_authnz_ldap.so in Apache's modules directory.
Also make sure that your OpenLDAP has support for SSL built in.
Get the root certificate for your DC. In this example, it is BASE64 encoded.
Now for the httpd.conf:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    [...]
    # Root certificate of the DC (BASE64 encoded), used to verify the LDAPS connection
    LDAPTrustedGlobalCert CA_BASE64 certs/ca_dc.cer
    [...]
    # <Location> matches a URL path, so it takes the same value as TracUriRoot
    <Location /url/path/to/your/trac-env>
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthUserFile /dev/null
        # Account used for the user lookup; its password is stored here in
        # clear text, so restrict read access to this file
        AuthLDAPBindDN "MyDOM\\MYUSER"
        AuthLDAPBindPassword apassword
        AuthLDAPUrl ldaps://mydc.example.org:636/DC=mydom,DC=example,DC=org?sAMAccountName
        AuthName "Authorization required"
        require valid-user
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /physical/path/to/your/trac-env
        PythonOption TracUriRoot /url/path/to/your/trac-env
    </Location>

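How the AuthLDAPUrl values in the two configurations above break down, and which search filter results for a given login name, as an added example in Python (not part of the original HOWTO and not Apache's own code). The function names are hypothetical; the defaults (uid, sub, (objectClass=*)) and the combined filter form (&(filter)(attribute=username)) follow the mod_authnz_ldap documentation, and the RFC 4515 hex escaping of the login name is this example's choice.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Neutralise filter metacharacters in a user-supplied login name."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its parts."""
    m = re.fullmatch(r"(ldaps?)://([^/:?]+)(?::(\d+))?/([^?]*)((?:\?[^?]*){0,3})", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, port, basedn, rest = m.groups()
    extra = rest.split("?")[1:] + ["", "", ""]   # pad the optional fields
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "basedn": basedn,
        "attribute": extra[0] or "uid",
        "scope": extra[1] or "sub",
        "filter": extra[2] or "(objectClass=*)",
        # Only the URL scheme is checked; STARTTLS settings are not considered.
        "encrypted": scheme == "ldaps",
    }

def search_filter(cfg, username):
    """Filter used to look up the user's DN before the password bind."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

if __name__ == "__main__":
    for url in (
        "ldap://mydc.example.org:389/DC=mydom,DC=example,DC=org?sAMAccountName",
        "ldaps://mydc.example.org:636/DC=mydom,DC=example,DC=org?sAMAccountName",
    ):
        cfg = parse_auth_ldap_url(url)
        print(cfg["host"], cfg["port"], "TLS" if cfg["encrypted"] else "CLEARTEXT")
        # Constructed login names: a normal one and one with filter metacharacters.
        for user in ("jdoe", "*)(objectClass=*"):
            print("   ", search_filter(cfg, user))
```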
Have fun!