Edgewall Software

Version 2 (modified by r.sokoll@…, 16 years ago) ( diff )

missed certificates for ldaps

This is a short HOWTO for setting up Apache and OpenLDAP to use Microsoft's ActiveDirectory for authenticating users. As an option, you can secure LDAP by using SSL. We choose openssl.
It will give you an idea how to set up your apache configuration.

We assume that

  • your AD domain is called MYDOM
  • you have a user called MYUSER that has read access to sAMAccountName
  • your DC has the name mydc.example.org
  • your basedn is DC=mydom,DC=example,DC=org

Apache 2.0.x with mod_auth_ldap

You need to have mod_ldap.so and mod_auth_ldap.so compiled.

To do so, compile apache with 

./configure --enable-ldap=shared --enable-auth-ldap=shared --with-ldap \
--with-ldap-include=</path/to/your/openldap/installation>/include \
--with-ldap-lib=</path/to/your/openldap/installation>/lib

Of course, you'll have to provide more options to configure.
Build and install apache the usual way.
Make sure you have both mod_ldap.so and mod_auth_ldap.so in apaches's modules directory.

Now for the httpd.conf: 

LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
[...]
<Location /physical/path/to/your/trac-env/>
   AuthType Basic
   AuthLDAPEnabled on
   AuthLDAPAuthoritative on
   AuthLDAPBindDN "MyDOM\\MYUSER"
   AuthLDAPBindPassword apassword
   AuthLDAPUrl ldap://mydc.example.org:389/DC=mydom,DC=example,DC=org?sAMAccountName
   AuthName "Authorization required"
   require valid-user
   SetHandler mod_python
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /physical/path/to/your/trac-env
   PythonOption TracUriRoot /url/path/to/your/trac-env
</Location>

Apache 2.2.x with mod_authnz_ldap and LDAP over SSL

You need to have mod_ldap.so and mod_authnz_ldap.so compiled.

To do so, compile apache with 

./configure --enable-ldap=shared --enable-auth-ldap=shared --enable-ldap \
--enable-authnz-ldap --with-ldap --with-ldap-include=</path/to/your/openldap/installation>/include \
--with-ldap-lib=</path/to/your/openldap/installation>/lib

Of course, you'll have to provide more options to configure.
Build and install apache the usual way.
Make sure you have both mod_ldap.so and mod_authnz_ldap.so in apaches's modules directory.
Also make sure that your openldap has support for ssl built in.
Get the root certificate for your DC. In this example, it is BASE64 encoded.

Now for the httpd.conf: 

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
[...]
LDAPTrustedGlobalCert CA_BASE64 certs/ca_dc.cer
[...]
<Location /physical/path/to/your/trac-env/>
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthUserFile /dev/null
   AuthLDAPBindDN "MyDOM\\MYUSER"
   AuthLDAPBindPassword apassword
   AuthLDAPUrl ldaps://mydc.example.org:636/DC=mydom,DC=example,DC=org?sAMAccountName
   AuthName "Authorization required"
   require valid-user
   SetHandler mod_python
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /physical/path/to/your/trac-env
   PythonOption TracUriRoot /url/path/to/your/trac-env
</Location>

Have fun!

Note: See TracWiki for help on using the wiki.