195 | | Or the LDAP interface to a Microsoft Active Directory: |
196 | | |
| 195 | |
| 196 | 3. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory: |
| 197 | |
| 198 | |
| 199 | Use the following as your LDAP URL: |
| 200 | {{{ |
| 201 | AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" |
| 202 | }}} |
| 203 | |
| 204 | You will also need to provide an account for Apache to use when checking |
| 205 | credentials. As this password will be listed in plaintext in the |
| 206 | config, you should be sure to use an account specifically for this task: |
| 207 | {{{ |
| 208 | AuthLDAPBindDN ldap-auth-user@example.com |
| 209 | AuthLDAPBindPassword "password" |
| 210 | }}} |
| 211 | |
| 212 | The whole section looks like: |
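Review bot: the AuthLDAPURL at new line 201 uses ldap:// on port 3268, so the bind account's password and every user password checked through it travel unencrypted, while the new text only warns about the plaintext password in the config file. Suggest showing an encrypted form instead, either ldaps:// against the global catalog's TLS port 3269 or the existing URL followed by the TLS mode argument that AuthLDAPURL accepts. The paragraph at new lines 204-206 could also say that the file holding AuthLDAPBindPassword should be readable only by the account that starts Apache, and that the dedicated bind account needs no rights beyond reading the directory.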
217 | | Note 2: Active Directory requires an authenticating user/password to access records (AuthLDAPBindDN and AuthLDAPBindPassword). |
218 | | |
219 | | Note 3: The directive "require ldap-group ..." specifies an AD group whose members are allowed access. |
220 | | |
221 | | |
| 233 | Note 2: You can also require the user be a member of a certain LDAP group, instead of |
| 234 | just having a valid login: |
| 235 | {{{ |
| 236 | Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com |
| 237 | }}} |
| 238 | |
| 239 | See also: |
| 240 | - [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap], documentation for mod_authnz_ldap |
| 241 | |
| 242 | - [http://httpd.apache.org/docs/2.2/mod/mod_ldap.html mod_ldap], documentation for mod_ldap, which provides connection pooling and a shared cache. |
| 243 | - [http://trac-hacks.org/wiki/LdapPlugin TracHacks:LdapPlugin] for storing TracPermissions in LDAP. |
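Review bot: the blank line added at new line 241 sits between the first and second "See also" bullets and will split the list in two when rendered; drop it so the three links form one list. In the note at new lines 233-234, "instead of just having a valid login" does not tell the reader which directive the Require ldap-group line stands in for; name the directive it replaces so nobody ends up with both requirements in place. The two documentation links are pinned to the 2.2 docs, so a word on which Apache version the section was written against would help readers on other releases.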