Those documents are obsolete, please use the Nethence Documentation instead.


Setting up Apache 2.4 for AD authentication (with and without LDAPS)
Tested on Ubuntu Server 14 LTS with Apache 2.4
 
AD/LDAP Configuration
Using plain LDAP (no SSL) on the global catalog port 3268:
#http://stackoverflow.com/questions/14242734/apache-http-server-2-4-ldap-active-directory-authentication
<Directory /var/www/html/private>

# Account used for the bind (service account; the DN is comma-separated RDNs)
AuthLDAPBindDN "CN=apache4ad,OU=IT,OU=OU,DC=domain,DC=tld"
AuthLDAPBindPassword "PASSWORD"

# Search for the user by sAMAccountName below the domain base
AuthLDAPURL "ldap://AD_ADDRESS:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)"

AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
require valid-user
</Directory>
 
Additional notes
More directives to try in case of trouble (all commented out here):
# AuthLDAPGroupAttribute member
# AuthLDAPGroupAttributeIsDN on
#LDAPReferrals Off
#AuthzLDAPAuthoritative off
# Use the password without quotes, e.g. password instead of "password"
#AuthLDAPBindPassword password
 
 
AD/LDAPS Configuration
Using LDAPS on the global catalog SSL port 3269. Note that LDAPVerifyServerCert off disables checking of the directory server's certificate: the connection is encrypted, but the server's identity is not verified before the bind password is sent.
LDAPVerifyServerCert off
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/apache2/ssl/provided.cer

<Directory /var/www/html/private>
AuthBasicProvider ldap
AuthType Basic
# removed in 2.4: AuthzLDAPAuthoritative on
AuthName "USE YOUR WINDOWS ACCOUNT"
#AuthLDAPURL "ldaps://AD_FQDN:636/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" SSL
AuthLDAPURL "ldaps://AD_FQDN:3269/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" SSL
AuthLDAPBindDN "apache4ad@domain.tld"
AuthLDAPBindPassword "PASSWORD"
# getting a 500 error when using this:
require valid-user
#require user apache4ad@domain.tld
</Directory>
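The two fragments above (and the AuthzLDAPAuthoritative leftover covered under Troubleshooting) are easy to get subtly wrong: a comma missing from the bind DN, a scheme that disagrees with the port, a 2.2-only directive, or a plain ldap:// bind that ships passwords in cleartext. The following linter is an added example, not part of the original page or of Apache; it parses an httpd fragment with the directive names used above and reports those problems. The AuthLDAPURL defaults (uid, sub, objectclass=*) follow the mod_authnz_ldap documentation; the finding codes, the RDN/UPN patterns and the two sample fragments are constructed for this example.

```python
"""Sanity checks for Apache 2.4 mod_authnz_ldap fragments (added example).

Reports: AuthzLDAPAuthoritative (removed in 2.4), scheme/port mismatch in
AuthLDAPURL, a plain ldap:// bind (cleartext passwords), LDAPVerifyServerCert
off, and a bind identity that is neither a well-formed DN nor a UPN.
"""
import re
import shlex

# AuthLDAPURL: scheme://host[:port]/basedn[?attribute[?scope[?filter]]]
AUTHLDAPURL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://(?P<host>[^:/?]+)(?::(?P<port>\d+))?"
    r"/(?P<basedn>[^?]*)(?:\?(?P<rest>.*))?$"
)
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")   # one attr=value per RDN
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")        # user@domain.tld
PLAIN_PORTS = {389, 3268}   # LDAP, global catalog
SSL_PORTS = {636, 3269}     # LDAPS, global catalog over SSL


def parse_authldapurl(url):
    """Split an AuthLDAPURL into its parts; None if it does not parse."""
    m = AUTHLDAPURL_RE.match(url)
    if not m:
        return None
    fields = (m.group("rest") or "").split("?", 2)
    fields += [""] * (3 - len(fields))
    return {
        "scheme": m.group("scheme"),
        "host": m.group("host"),
        "port": int(m.group("port")) if m.group("port") else None,
        "basedn": m.group("basedn"),
        "attribute": fields[0] or "uid",            # mod_authnz_ldap defaults
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectclass=*)",
    }


def is_valid_bind_identity(value):
    """AuthLDAPBindDN may be an LDAP DN or, against AD, a user principal name."""
    if UPN_RE.match(value):
        return True
    return all(RDN_RE.match(rdn.strip()) for rdn in value.split(","))


def parse_directives(config_text):
    """Yield (directive, args); blank lines, comments and <Directory> tags are skipped."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)          # honours the "quoted" arguments
        yield parts[0], parts[1:]


def lint(config_text):
    """Return a list of (code, message) findings for a config fragment."""
    findings = []
    for directive, args in parse_directives(config_text):
        name = directive.lower()
        if name == "authzldapauthoritative":
            findings.append(("REMOVED_DIRECTIVE", "AuthzLDAPAuthoritative was removed in "
                             "2.4; httpd refuses to start with 'Invalid command'"))
        elif name == "ldapverifyservercert" and args and args[0].lower() == "off":
            findings.append(("NO_CERT_CHECK", "LDAPVerifyServerCert off: the directory "
                             "server's certificate is not checked before the bind password is sent"))
        elif name == "authldapbinddn" and args and not is_valid_bind_identity(args[0]):
            findings.append(("BAD_BIND_DN", "AuthLDAPBindDN %r is neither a well-formed "
                             "DN nor a UPN" % args[0]))
        elif name == "authldapurl" and args:
            url = parse_authldapurl(args[0])
            mode = args[1].upper() if len(args) > 1 else "NONE"   # NONE|SSL|TLS|STARTTLS
            if url is None:
                findings.append(("BAD_URL", "AuthLDAPURL %r does not parse" % args[0]))
                continue
            mismatch = (url["scheme"] == "ldap" and url["port"] in SSL_PORTS and mode != "SSL") \
                or (url["scheme"] == "ldaps" and url["port"] in PLAIN_PORTS)
            if mismatch:
                findings.append(("PORT_MISMATCH", "%s:// on port %s: scheme and port disagree"
                                 % (url["scheme"], url["port"])))
            elif url["scheme"] == "ldap" and mode == "NONE":
                findings.append(("CLEARTEXT_BIND", "plain ldap:// without SSL/TLS: the bind "
                                 "password and every user's password cross the network unencrypted"))
    return findings


# Constructed samples: the page's two fragments, with a malformed DN and a 2.2 leftover
PLAIN_GC = """<Directory /var/www/html/private>
AuthLDAPBindDN "CN=apache4ad,OU=IT,OU=OUDC=domain,DC=tld"
AuthLDAPBindPassword "PASSWORD"
AuthLDAPURL "ldap://AD_ADDRESS:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)"
AuthBasicProvider ldap
require valid-user
</Directory>"""
LDAPS_GC = """LDAPVerifyServerCert off
LDAPTrustedMode SSL
<Directory /var/www/html/private>
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://AD_FQDN:3269/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" SSL
AuthLDAPBindDN "apache4ad@domain.tld"
require valid-user
</Directory>"""

if __name__ == "__main__":
    for label, text in (("non-SSL", PLAIN_GC), ("LDAPS", LDAPS_GC)):
        print("== %s" % label)
        for code, msg in lint(text):
            print("%-18s %s" % (code, msg))
```

Run it as-is to see the findings for the two sample fragments, or pass your own `/etc/apache2/sites-enabled/*.conf` text to lint(). The linter only reads text and never contacts the directory server, so it is safe to run before restarting httpd; it does not replace an actual bind test against the domain controller.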
 
Refs.
AD auth: http://stackoverflow.com/questions/14242734/apache-http-server-2-4-ldap-active-directory-authentication
Port 3269: https://technet.microsoft.com/fr-fr/library/dd772723(v=ws.10).aspx
Ports: https://support.symantec.com/en_US/article.HOWTO80685.html
Apache Module mod_ldap
Upgrading to 2.4 from 2.2
Apache Module mod_authnz_ldap
Bug 807491 - LDAPS is not working if LDAPTrustedGlobalCert is defined
Apache LDAP authentication
LDAP-based Apache auth (mod_ldap + mod_authnz_ldap) using own CA for SSL/TLS
The definitive guide of connecting Apache via LDAP SSL to ActiveDirectory + Subversion
Issues with Apache 2.4.x and mod_ldap & mod_authnz_ldap
Setting up Apache and OpenLDAP to use Microsoft's ActiveDirectory
 
Troubleshooting
If you get this error,
Invalid command 'AuthzLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration
it's probably because you switched from Apache 2.2 to 2.4. Remove 'AuthzLDAPAuthoritative' and proceed as described above.

You may also see this line in the error log; as its text says, it is logged before the client has supplied credentials:
AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
 

Last update: Mar 30, 2016