This is an obsolete doc, see http://doc.nethence.com/ instead.
Setting up Apache 2.4 for AD authentication (with and without LDAPS)
Tested on Ubuntu Server 14 LTS with Apache 2.4.
AD/LDAP Configuration
Using non-SSL LDAP on port 3268:
#http://stackoverflow.com/questions/14242734/apache-http-server-2-4-ldap-active-directory-authentication
<Directory /var/www/html/private>
    # Account used to bind and search (placeholder DN, note the comma before DC=)
    AuthLDAPBindDN "CN=apache4ad,OU=IT,OU=OU,DC=domain,DC=tld"
    AuthLDAPBindPassword "PASSWORD"
    # Where and how to look up the user: login name matched on sAMAccountName, subtree search
    AuthLDAPURL "ldap://AD_ADDRESS:3268/dc=domain,dc=tld?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthName "USE YOUR WINDOWS ACCOUNT"
    AuthBasicProvider ldap
    Require valid-user
</Directory>
Additional notes
More sample directives in case of trouble:
# AuthLDAPGroupAttribute member
# AuthLDAPGroupAttributeIsDN on
# LDAPReferrals Off
# AuthzLDAPAuthoritative off
# Use the password without quotes, e.g. password instead of "password"
# AuthLDAPBindPassword password
AD/LDAPS Configuration
Using SSL on port 3269:
# Disables checking of the AD server certificate, so a spoofed DC would be accepted; switch to "on" once the CA below is trusted
LDAPVerifyServerCert off
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/apache2/ssl/provided.cer
<Directory /var/www/html/private>
    AuthBasicProvider ldap
    AuthType Basic
    # AuthzLDAPAuthoritative on (directive removed in 2.4)
    AuthName "USE YOUR WINDOWS ACCOUNT"
    #AuthLDAPURL "ldaps://AD_FQDN:636/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPURL "ldaps://AD_FQDN:3269/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "apache4ad@domain.tld"
    AuthLDAPBindPassword "PASSWORD"
    Require valid-user
    # getting a 500 error when using this instead:
    #Require user apache4ad@domain.tld
</Directory>
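To sanity-check these snippets before deploying them, here is an added Python example (not part of the original page) that splits an AuthLDAPURL into the parts mod_authnz_ldap uses, builds the combined search filter with the login name escaped, and flags the two transport weaknesses shown on this page (LDAPVerifyServerCert off, and an ldap:// URL without STARTTLS). The embedded sample config is the LDAPS block above with its placeholders kept.

```python
import shlex
from urllib.parse import urlsplit, unquote

# Constructed sample: the LDAPS <Directory> block from this page, placeholders kept.
SAMPLE_CONF = """
LDAPVerifyServerCert off
LDAPTrustedMode SSL
<Directory /var/www/html/private>
    AuthLDAPURL "ldaps://AD_FQDN:3269/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "apache4ad@domain.tld"
    Require valid-user
</Directory>
"""

def parse_auth_ldap_url(url):
    """Split host/basedn?attribute?scope?filter, filling mod_authnz_ldap defaults."""
    u = urlsplit(url)
    attribute, scope, flt = (u.query.split("?") + ["", "", ""])[:3]
    return {"scheme": u.scheme, "netloc": u.netloc,
            "basedn": unquote(u.path.lstrip("/")),
            "attribute": attribute or "uid", "scope": scope or "sub",
            "filter": flt or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def effective_filter(url, username):
    """The search actually run: the URL filter ANDed with attribute=<escaped login>."""
    p = parse_auth_ldap_url(url)
    return f"(&{p['filter']}({p['attribute']}={escape_filter_value(username)}))"

def audit_conf(conf):
    """Flag the transport weaknesses the snippets on this page can carry."""
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line) + ["", ""]   # pad so missing arguments read as ""
        name = words[0].lower()
        if name == "ldapverifyservercert" and words[1].lower() == "off":
            findings.append("LDAPVerifyServerCert off: DC certificate is never checked")
        elif name == "authldapurl" and words[1]:
            p = parse_auth_ldap_url(words[1])
            if p["scheme"] == "ldap" and words[2].upper() not in ("TLS", "STARTTLS"):
                findings.append(f"{p['netloc']}: bind and user passwords sent in cleartext")
    return findings
```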
Refs.
Apache HTTP Server 2.4 LDAP Active Directory authentication: http://stackoverflow.com/questions/14242734/apache-http-server-2-4-ldap-active-directory-authentication
Port 3269: https://technet.microsoft.com/fr-fr/library/dd772723(v=ws.10).aspx
AD ports: https://support.symantec.com/en_US/article.HOWTO80685.html
Apache Module mod_ldap: https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
Upgrading to 2.4 from 2.2: https://httpd.apache.org/docs/2.4/en/upgrading.html
Apache Module mod_authnz_ldap: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
Bug 807491 - LDAPS is not working if LDAPTrustedGlobalCert is defined: https://bugzilla.redhat.com/show_bug.cgi?id=807491
Apache LDAP authentication: http://www.daniel-steiner.org/linux/apachessl
LDAP-based Apache auth (mod_ldap + mod_authnz_ldap) using own CA for SSL/TLS: http://serverfault.com/questions/573536/ldap-based-apache-auth-mod-ldap-mod-authnz-ldap-using-own-ca-for-ssl-tls
The definitive guide of connecting Apache via LDAP SSL to ActiveDirectory + Subversion: http://www.panz.in/2009/06/definitive-guide-of-connecting-apache.html
Issues with Apache 2.4.x and mod_ldap & mod_authnz_ldap: https://www.apachelounge.com/viewtopic.php?t=5370
Setting up Apache and OpenLDAP to use Microsoft's ActiveDirectory: https://trac.edgewall.org/wiki/ActiveDirectory
Troubleshooting
If you get this error:
Invalid command 'AuthzLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration
it's probably because you switched from Apache 2.2 to 2.4. Remove 'AuthzLDAPAuthoritative' and proceed as described above.
The following line in the error log is expected on the first request, before the browser has sent any credentials; it only points to a problem if it keeps repeating after the user has entered their password:
# AH01626: authorization result of Require valid-user : denied (no authenticated user yet)