Most of us corporate application developers work within the boundaries of corporate networks, and this is a good thing: our security and authentication infrastructure is taken care of by the IT security people, just as the databases are taken care of by DBAs. A long time ago, we had to either maintain our own application access credentials or provide users with ways to manage their own.
With Apache authenticating against Active Directory (AD), not anymore!
AD is a directory service created by Microsoft for Windows domain networks using the Lightweight Directory Access Protocol (LDAP). It is included in most Windows Server operating systems.
An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers. For example, when a user logs into a computer that is part of a Windows domain, AD checks the submitted password and determines the user's assigned role within the domain.
Making Apache authenticate against AD is very simple; in the httpd.conf configuration file, set it up the following way:
First, make sure your httpd was built with mod_authnz_ldap: verify by looking in the modules directory for the mod_authnz_ldap.so module and uncomment its LoadModule line in the httpd.conf file (it depends on mod_ldap, which must be loaded as well).
Suppose you operate within the 'domain.local' realm, your AD server is 'ad.domain.local:389' (LDAP default port 389), and the protected files to be accessed by authenticated users only live in c:\MyProtectedDir, which you have previously aliased as "mpd". The following is a literal copy of the relevant part of the httpd.conf file; the rest of the steps are included as comments in the excerpt:
<Directory "C:/MyProtectedDir">
    Options Indexes Includes FollowSymLinks ExecCGI
    Allow from all
</Directory>

<Location /mpd>
    AuthName "MY PROTECTED FILES"
    AuthType Basic
    # First, bind to the AD server using a valid account. This is the account that will query the AD server.
    # Preferably, a service account
    AuthLDAPBindDN "CN=Service Account,OU=All Service Accounts,DC=domain,DC=local"
    # AD does not allow anonymous searches by default, so the service account's password is needed here
    # (placeholder value; keep httpd.conf readable only by the account that runs httpd and the administrators)
    AuthLDAPBindPassword "SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER"
    # Search the supplied username against the AD server
    # The authorized users are under the 'All Authenticated Users' branch in the AD tree structure
    # Note that plain ldap:// carries the bind password and every user's password in cleartext; ldaps:// (port 636) avoids that
    AuthLDAPURL "ldap://AD.DOMAIN.LOCAL:389/ou=All Authenticated Users,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthBasicProvider ldap
    # Require valid user here but it could also be an ldap-group if needed
    Require valid-user
</Location>
And you're done: you are now authenticating against AD with your Apache server.
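As an added example (not code from the original post), the following Python script decomposes the AuthLDAPURL from the excerpt into the pieces mod_authnz_ldap works with (host, port, base DN, attribute, scope, filter) and builds the exact search filter the module sends for a login name, including the RFC 4515 escaping applied to the user-supplied name so it cannot alter the filter. It also goes beyond the post by handling ldaps:// with its default port; the sample URL is constructed from the excerpt above, and the field defaults (uid, sub, (objectClass=*)) are those documented for mod_authnz_ldap.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Constructed sample: the AuthLDAPURL from the httpd.conf excerpt above.
SAMPLE_URL = ("ldap://AD.DOMAIN.LOCAL:389/ou=All Authenticated Users,DC=domain,DC=local"
              "?sAMAccountName?sub?(objectClass=*)")
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str  # attribute matched against the login name (module default: uid)
    scope: str      # "sub", "one" or "base"
    filter: str     # extra filter ANDed with the attribute match

    @property
    def encrypted(self) -> bool:
        # Plain ldap:// sends the bind password and every user's password in cleartext.
        return self.scheme == "ldaps"


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its fields."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    # Fields after the base DN are optional; missing ones take the module's defaults.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = (unquote(f) for f in fields[:3])
    return LdapUrl(scheme, (parts.hostname or "").lower(),
                   parts.port or DEFAULT_PORTS[scheme], unquote(parts.path.lstrip("/")),
                   attribute or "uid", scope or "sub", filt or "(objectClass=*)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def user_search_filter(url: LdapUrl, login: str) -> str:
    """The filter mod_authnz_ldap sends: the URL's filter ANDed with attribute=login."""
    return f"(&{url.filter}({url.attribute}={escape_filter_value(login)}))"
```

Running `parse_auth_ldap_url(SAMPLE_URL)` and checking `encrypted` is a quick pre-deployment review of whether the configured URL leaves credentials in cleartext on the wire.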