====== Allow any Active Directory user to access a folder on Apache 2.4 hosted on Linux ======
When you need to protect a folder on an Apache 2.4 web server installed on a Linux system (Ubuntu in my case), here is how you do it.

First you need to enable the Apache modules 'ldap' and 'authnz_ldap'. On Ubuntu 14.04 you can do that by issuing the following command:
  sudo a2enmod authnz_ldap
It will enable both modules.
Let's assume the following configuration:
  * AD FQDN: sub.domain.intern
  * AD server IP: 10.0.0.1
  * AD User: ldapqueryuser
  * AD Password: ldapquerypassword
  * Folder you want to protect is inside the default host: /var/www/html/ad
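Here is the code you need to paste into the Apache config file:
  <Directory "/var/www/html/ad">
      # Service account used to search the directory for the user logging in
      AuthLDAPBindDN "ldapqueryuser@sub.domain.intern"
      AuthLDAPBindPassword "ldapquerypassword"
      # Search the whole domain subtree, matching the login name against sAMAccountName
      AuthLDAPURL "ldap://10.0.0.1:389/dc=sub,dc=domain,dc=intern?sAMAccountName?sub?(objectClass=*)"
      # Apache 2.2-style access directives; on 2.4 they are handled by mod_access_compat
      Order deny,allow
      Allow from all
      AuthLDAPBindAuthoritative off
      AuthType Basic
      AuthName "ENTER YOUR ACTIVE DIRECTORY CREDENTIALS"
      AuthBasicProvider ldap
      # Any user who authenticates successfully against AD is allowed in
      Require valid-user
  </Directory>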
You can change the folder to protect the whole web site or another subfolder. The values of AuthLDAPBindDN, AuthLDAPBindPassword and AuthLDAPURL must be inside double quotes.
I hope this helps you more than other tutorials helped me. For more information on how to allow certain groups or list of users, visit the [[http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html|Apache site]].
If you plan to run a PHP script in that location, the username will be available to PHP in the $_SERVER['REMOTE_USER'] variable.
  AuthName "AD authentication"
  AuthBasicProvider ldap
  AuthType Basic
  AuthLDAPGroupAttribute member
  AuthLDAPGroupAttributeIsDN On
  AuthLDAPURL ldap://{AD-Hostname/IP}:389/cn=Users,dc={your Domain DN}?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN cn=apache-connect,cn=Users,{your Domain DN}
  AuthLDAPBindPassword {password}
  require ldap-group cn=test,cn=Users,{your Domain DN}
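
Both configurations on this page use ldap:// on port 389 with Basic authentication, so the service account's bind password and each user's AD password cross the network unencrypted between Apache and the domain controller, and between browser and Apache unless the site is served over HTTPS. The following is an added example, not part of the original tutorial, that protects the same folder with LDAPS and HTTPS enforced. The CA file path, the DC hostname dc1.sub.domain.intern and the password helper script are assumptions.

```apache
# Added example; the hostname and file paths marked "assumed" are not from the tutorial.

# --- Server config (outside any <VirtualHost> or <Directory>) ---
# CA certificate that signed the domain controller's LDAPS certificate (assumed path).
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-ca.pem
# Refuse the LDAPS connection if the DC certificate does not verify
# (On is the default; stated explicitly so nobody turns it off unnoticed).
LDAPVerifyServerCert On

# --- Inside the HTTPS virtual host ---
<Directory "/var/www/html/ad">
    # Basic auth only base64-encodes the password: reject requests not made over TLS.
    SSLRequireSSL

    AuthType Basic
    AuthName "ENTER YOUR ACTIVE DIRECTORY CREDENTIALS"
    AuthBasicProvider ldap

    # ldaps:// on port 636 instead of ldap:// on 389. The DC is addressed by DNS
    # name (assumed: dc1.sub.domain.intern) so that it matches the certificate;
    # an IP address usually will not.
    AuthLDAPURL "ldaps://dc1.sub.domain.intern:636/dc=sub,dc=domain,dc=intern?sAMAccountName?sub?(objectClass=*)"

    AuthLDAPBindDN "ldapqueryuser@sub.domain.intern"
    # Keep the bind password out of the config file: Apache runs this helper and
    # uses the first line it prints (assumed script path; exec: needs 2.4.5 or later).
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pass"

    # The 2.2-style Order/Allow lines are not needed on 2.4; Require does the work.
    Require valid-user
</Directory>
```

SSLRequireSSL needs mod_ssl enabled, and the bind account only needs read access to the directory, so it should be a dedicated low-privilege user.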