When you need to protect a folder on an Apache 2.4 web server running on Linux (Ubuntu in my case) with Active Directory authentication, here is how you do it.

First you need to enable the Apache modules 'ldap' and 'authnz_ldap'. You can do it on Ubuntu 14.04 by issuing the following command:
sudo a2enmod authnz_ldap
It will enable both modules.
Let's assume the following configuration:

AD FQDN: sub.domain.intern
AD server IP: 10.0.0.1
AD User: ldapqueryuser
AD Password: ldapquerypassword
Folder you want to protect is inside the default host: /var/www/html/ad
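Here is the code you need to paste into the Apache config file:

<Directory /var/www/html/ad/>
    # Account used to search the directory for the user who is logging in
    AuthLDAPBindDN "ldapqueryuser@sub.domain.intern"
    AuthLDAPBindPassword "ldapquerypassword"
    # Search the whole domain subtree, matching the login name against sAMAccountName
    AuthLDAPURL "ldap://10.0.0.1:389/dc=sub,dc=domain,dc=intern?sAMAccountName?sub?(objectClass=*)"
    # Apache 2.2-style access lines; on 2.4 they are handled by mod_access_compat
    Order deny,allow
    Allow from all
    AuthLDAPBindAuthoritative off
    AuthType Basic
    AuthName "ENTER YOUR ACTIVE DIRECTORY CREDENTIALS"
    AuthBasicProvider ldap
    # Any user who authenticates successfully is allowed in
    Require valid-user
</Directory>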
You can change the folder so you can protect the whole web site, or another sub folder. AuthLDAPBindDN, AuthLDAPBindPassword and AuthLDAPURL must be inside double quotes.
I hope this helps you more than other tutorials helped me. For more information on how to allow certain groups or list of users, visit the Apache site.
If you plan to run a PHP script in that location, the username will be available to PHP in the $_SERVER['REMOTE_USER'] variable.
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL ldap://{AD-Hostname/IP}:389/cn=Users,dc={your Domain DN}?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN cn=apache-connect,cn=Users,{your Domain DN}
AuthLDAPBindPassword {password}
require ldap-group cn=test,cn=Users,{your Domain DN}
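
The same /var/www/html/ad block with the connection to the domain controller encrypted, the bind password kept out of the config file, and access limited to one group. This is an added example, not the author's configuration: the DC hostname dc1.sub.domain.intern, the CA file path, the helper script path and the group DN are assumed placeholders, and it assumes mod_ssl is enabled for the site.

```apache
# Added example. Placeholder values: dc1.sub.domain.intern, /etc/ssl/certs/ad-ca.pem,
# /usr/local/sbin/ldap-bind-pw and the group DN. Replace them with your own.

# Server level (outside any <Directory> or <VirtualHost>):
# CA certificate that signed the domain controller's LDAPS certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-ca.pem
# Refuse the connection if the DC's certificate does not verify (this is the default).
LDAPVerifyServerCert On

<Directory /var/www/html/ad/>
    # Basic auth sends the AD password, only base64-encoded, with every request,
    # so refuse any request to this folder that did not arrive over HTTPS.
    SSLRequireSSL

    AuthType Basic
    AuthName "ENTER YOUR ACTIVE DIRECTORY CREDENTIALS"
    AuthBasicProvider ldap

    # ldaps:// on 636 instead of ldap:// on 389, so neither the bind password nor
    # the users' passwords cross the network in clear text. The DC is addressed by
    # hostname so that the name can match its certificate.
    AuthLDAPURL "ldaps://dc1.sub.domain.intern:636/dc=sub,dc=domain,dc=intern?sAMAccountName?sub?(objectClass=*)"

    AuthLDAPBindDN "ldapqueryuser@sub.domain.intern"
    # exec: runs the named program and uses the first line of its output as the
    # password (httpd 2.4.5 and later). Make the script readable by root only.
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"

    # Group membership is stored as full DNs in the group's "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On

    # Only members of this group get in. On 2.4 the Require line is sufficient;
    # the 2.2-style Order/Allow lines are not needed.
    Require ldap-group cn=test,cn=Users,dc=sub,dc=domain,dc=intern
</Directory>
```

Run `apachectl configtest` after editing, and give ldapqueryuser no rights in the domain beyond reading the directory.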