Allow any Active Directory user to access a folder on Apache 2.4 hosted on Linux

When you need to protect a folder on your Apache 2.4 web server installed on a Linux system (Ubuntu in my case), here is how you do it. First you need to enable the Apache modules 'ldap' and 'authnz_ldap'. On Ubuntu 14.04 you can do that by issuing the following command:

sudo a2enmod authnz_ldap

It will enable both modules (authnz_ldap depends on ldap, so a2enmod pulls it in too); restart Apache afterwards so the new modules are loaded.

Let's assume the following configuration:

AD FQDN: sub.domain.intern
AD server IP:
AD user: ldapqueryuser
AD password: ldapquerypassword
Folder you want to protect (inside the default host): /var/www/html/ad

Here is the configuration you need to paste into your Apache config file (on Ubuntu, for example, into the default virtual host in /etc/apache2/sites-available/000-default.conf):

<Directory /var/www/html/ad/>
        # AuthName is required by Basic authentication (Apache refuses the request without it)
        AuthName "AD authentication"
        AuthType Basic
        AuthBasicProvider ldap
        # Account Apache binds with to look up users; keep this file readable by root only
        AuthLDAPBindDN "ldapqueryuser@sub.domain.intern"
        AuthLDAPBindPassword "ldapquerypassword"
        # Layout: scheme://host/base DN?login attribute?scope?filter
        # Replace {AD-server-IP} with the address of your AD server. Plain ldap:// sends
        # the bind password and every user's password in clear text; prefer ldaps://
        AuthLDAPURL "ldap://{AD-server-IP}/dc=domain,dc=intern?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindAuthoritative off
        # "Order deny,allow" / "Allow from all" are Apache 2.2 directives and are not needed on 2.4
        Require valid-user
</Directory>

You can change the folder to protect the whole website or another sub folder. The values of AuthLDAPBindDN, AuthLDAPBindPassword and AuthLDAPURL must be inside double quotes.
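As an added check that is not part of the original page: a small Python linter for the AuthLDAPURL layout used above (scheme://host[:port]/base DN?attribute?scope?filter). It rejects a URL whose host was left out (the mistake that yields a bare "ldap://,dc=..." authority), applies mod_authnz_ldap's documented defaults for the missing parts, and flags a cleartext ldap:// scheme. The hosts 10.0.0.5 and dc1.sub.domain.intern used below are constructed sample values.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# mod_authnz_ldap URL layout: scheme://host[:port]/basedn?attribute?scope?filter
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")
_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str

def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split an AuthLDAPURL into its parts; ValueError if Apache could not use it."""
    parts = urlsplit(url.strip().strip('"'))
    if parts.scheme not in _DEFAULT_PORT:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    # A netloc like ',dc=domain,dc=intern' means the host was left out of the URL
    host = parts.hostname or ""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"missing or malformed host {parts.netloc!r}")
    base_dn = parts.path.lstrip("/")
    if not base_dn:
        raise ValueError("empty base DN")
    # Everything after the first '?' is attribute?scope?filter, each part optional
    attribute, scope, filt = (parts.query.split("?", 2) + ["", ""])[:3]
    scope = scope or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return LdapUrl(parts.scheme, host, parts.port or _DEFAULT_PORT[parts.scheme],
                   base_dn, attribute or "uid", scope, filt or "(objectClass=*)")

def is_valid_auth_ldap_url(url: str) -> bool:
    try:
        return bool(parse_auth_ldap_url(url))
    except ValueError:
        return False

def lint_auth_ldap_url(url: str) -> list:
    """Findings a reviewer would raise about a syntactically valid URL."""
    u = parse_auth_ldap_url(url)
    findings = []
    if u.scheme == "ldap":
        findings.append("ldap:// without TLS: the bind password and each user's "
                        "password cross the network in clear text; prefer ldaps://")
    return findings
```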

I hope this helps you more than other tutorials helped me. For more information on how to allow certain groups or a list of users, see the mod_authnz_ldap documentation on the Apache site.

If you plan to run a PHP script in that location, the username will be available to PHP in the $_SERVER['REMOTE_USER'] variable.

Group membership

To allow only members of one AD group instead of every valid user, use Require ldap-group in the same Directory block; the placeholders in curly braces are yours to fill in:

AuthName "AD authentication"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL "ldap://{AD-Hostname/IP}:389/cn=Users,{your Domain DN}?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=apache-connect,cn=Users,{your Domain DN}"
AuthLDAPBindPassword "{password}"
Require ldap-group "cn=test,cn=Users,{your Domain DN}"
  • linux/ubuntu/apache_ad.txt
  • Last modified: 2019-10-31 09:05