linux:ubuntu:apache_ad [2019/10/31 09:05] (current) – created - external edit 127.0.0.1
====== Allow any Active Directory user to access a folder on Apache 2.4 hosted on Linux ======
When you need to protect a folder on an Apache 2.4 web server installed on a Linux system (Ubuntu in my case), here is how you do it.

First you need to enable the Apache modules 'ldap' and 'authnz_ldap'. On Ubuntu 14.04 you can do it by issuing the following command:
<code>
sudo a2enmod authnz_ldap
</code>
It will enable both modules, because authnz_ldap depends on ldap and a2enmod pulls the dependency in.

Let's assume the following configuration:
AD FQDN: sub.domain.intern
AD server IP: 10.0.0.1
AD user: ldapqueryuser
AD password: ldapquerypassword
Folder you want to protect, inside the default host: /var/www/html/ad

Here is the code you need to paste into the Apache config file:
<code>
<Directory /var/www/html/ad/>
        # Account Apache binds with to look up users; it only needs read access to the directory
        AuthLDAPBindDN "ldapqueryuser@sub.domain.intern"
        AuthLDAPBindPassword "ldapquerypassword"
        # Format: host:port/base DN?attribute matched against the login name?scope?filter
        # ldap:// is cleartext; prefer ldaps://10.0.0.1:636 (or LDAPTrustedMode TLS) so the
        # bind password and the users' passwords do not cross the network unencrypted
        AuthLDAPURL "ldap://10.0.0.1:389/dc=sub,dc=domain,dc=intern?sAMAccountName?sub?(objectClass=*)"
        # Apache 2.2-style access control, still accepted on 2.4 through mod_access_compat;
        # the Require line below is what actually restricts access
        Order deny,allow
        Allow from all
        # Only matters when AuthBasicProvider lists more than one provider
        AuthLDAPBindAuthoritative off
        # Basic auth sends the password base64-encoded, so serve this folder over HTTPS
        AuthType Basic
        AuthName "ENTER YOUR ACTIVE DIRECTORY CREDENTIALS"
        AuthBasicProvider ldap
        # Any account that binds successfully is allowed in
        Require valid-user
</Directory>
</code>
You can change the folder path to protect the whole web site or another sub folder. AuthLDAPBindDN, AuthLDAPBindPassword and AuthLDAPURL must be inside double quotes.
 +
I hope this helps you more than other tutorials helped me. For more information on how to allow certain groups or a list of users, visit the [[http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html|Apache site]].
 +
If you plan to run a PHP script in that location, the username will be available to PHP in the $_SERVER['REMOTE_USER'] variable.
 +
<code | Group membership>
# Same pattern, but restricted to members of one AD group. Put this inside a
# <Directory> or <Location> block and replace the {placeholders} with your own values.
AuthName "AD authentication"
AuthBasicProvider ldap
AuthType Basic
# AD group objects list their members' DNs in the "member" attribute
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL "ldap://{AD-Hostname/IP}:389/cn=Users,dc={your Domain DN}?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "cn=apache-connect,cn=Users,{your Domain DN}"
AuthLDAPBindPassword "{password}"
# Nested groups are not followed with the module's defaults (they target groupOfNames);
# see AuthLDAPSubGroupClass and AuthLDAPMaxSubGroupDepth in the mod_authnz_ldap docs
Require ldap-group "cn=test,cn=Users,{your Domain DN}"
</code>
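Both blocks above hinge on getting the AuthLDAPURL right. The checker below is an added example written for this page, not code from Apache or from the wiki author: it decodes a URL of the form used here (host:port/base DN?attribute?scope?filter) with the defaults mod_authnz_ldap documents and flags the settings a reviewer would question, such as a cleartext ldap:// scheme. The function names and the second sample URL (ldaps://dc1.sub.domain.intern) are my own assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical checker written for this page, not part of Apache or the wiki: it
# decodes an AuthLDAPURL (ldap://host:port/basedn?attribute?scope?filter) with the
# defaults mod_authnz_ldap documents, then flags settings worth a second look
# before the line goes into the Apache config.
DEFAULTS = ("uid", "sub", "(objectClass=*)")  # attribute, scope, filter

@dataclass
class AuthLdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str

def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    parts = urlsplit(url.strip().strip('"'))  # the config line carries the quotes
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing directory server host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # After the base DN each '?'-separated field is optional and may be empty.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 3:
        raise ValueError("more than three '?' fields after the base DN")
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = (f or d for f, d in zip(fields, DEFAULTS))
    scope = "sub" if scope == "base" else scope  # the module treats base as sub
    if scope not in ("one", "sub"):
        raise ValueError(f"invalid scope {scope!r}")
    return AuthLdapUrl(parts.scheme, parts.hostname, port,
                       parts.path.lstrip("/"), attribute, scope, filt)

def lint_auth_ldap_url(url: str) -> list[str]:
    u = parse_auth_ldap_url(url)
    warnings = []
    if u.scheme == "ldap":
        warnings.append("cleartext ldap://: the bind password and every user's password "
                        "cross the network unencrypted; use ldaps:// or LDAPTrustedMode TLS")
    if u.attribute == "uid":
        warnings.append("attribute defaulted to uid; AD logins use sAMAccountName or userPrincipalName")
    if not (u.filter.startswith("(") and u.filter.endswith(")")):
        warnings.append(f"filter {u.filter!r} must be wrapped in parentheses")
    return warnings
```

Run lint_auth_ldap_url() on the AuthLDAPURL line from the config above and it reports only the cleartext warning; the same URL with ldaps:// and port 636 passes clean.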