Penguin

I needed to authenticate a website for a school against an Active Directory server today. I found the job surprisingly easy.

My first attempt was using a pam smb module, and an apache pam module. This worked well, but had a couple of flaws:

  • You could only have one /etc/pam.d/ file for apache, so if you wanted different styles of authentication you were out of luck. doh.
  • The pam smb module doesn't support groups, so I couldn't have an area just for Teachers.

Oh well, scrapped that idea.

I looked at the smb modules for apache. This was a port of the pam_smb module to the Apache API, which didn't really gain me much, except that it removed the limitation of one /etc/pam.d/ file for apache. Not that this really was much of a problem if you didn't have group support.

My final approach to the problem was an LDAP authentication module for apache. This hit the nail on the head.

The major stumbling block I had was trying to find out the BaseDN. If you bind anonymously you can't search or do anything useful. To bind as someone useful, you have to know their DN, including the BaseDN. It turns out the BaseDN is the name of the 'domain' with dc [1] components inserted, so if your domain is 'example.com', your BaseDN is dc=example,dc=com. I'm not sure if this can be configured to be something else.

I had to learn how to write LDAP URLs, but it was dead basic. The configuration I used was:

<Directory /var/www/staff>
    AuthLDAPURL ldap://ads.example.com:389/OU=Users,OU=Teachers,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN cn=user,cn=Users,dc=example,dc=com
    AuthLDAPBindPassword password-here
    AuthType Basic
    AuthName "Mumble School Intranet"
    require valid-user
</Directory>

/var/www/staff should be the path that you want to secure.

ads.example.com should be the hostname of your ADS server. I suspect you can use something like _ldap._tcp.example.com here, but I didn't experiment; comments anyone?

user should be an account that has read privilege to the directory.

password-here should be that user's password.

and voila! It worked.

You can test the LDAP side of Active Directory by using

    ldapsearch -x -b basedn -D cn=user,cn=Users,dc=example,dc=com -W

-x: use simple auth. Never got the non-simple auth to ever work
-b: use this base DN
-D: use this as the DN to bind as
-W: prompt for the bind DN's password
The URL is

    ldap://hostname:389/search basedn?username attribute?search type?search filter

where:

hostname: the hostname of the LDAP server
search basedn: the root of the search you're going to do
username attribute: the name of the attribute holding the username
search type: 'sub' for subtree
search filter: a filter to apply; we only want to return users (since we don't want people doing something silly like authenticating as a printer or a domain name)

sAMAccountName is the LDAP attribute Active Directory uses for storing the username.

[1]: Domain Component
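To tie together the BaseDN rule above (domain labels become dc= components) and the AuthLDAPURL layout just described, here is an added Python example. It is not code from the original page or from Apache; the hostname, domain and OU names are the ones the page uses, and the audit rules (clear-text ldap://, non-subtree scope, a filter that does not restrict to user objects) are my own checks, not Apache behaviour. The defaults applied to missing URL fields are those documented for mod_authnz_ldap.

```python
"""Build, parse and sanity-check the AuthLDAPURL format from the page.

Added example (not from the original page or from Apache). Sample values
are constructed; hostname, domain and OUs follow the page.
"""
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = ("base", "one", "sub")

# Constructed sample values, matching the page's example configuration.
EXAMPLE_DOMAIN = "example.com"
EXAMPLE_URL = (
    "ldap://ads.example.com:389/OU=Users,OU=Teachers,DC=example,DC=com"
    "?sAMAccountName?sub?(objectClass=user)"
)


def domain_to_base_dn(domain):
    """Derive the Active Directory base DN from the DNS domain name.

    Each DNS label becomes one dc= (Domain Component) RDN, so
    'example.com' -> 'dc=example,dc=com'.
    """
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join("dc=%s" % label for label in labels)


def build_auth_ldap_url(host, base_dn, attribute="sAMAccountName", scope="sub",
                        search_filter="(objectClass=user)", scheme="ldap", port=None):
    """Assemble scheme://host:port/basedn?attribute?scope?filter."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be ldap or ldaps")
    if scope not in VALID_SCOPES:
        raise ValueError("scope must be one of base, one, sub")
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return "%s://%s:%d/%s?%s?%s?%s" % (scheme, host, port, base_dn,
                                       attribute, scope, search_filter)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its components.

    Missing trailing fields take mod_authnz_ldap's documented defaults:
    attribute uid, scope sub, filter (objectClass=*).
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("URL must start with ldap:// or ldaps://")
    hostport, _, path = rest.partition("/")
    host, _, port_text = hostport.partition(":")
    if not host:
        raise ValueError("URL has no hostname")
    port = int(port_text) if port_text else DEFAULT_PORTS[scheme]
    # At most four '?'-separated fields; a filter may itself contain '?'.
    fields = path.split("?", 3)
    fields += [""] * (4 - len(fields))  # pad so every component has a slot
    base_dn, attribute, scope, search_filter = fields
    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "base_dn": unquote(base_dn),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": unquote(search_filter) or "(objectClass=*)",
    }


def audit_auth_ldap_url(url):
    """Return the findings a reviewer would raise about an AuthLDAPURL."""
    parts = parse_auth_ldap_url(url)
    findings = []
    if parts["scheme"] == "ldap":
        findings.append("ldap:// sends the bind password and each user's "
                        "credentials in clear text unless STARTTLS is enabled; "
                        "prefer ldaps://")
    if parts["scope"] != "sub":
        findings.append("scope '%s' only matches the base object or its "
                        "immediate children; check it covers the users' "
                        "containers" % parts["scope"])
    if "objectclass=user" not in parts["filter"].replace(" ", "").lower():
        findings.append("filter %s does not restrict matches to user objects"
                        % parts["filter"])
    return findings


if __name__ == "__main__":
    print(domain_to_base_dn(EXAMPLE_DOMAIN))
    for key, value in parse_auth_ldap_url(EXAMPLE_URL).items():
        print("%-9s %s" % (key, value))
    for finding in audit_auth_ldap_url(EXAMPLE_URL):
        print("finding:", finding)
```

The parser deliberately hand-splits the URL rather than using urllib's generic splitter, because the '?' separators in an LDAP URL are field delimiters, not the start of an HTTP-style query string. The audit pass flags the page's own URL on one point only: it uses plain ldap:// on port 389, so the AuthLDAPBindPassword and every Basic-auth login cross the network unencrypted unless TLS is turned on.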

The following authors of this page have not agreed to the WlugWikiLicense. As such copyright to all content on this page is retained by the original authors.
  • BrianCain
  • CalRacey
The following authors of this page have agreed to the WlugWikiLicense.
