How to Configure Apache Authentication with Active Directory
From ChekMate Security Group
©2003 by Thomas Gary Howard, Luminary Arts
First, enable the mod_auth_ldap module (together with the util_ldap module it depends on, which must be loaded first) within your Apache configuration. These are the Apache 2.0 module names; Apache 2.2 and later ship the same functionality as mod_authnz_ldap, whose authorization directives differ from those shown here.
LoadModule ldap_module modules/util_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
Next, configure the global parameters for LDAP authentication for your site. All users and groups are stored under the Users container in Active Directory (AD), so every account reference must point at that location in the directory tree (cn=Users,dc=yourdomain,dc=com in the examples below). Also note that you must provide the username (AuthLDAPBindDN) and password (AuthLDAPBindPassword) of an existing AD account in order to perform the lookup; without it, AD will not authorize the query. Use a dedicated account with read-only rights for this, because its password is stored in clear text in the Apache configuration file, and restrict who can read that file.
<Directory />
    # Everything in "All" except directory listings, spelled out because Apache
    # rejects an Options line that mixes bare keywords with +/- ones
    Options ExecCGI FollowSymLinks Includes
    Order allow,deny
    Allow from all
    # LDAP Authentication & Authorization is final; do not check other databases
    AuthLDAPAuthoritative on
    # Do basic password authentication in the clear (the browser sends the
    # user's password base64-encoded, so serve protected areas over HTTPS)
    AuthType Basic
    # The name of the protected area or "realm"
    AuthName "Luminary Arts"
    # Active Directory requires an authenticating DN to access records
    AuthLDAPBindDN cn=LDAP_Username,cn=Users,dc=yourdomain,dc=com
    # This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword LDAP_Password
    # The LDAP query URL: host:port/base DN?login-name attribute?scope?filter
    AuthLDAPURL "ldap://ldap.yourdomain.com:389/cn=Users,dc=yourdomain,dc=com?sAMAccountName?sub?(objectClass=*)"
</Directory>
To allow access to only specific users, configure the following commands within a directory configuration block:
<Directory "D:/UserDirectory">
    AuthName "Special User Area"
    require user username1 username2 username3
</Directory>
To allow access by user group, place the following command within the directory's configuration block:
<Directory "D:/GroupDirectory">
    AuthName "Special Group Area"
    require group cn=Group,cn=Users,dc=yourdomain,dc=com
</Directory>
Note that Administrators is a special group within Windows and is located in the Builtin folder of Active Directory. To restrict access to the Administrators group, you will need to use Builtin for the CN, not Users!
<Directory "D:/AdministratorsOnlyDirectory">
    require group cn=Administrators,cn=Builtin,dc=yourdomain,dc=com
</Directory>
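As an added illustration (not part of the original article or of mod_auth_ldap itself), the following Python models what the directives above do: it splits the AuthLDAPURL into its fields, builds the per-login search filter with the login name escaped so that a crafted name cannot alter the filter, and evaluates "require user" and "require group" lines against a constructed in-memory stand-in for the directory, where a group grants access only if its member attribute holds the user's DN. The directory entries, account names and helper function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

AUTH_LDAP_URL = ("ldap://ldap.yourdomain.com:389/cn=Users,dc=yourdomain,dc=com"
                 "?sAMAccountName?sub?(objectClass=*)")   # the AuthLDAPURL from the article

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (scheme://host:port/basedn?attribute?scope?filter)."""
    p = urlsplit(url)
    fields = (p.query.split("?") + ["", "", ""])[:3]
    return {"scheme": p.scheme, "host": p.hostname, "port": p.port or 389,
            "basedn": unquote(p.path.lstrip("/")),
            "attribute": fields[0] or "uid",          # attribute matched against the login name
            "scope": fields[1] or "sub",
            "filter": fields[2] or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name like 'x)(cn=*' cannot rewrite the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def user_search_filter(cfg, username):
    """Filter sent to AD: the URL's filter ANDed with the (escaped) login name."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))

DIRECTORY = {  # constructed stand-in for the AD tree (not a real domain)
    "cn=Alice,cn=Users,dc=yourdomain,dc=com": {"sAMAccountName": ["alice"]},
    "cn=Bob,cn=Users,dc=yourdomain,dc=com": {"sAMAccountName": ["bob"]},
    "cn=WebAdmins,cn=Users,dc=yourdomain,dc=com":
        {"member": ["cn=Alice,cn=Users,dc=yourdomain,dc=com"]},
}

def find_user_dn(cfg, username):
    """Return the DN under the base DN whose login attribute matches (case-insensitive, as AD does)."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(cfg["basedn"].lower()) and \
           username.lower() in [v.lower() for v in attrs.get(cfg["attribute"], [])]:
            return dn
    return None

def authorize(cfg, username, require):
    """Evaluate a 'require user ...' or 'require group <group DN>' line for an authenticated user."""
    kind, _, args = require.partition(" ")
    dn = find_user_dn(cfg, username)
    if dn is None:
        return False
    if kind == "user":                     # require user name1 name2 ...
        return username.lower() in args.lower().split()
    members = DIRECTORY.get(args, {}).get("member", []) if kind == "group" else []
    return dn.lower() in [m.lower() for m in members]   # group's member attribute must hold the user's DN
```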
If you have a complicated directory structure and aren't sure how to specify the LDAP path of a user or group, run the following from the Windows command prompt (Start > Run ...) on the domain controller to export your directory tree to an LDIF file and view it (the -s 127.0.0.1 argument targets the local server):
ldifde -f my_domain.ldif -s 127.0.0.1