While playing around with Apache web server authentication I was wondering: Is it possible to authenticate Apache against LDAP without requiring a proxy account to do the queries?
At first glance this seems to require an LDAP server that allows anonymous bind and read access, however there’s another way:
If a regular user (of the LDAP directory) is allowed to read (the required) data after authenticating, why not use the credentials provided to the Apache web server during login to connect to the directory and do so?
This is exactly what the following setup achieves:
<Location /ldap-protected>
    AuthType Basic
    AuthName "LDAP Auth"
    AuthBasicProvider ldap
    # where to search for the user and which attribute holds the login name
    AuthLDAPURL "ldaps://ldap.mydomain.de/CN=Users,DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*)"
    # build the bind DN from the login name given to Apache, then bind as that user
    AuthLDAPInitialBindPattern (.+) CN=$1,CN=Users,DC=mydomain,DC=de
    AuthLDAPInitialBindAsUser on
    AuthLDAPSearchAsUser on
    AuthLDAPCompareAsUser on
    <RequireAll>
        Require valid-user
        Require ldap-group CN=Remote Users,CN=Users,DC=mydomain,DC=de
    </RequireAll>
    Require all denied
</Location>
This is only the short snippet without SSL setup and all the other things required in order to make your Apache setup work (but there’s plenty of documentation about that out there).
It uses the credentials provided upon web login to bind to the LDAP server (if login and password match). The example also checks for a certain group membership (this is optional, however).
LDAP basics
However, there are still some LDAP-specific settings you need to know about in order to use the above setup.
A user in an LDAP directory is not only identified by its login name, but also by the “path” where it is stored within the LDAP tree. That’s why we need to tell Apache where to look for users:
AuthLDAPInitialBindPattern (.+) CN=$1,CN=Users,DC=mydomain,DC=de
One of the basics required in the LDAP world is the base path (basically the “root” of our LDAP tree). The best way is probably to ask your local administrator for those values (and tell them what you’re about to do), or you can check things out yourself:
linux > ldapsearch -H ldap://dc1.mydomain.de -b '' -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: CN=Schema,CN=Configuration,DC=mydomain,DC=de
namingContexts: CN=Configuration,DC=mydomain,DC=de
namingContexts: DC=mydomain,DC=de
namingContexts: DC=DomainDnsZones,DC=mydomain,DC=de
namingContexts: DC=ForestDnsZones,DC=mydomain,DC=de
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
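The following script is an added example, not part of the original post: it picks the domain base DN out of the namingContexts output above and replays, with ldapsearch, the bind-as-user and search-as-user steps the Apache configuration performs, so the directory side can be debugged before touching the web server. The host name, the CN=Users container and the attribute names are assumed to match the snippet above.

```shell
#!/bin/sh
# Added example, not from the original post: derive the domain base DN from the
# namingContexts output above and replay, with ldapsearch, the bind/search steps
# that mod_authnz_ldap performs when AuthLDAPInitialBindAsUser is on.
# The host below is an assumed placeholder taken from the snippet.
LDAP_HOST="ldaps://ldap.mydomain.de"

# Constructed sample of what 'ldapsearch -b "" -s base namingContexts' returns.
SAMPLE_LDIF='dn:
namingContexts: CN=Schema,CN=Configuration,DC=mydomain,DC=de
namingContexts: CN=Configuration,DC=mydomain,DC=de
namingContexts: DC=mydomain,DC=de
namingContexts: DC=DomainDnsZones,DC=mydomain,DC=de
namingContexts: DC=ForestDnsZones,DC=mydomain,DC=de'

# Print the domain root: the shortest context made only of DC= components.
# DomainDnsZones/ForestDnsZones are separate partitions and are longer.
domain_base_dn() {
    printf '%s\n' "$1" | sed -n 's/^namingContexts: //p' |
        grep -E '^DC=[^,]+(,DC=[^,]+)*$' |
        awk '{ print length($0), $0 }' | sort -n | head -n 1 | cut -d ' ' -f 2-
}

# Apply the AuthLDAPInitialBindPattern rewrite "(.+) -> CN=$1,CN=Users,<base>".
# The login is spliced into a DN and later into a search filter, so this script
# only accepts plain sAMAccountName-style characters instead of trusting "(.+)".
bind_dn() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'CN=%s,CN=Users,%s\n' "$1" "$2"
}

# Replay Apache's steps: bind as the user (initial bind), then search CN=Users
# for the sAMAccountName as that user and print memberOf so the group named in
# "Require ldap-group" can be checked by eye. Needs ldap-utils and a reachable
# directory, so it is only run when a login and password are given.
check_login() {
    user="$1" pass="$2" base="$3"
    dn=$(bind_dn "$user" "$base") || { echo "rejected login name" >&2; return 1; }
    ldapsearch -H "$LDAP_HOST" -x -D "$dn" -w "$pass" \
        -b "CN=Users,$base" -s sub "(sAMAccountName=$user)" dn memberOf
}

if [ "$#" -eq 2 ]; then
    check_login "$1" "$2" "$(domain_base_dn "$SAMPLE_LDIF")"
fi
```

Run it as `sh check.sh <login> <password>`; a successful bind followed by an entry whose memberOf lists the group from `Require ldap-group` means the directory side of the setup is in order.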