Apache Active Directory Authentication

Apache is a solid web server that can front open-source applications such as MediaWiki, which is a good solution for information sharing.
But what if you want MediaWiki to share information only with members of the local office's Active Directory domain?
Or only with members of a specific group in the Active Directory?

Apache ships with a module called mod_authnz_ldap (backed by mod_ldap, which handles the LDAP connections and caching) that lets you use Active Directory as the authentication and authorization source for your users,
so you can create a protected wiki branch for each department.

To set up Apache to use Active Directory as its access manager you need to make sure both LDAP modules were built with (or for) your Apache and that these lines are in the httpd.conf file:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

If you have a Windows server with the XAMPP bundle of Apache and MySQL, the modules ship pre-built with Apache;
either way, you can check that they are actually loaded with:

C:\xampp\apache\bin\httpd.exe -t -D DUMP_MODULES
The output should include these two lines:
authnz_ldap_module (shared)
ldap_module (shared)

Once the LDAP modules are loaded you can add the user authentication settings to the Apache configuration file:

Any authenticated user from the domain:

<Location /Finance_Wiki>
AuthType Basic
AuthName "Finance Wiki Access"
AuthBasicProvider ldap
AuthLDAPBindDN "CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com"
AuthLDAPBindPassword "proxy_user_pass"
AuthLDAPURL "ldap://pdc.some.domain.com:389/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
Require valid-user
</Location>

The AuthLDAPBindDN and AuthLDAPBindPassword settings name the account Apache uses to search the Active Directory tree for the user who is logging in; the user's own password is then verified by binding to the domain controller as the DN that search returned.
Create a dedicated account for this with the minimum rights possible in the domain: it only needs to read the OU you search under, which any plain domain user can do by default.
Keep in mind that this password sits in clear text in httpd.conf, so restrict read access to that file, and that a plain ldap:// connection on port 389 sends both the proxy password and every user's password to the domain controller unencrypted; use ldaps:// on port 636 (or a global LDAPTrustedMode TLS) in production. Basic authentication likewise only base64-encodes the user's password, so serve the wiki over HTTPS.
The AuthLDAPURL parts after the base DN are the attribute to match the login name against (sAMAccountName, the pre-Windows-2000 logon name in AD), the search scope (sub, the whole subtree) and an LDAP filter; (objectClass=*) matches everything, and (objectClass=user) is a safer choice so that only user objects can ever be matched.

This configuration lets any authenticated user from the domain into the /Finance_Wiki folder. To allow access only to a specific group, replace the Require valid-user line with:

Require ldap-group "CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com"

This is the line that restricts the Active Directory authentication to members of that one group. Replace rather than add: in Apache 2.4 several Require lines in one block are OR'd together (an implicit RequireAny), so leaving Require valid-user in place would still let every domain user in. By default the module looks for the user's DN in the group's member attribute, which is how Active Directory stores direct membership, so no further settings are needed for that case.
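As an added example (not part of the original post or of Apache), here is a small offline linter for a <Location> block of this kind. It parses the AuthLDAPURL into its RFC 4516 parts (base DN, attribute, scope, filter) and flags the mistakes the post's own fragment would have shipped with: smart quotes pasted from a blog editor, Require valid-user left beside Require ldap-group, a clear-text ldap:// URL, and the catch-all (objectClass=*) filter. The two configuration strings are constructed samples; the hostnames, DNs and password are the placeholders from the post and are not real.

```python
"""Lint an Apache <Location> block that authenticates against Active Directory
with mod_authnz_ldap.  Added example for this post, not Apache's own tooling;
it only parses configuration text, so it runs offline."""
from urllib.parse import urlsplit

CURLY = "\u201c\u201d\u2018\u2019"   # smart quotes that blog editors tend to insert

# Constructed sample 1: the block as it appears in the post (smart quotes, plain
# ldap://, Require valid-user left in next to Require ldap-group).  Placeholders only.
POSTED_CONF = """
<Location /Finance_Wiki>
Require valid-user
AuthType Basic
AuthName \u201cFinance Wiki Access\u201d
AuthBasicProvider \u201cldap\u201d
AuthLDAPBindDN \u201cCN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com\u201d
AuthLDAPBindPassword \u201cproxy_user_pass\u201d
AuthLDAPURL \u201cldap://pdc.some.domain.com:389/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)\u201d
require ldap-group CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com
</Location>
"""

# Constructed sample 2: the same block hardened (straight quotes, ldaps://, one Require).
HARDENED_CONF = """
<Location /Finance_Wiki>
AuthType Basic
AuthName "Finance Wiki Access"
AuthBasicProvider ldap
AuthLDAPBindDN "CN=proxy_user,OU=sub_group,OU=main_group,DC=some,DC=domain,DC=com"
AuthLDAPBindPassword "proxy_user_pass"
AuthLDAPURL "ldaps://pdc.some.domain.com:636/OU=main_group,DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
Require ldap-group "CN=groupname,OU=group.container,OU=main_group,DC=some,DC=domain,DC=com"
</Location>
"""


def parse_directives(conf):
    """Return [(directive_name_lowercased, value)] for each directive line.
    Container tags (<Location>, </Location>) and comments are skipped; surrounding
    straight or smart quotes are stripped from the value."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "<#":
            continue
        name, _, value = line.partition(" ")
        out.append((name.lower(), value.strip().strip('"' + CURLY)))
    return out


def parse_ldap_url(url):
    """Split an AuthLDAPURL into its RFC 4516 pieces:
        scheme://host[:port]/basedn?attribute?scope?filter
    Absent pieces get the defaults mod_authnz_ldap uses: uid, sub, (objectClass=*)."""
    parts = urlsplit(url)                      # everything after the first '?' is .query
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,                    # None when not given
        "basedn": parts.path.lstrip("/"),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def lint(conf):
    """Return a list of findings for one <Location> block; [] means nothing to flag."""
    findings = []
    if any(ch in conf for ch in CURLY):
        findings.append("smart quotes: Apache treats them as part of the value; use straight ASCII quotes")

    directives = parse_directives(conf)
    require_kinds = {v.split()[0].lower() for n, v in directives if n == "require" and v}
    if {"valid-user", "ldap-group"} <= require_kinds:
        findings.append("Require valid-user next to Require ldap-group: Apache 2.4 ORs them "
                        "(implicit RequireAny), so every domain user still gets in; drop valid-user")

    url = next((v for n, v in directives if n == "authldapurl"), None)
    if url is None:
        findings.append("AuthLDAPURL missing")
        return findings
    u = parse_ldap_url(url)
    if u["scheme"] != "ldaps":
        findings.append("%s:// is clear text: the bind password and every user's password cross the "
                        "wire unencrypted; use ldaps:// (636) or a global LDAPTrustedMode TLS" % u["scheme"])
    if u["attribute"].lower() == "uid":
        findings.append("attribute uid: AD accounts have no uid, match on sAMAccountName instead")
    if u["filter"].lower() == "(objectclass=*)":
        findings.append("filter (objectClass=*) matches every object in the subtree; narrow it to (objectClass=user)")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", lint(conf) or "ok")
```

Run it against a block copied out of httpd.conf before reloading Apache; the posted sample yields four findings and the hardened one none. The linter sees only the block you hand it, so a LDAPTrustedMode TLS set at server level (which turns ldap:// into StartTLS) will still be reported as clear text.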

This way you can prepare a wiki branch for each group in your company and share internal material only with the people who are supposed to see it.
