Web Authentication Source: Active Directory

Instead of building yet another authentication source for your web application, you should strive to reuse an existing one. Depending on your environment and your security requirements, a readily available source is your company's Active Directory domain. It is easily used by Internet Information Services hosts in a trusting domain, and Active Directory can also authenticate Kerberos logins or serve as an LDAP back end.

Here's how to use Active Directory with Apache's mod_auth_ldap.

If you are running an internal application in a predominantly Microsoft environment, an Active Directory domain is an excellent choice for an authentication source. You should take steps* to prevent the exposure of usernames and passwords as they traverse the network, but that is true of any authentication source. With HTTP Basic Authentication the browser sends the credentials base64-encoded (not encrypted) on every request, and the web server then forwards them to the directory in an LDAP simple bind, so there are two network legs to protect. The following procedure describes configuring an Apache-based web server to use an existing Active Directory domain as the authentication source for HTTP Basic Authentication.

You'll need a clean path from the web server to the directory service. A clean path in this instance means being able to establish a TCP/IP session on port 389 (LDAP) or 636 (LDAP over TLS) between the two end-points. You will also need an account in the directory that the web server can bind with in order to look up users' distinguishedNames, because Active Directory does not permit anonymous searches by default.

First, find the directory servers. Every Active Directory domain controller that offers LDAP is registered in DNS as an SRV record; AD depends on these records to work. The answer lists each server's priority, weight, port and hostname.

 nslookup -q=srv _ldap._tcp.example.com

Now that you have a list of LDAP servers, configure Apache. Confirm that mod_ldap and mod_auth_ldap are compiled and available in your modules directory, then add the following lines to your Apache configuration. These lines are for the httpd 2.0 build on Windows. In httpd 2.2 and later the modules are mod_ldap and mod_authnz_ldap (ldap_module and authnz_ldap_module), so your specific installation may differ.

 LoadModule auth_ldap_module   modules/mod_auth_ldap.so
 LoadModule ldap_module   modules/util_ldap.so

At this point you may want to test the configuration to confirm you haven't broken anything (the binary is apache on the httpd 2.0 Windows build; it is httpd or apachectl elsewhere).

 apache -t
 Syntax OK

Now, let's protect a test location. See the Apache documentation for authentication, mod_ldap and mod_auth_ldap if you would like to understand the specific directives.

 <Location /ldap>
     Options Indexes FollowSymLinks
     # AllowOverride is only valid inside <Directory>; in a <Location>
     # Apache refuses to start with "AllowOverride not allowed here".
     # Host-based access (httpd 2.0/2.2 syntax): let everyone reach the
     # location, then require authentication on top of that.
     Order allow,deny
     Allow from all
     AuthName "Test Platform"
     AuthType Basic
     # scheme://host:port/base-DN?attribute?scope?filter
     # The login name the user types is matched against sAMAccountName
     # in a subtree search below the base DN. Note that a default domain
     # keeps its built-in accounts in the cn=Users container, not an OU;
     # use whatever base matches your directory.
     # ldap:// on 389 sends the bind and user passwords unencrypted
     # (see the note on TLS below).
     AuthLDAPUrl ldap://myDomainController.example.com:389/ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectclass=*)
     # need this account and setting because Active Directory
     # does not allow anonymous binding by default
     AuthLDAPBindDN "cn=apacheAccount,ou=Users,dc=example,dc=com"
     # alternatively, you can use the NetBIOS logon name
     #AuthLDAPBindDN "myDomain\apache"
     AuthLDAPBindPassword "aPassword"
     # any account that binds successfully is let in
     require valid-user
 </Location>
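The block above gets you working authentication, but it leaves the bind account's and every user's password readable on both network legs, admits any account in the directory, and uses the httpd 2.0 module names. The following is an added, hardened equivalent in httpd 2.4 syntax; it is not from the original post. The domain controller name, the CA file path, the group name, the bind account and the password-helper program are assumed placeholders, and the base DN uses the default cn=Users container rather than an OU.

```apache
# Added example (httpd 2.4 syntax), not part of the original post.
# Assumed names: dc1.example.com, conf/ssl/corp-root-ca.pem, the
# "Web Users" group, apacheAccount and the ldap-bind-secret helper.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ssl_module         modules/mod_ssl.so

# Trust only the CA that issued the domain controllers' LDAPS certificates,
# and refuse to talk to a DC whose certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 conf/ssl/corp-root-ca.pem
LDAPVerifyServerCert On

<Location /ldap>
    # Browser leg: refuse (403) any request that did not arrive over HTTPS,
    # so Basic credentials are never accepted in cleartext.
    SSLRequireSSL

    AuthType Basic
    AuthName "Test Platform"
    AuthBasicProvider ldap

    # Directory leg: ldaps:// on 636 encrypts the search and the binds.
    # The filter restricts the search to user objects instead of matching
    # every object under the base, and the base is the default Users
    # container (cn=Users, a container, not an OU).
    AuthLDAPUrl "ldaps://dc1.example.com:636/cn=Users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"

    # Least-privilege bind account: it only needs to read user and group objects.
    AuthLDAPBindDN "cn=apacheAccount,cn=Users,dc=example,dc=com"
    # httpd 2.4.5+: fetch the bind password from a program's stdout instead
    # of storing it in httpd.conf (assumed helper path; adjust per platform).
    AuthLDAPBindPassword "exec:/usr/local/bin/ldap-bind-secret"

    # Require membership of one AD group rather than any valid account.
    # AD stores group membership as member DNs, which is what these two
    # directives tell mod_authnz_ldap to compare the user's DN against.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=Web Users,cn=Users,dc=example,dc=com
</Location>
```

In 2.4 the Order/Allow lines disappear: authorization is expressed entirely through Require, and with mod_authz_core a single Require ldap-group both demands a successful bind and restricts access to the group. LDAPTrustedGlobalCert is a server-level directive and must sit outside any Location or VirtualHost.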

Any questions?


* Transport Layer Security (TLS, the successor to SSL) will protect the conversation, but both sides must support it. There are two conversations to protect: the browser to the web server (HTTPS) and the web server to the domain controller (LDAP over TLS on port 636, or StartTLS on 389).
