Instead of building yet another authentication source for your web application, you should strive to use existing sources. Depending on your environment and your security requirements, an easily used source is your company's Active Directory domain. It can be used rather easily on Internet Information Services hosts in a trusting domain, it can authenticate Kerberos logins, and it can serve as an LDAP backend for servers that are not domain members.
If you are running an internal application in a predominantly Microsoft environment, an Active Directory domain is an excellent choice for an authentication source. You should take steps to prevent the exposure of usernames and passwords as they traverse the network (TLS on both the browser-to-Apache leg and the Apache-to-directory leg), but that is true of any authentication source. The following procedure describes configuring an Apache-based web server to use an existing Active Directory domain as the authentication source for HTTP Basic Authentication.
You'll need a clean path from the web server to the directory service. A clean path here means the web server can open a TCP session to a domain controller on port 389 (LDAP) or 636 (LDAP over TLS); check any firewalls or packet filters between the two end-points. You will also need an account in the authentication source in order to find
First, find the directory servers. Every Active Directory domain controller registers an LDAP SRV record in DNS; it has to, because clients locate domain controllers through those records and AD does not work without them. Querying the domain's DNS therefore gives you the complete list.
nslookup -q=srv _ldap._tcp.example.com
Now that you have a list of LDAP servers, configure Apache. Confirm that you have mod_auth_ldap compiled and available in your modules directory, then add the following lines to your Apache configuration. These lines are for httpd 2.0 on Windows; your specific installation may differ. mod_auth_ldap relies on the shared LDAP connection and cache module (ldap_module), so both must be loaded. In httpd 2.2 and later, mod_auth_ldap was replaced by mod_authnz_ldap (module name authnz_ldap_module, file mod_authnz_ldap.so), and the location block shown later additionally needs AuthBasicProvider ldap.
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule ldap_module modules/util_ldap.so
At this point you may want to test the configuration to confirm you didn't break anything. Note that this only checks the syntax of the configuration file; it does not contact the directory or verify that the bind account works.
apache -t
Syntax OK
<Location /ldap>
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
    AuthName "Test Platform"
    AuthType Basic
    # host:port, search base, attribute matched against the supplied
    # username, search scope, and filter. In a freshly built domain the
    # default account container is cn=Users (a container, not an OU);
    # point the base DN at wherever your user objects actually live.
    AuthLDAPUrl ldap://myDomainController.example.com:389/ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectclass=*)
    # Active Directory accepts an anonymous bind but lets it read almost
    # nothing, so the user search must be done as a real account. Give this
    # account no rights beyond reading user objects.
    AuthLDAPBindDN "cn=apacheAccount,ou=Users,dc=example,dc=com"
    # alternately, the NetBIOS logon name is also accepted as a bind identity
    #AuthLDAPBindDN "myDomain\apache"
    AuthLDAPBindPassword "aPassword"
    require valid-user
</Location>
Two points about this block. AllowOverride has been left out because it is only permitted inside <Directory> sections; inside <Location> it produces an "AllowOverride not allowed here" error from apache -t. And AuthLDAPBindPassword puts the service account's password in the configuration file in cleartext, so restrict read access to that file to the account Apache runs as and to administrators.
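To make the exchange behind that configuration concrete, here is an added Python example; it is not code from the page or from Apache, it is a stand-alone illustration of what an LDAP-backed Basic Authentication module has to do for every request. It parses an AuthLDAPUrl of the form used above (an RFC 2255 LDAP URL: host, port, base DN, attribute, scope, filter), builds the search filter with RFC 4515 escaping of the username the browser supplied, binds as the service account to find the user's DN, and then binds as that DN with the user's password. The domain controller is replaced by FAKE_DIRECTORY, an in-memory stand-in; its entries, account names and passwords are constructed for the example, and search scope is treated as subtree throughout.

```python
"""Search-then-bind, as an LDAP-backed HTTP Basic module does it.

Added example, not code from the page or from Apache. Parses an AuthLDAPUrl as
shown above (RFC 2255: host, port, base DN, attribute, scope, filter), builds
the per-request filter with RFC 4515 escaping of the browser-supplied username,
and runs both binds against a constructed in-memory stand-in for the DC.
"""
import re
from urllib.parse import unquote, urlsplit

AUTH_LDAP_URL = ("ldap://myDomainController.example.com:389/"
                 "ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectclass=*)")
BIND_DN, BIND_PW = "cn=apacheAccount,ou=Users,dc=example,dc=com", "aPassword"

# Constructed stand-in directory: DN -> attributes, plus the password the real
# DC would check on bind. Search scope is treated as subtree throughout.
FAKE_DIRECTORY = {
    BIND_DN: {"sAMAccountName": "apache", "objectClass": ["user"], "_password": BIND_PW},
    "cn=Alice Example,ou=Users,dc=example,dc=com":
        {"sAMAccountName": "alice", "objectClass": ["user"], "_password": "s3cret"},
    "cn=Bob Example,ou=Users,dc=example,dc=com":
        {"sAMAccountName": "bob", "objectClass": ["user"], "_password": "hunter2"},
}

def parse_auth_ldap_url(url):
    """Split an LDAP URL into its parts (defaults per RFC 2255; host is lower-cased)."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %s" % p.scheme)
    secure = p.scheme == "ldaps"
    attr, scope, flt = (p.query.split("?") + ["", "", ""])[:3]
    return {"host": p.hostname, "port": p.port or (636 if secure else 389),
            "secure": secure, "base": unquote(p.path.lstrip("/")),
            "attribute": attr or "uid", "scope": scope or "base",
            "filter": unquote(flt) or "(objectClass=*)"}

def escape_filter(value):
    """RFC 4515 escaping, so a username cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(cfg, username):
    """AND the configured filter with the attribute=username test."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter(username))

def _split_filters(s):
    """Split "(a)(b)" into ["(a)", "(b)"] by tracking parenthesis depth."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items

def match_filter(flt, entry):
    """Evaluate the RFC 4515 subset used here: &, |, !, equality and presence."""
    body = flt[1:-1]
    if body[0] in "&|":
        op = all if body[0] == "&" else any
        return op(match_filter(f, entry) for f in _split_filters(body[1:]))
    if body[0] == "!":
        return not match_filter(body[1:], entry)
    attr, _, value = body.partition("=")
    keys = [k for k in entry if k.lower() == attr.lower()]
    if not keys:
        return False
    if value == "*":                                   # presence test
        return True
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)),
                    value, flags=re.I).lower()        # undo escaping, then compare
    vals = entry[keys[0]]
    return any(v.lower() == wanted for v in (vals if isinstance(vals, list) else [vals]))

def ldap_search(directory, bind_dn, bind_pw, base, flt):
    """Bind as the service account, then list DNs under base that match flt."""
    acct = directory.get(bind_dn)
    if acct is None or acct["_password"] != bind_pw:
        raise PermissionError("bind failed for %s" % bind_dn)
    return [dn for dn in directory
            if dn.lower().endswith(base.lower()) and match_filter(flt, directory[dn])]

def authenticate(directory, cfg, bind_dn, bind_pw, username, password):
    """Return the user's DN on success, None on any failure."""
    # A simple bind with an empty password is an anonymous bind (RFC 4513,
    # 5.1.2) and a domain controller may accept it, so refuse before binding.
    if not password:
        return None
    # Step 1: search as the service account; exactly one hit is required.
    hits = ldap_search(directory, bind_dn, bind_pw, cfg["base"], build_filter(cfg, username))
    if len(hits) != 1:
        return None
    # Step 2: bind as the DN found, with the password the browser sent.
    return hits[0] if directory[hits[0]]["_password"] == password else None

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(AUTH_LDAP_URL)
    for user, pw in (("alice", "s3cret"), ("alice", "wrong"), ("*)(objectClass=*", "s3cret")):
        print(repr(user), "->", authenticate(FAKE_DIRECTORY, cfg, BIND_DN, BIND_PW, user, pw))
```

Running the script shows alice succeeding with the right password, failing with the wrong one, and the filter-injection attempt `*)(objectClass=*` failing because escaping turns it into a literal string that no sAMAccountName equals. The empty-password check matters against a real domain controller: LDAP defines a bind with a DN and no password as anonymous, so without that check a user who submits a valid username and a blank password can pass step 2.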
Transport Layer Security/Secure Sockets Layer will protect the conversation between Apache and the directory, but both sides must support it. On the Active Directory side, LDAP over TLS on port 636 is only offered once the domain controller has a server certificate installed. On the Apache side, the LDAP library the module was built against must include SSL support, the scheme and port in AuthLDAPUrl change to ldaps:// and 636, and the module must be told which certificate authority to trust (LDAPTrustedCA in httpd 2.0, LDAPTrustedGlobalCert in 2.2 and later). Until that is in place, the service account's password and every user's password cross the network in the clear on port 389. The same concern applies between the browser and Apache: Basic Authentication sends the username and password base64-encoded, not encrypted, with every request, so the protected location should only be reachable over HTTPS.