Authenticating Apache against an Active Directory with multiple top level OUs containing users
Wow that was a long title, but it is just what I have been dealing with recently. The first
solution, which is easy, is to use Kerberos; this works great unless you also want
authentication to fall back to a standard .htpasswd file. In that case you need
to use LDAP. Why? Because LDAP and File use the same AuthType of Basic, whereas
Kerberos uses an AuthType of Kerberos. Using LDAP and File authentication you can
use a config like this:
<Directory /var/www/html/private>
SSLRequireSSL
AuthName "Private"
AuthType Basic
# Providers are tried in order: the AD lookup first, then the local file
AuthBasicProvider ldap file
# File Auth
AuthUserFile /var/www/.htpasswd
# LDAP Auth: search the Users OU by sAMAccountName (plain ldap:// sends the bind credentials unencrypted)
AuthLDAPURL "ldap://ADServer.domain.co.uk/ou=Users,dc=domain,dc=co,dc=uk?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN User@Domain.co.uk
AuthLDAPBindPassword XXXXXXX
# Let authorization fall through to the other modules if LDAP cannot decide
AuthzLDAPAuthoritative off
Require valid-user
Satisfy any
</Directory>
This works unless your users are split over a number of OUs in the Active Directory. If that is the case, here is the way I got around it:
# One alias per OU: each is a complete mod_authnz_ldap provider with its own search base
<AuthnProviderAlias ldap ldap-group1>
AuthLDAPURL "ldap://ADServer.domain.co.uk/ou=Group-OU1,dc=domain,dc=co,dc=uk?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN User@Domain.co.uk
AuthLDAPBindPassword XXXXXXX
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-group2>
AuthLDAPURL "ldap://ADServer.domain.co.uk/ou=Group-OU2,dc=domain,dc=co,dc=uk?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN User@Domain.co.uk
AuthLDAPBindPassword XXXXXXX
</AuthnProviderAlias>
<Directory /var/www/html/private>
SSLRequireSSL
AuthName "Private"
AuthType Basic
# Each OU alias is tried in turn; the htpasswd file is the last fallback
AuthBasicProvider ldap-group1 ldap-group2 file
# File Auth
AuthUserFile /var/www/.htpasswd
AuthzLDAPAuthoritative off
Require valid-user
Satisfy any
</Directory>
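As an added example that is not part of the original post, the Python below parses the AuthLDAPURL form used above and replays the provider chain with the rule mod_auth_basic applies: only a provider that does not find the user hands off to the next one, so a wrong AD password never falls through to the htpasswd file. The directory and htpasswd contents are constructed stand-ins.

```python
from urllib.parse import unquote

NOT_FOUND, DENIED, GRANTED = "not_found", "denied", "granted"

def parse_auth_ldap_url(url):
    """Split 'scheme://host/basedn?attribute?scope?filter' into fields, filling module defaults."""
    scheme, _, rest = url.partition("://")
    host, _, rest = rest.partition("/")
    base, attr, scope, flt = (unquote(f) for f in (rest.split("?") + [""] * 3)[:4])
    return {"scheme": scheme, "host": host, "base": base,
            "attribute": attr or "uid", "scope": scope or "sub",
            "filter": flt or "(objectclass=*)",
            # plain ldap:// carries the bind DN password and user passwords in clear text
            "encrypted": scheme == "ldaps"}

# Constructed stand-in for the directory: each alias searches a different OU base.
DIRECTORY = {
    "ou=Group-OU1,dc=domain,dc=co,dc=uk": {"alice": "Pa55w0rd!"},
    "ou=Group-OU2,dc=domain,dc=co,dc=uk": {"bob": "hunter2"},
}
HTPASSWD = {"carol": "local-secret", "alice": "old-file-password"}  # constructed

def ldap_provider(url):
    """Provider bound to one AuthLDAPURL: search that base for the user, then try the bind."""
    users = DIRECTORY.get(parse_auth_ldap_url(url)["base"], {})
    def check(user, password):
        if user not in users:
            return NOT_FOUND  # no entry under this OU, so the next provider gets a turn
        return GRANTED if users[user] == password else DENIED
    return check

def file_provider(user, password):
    if user not in HTPASSWD:
        return NOT_FOUND
    return GRANTED if HTPASSWD[user] == password else DENIED

def authenticate(chain, user, password):
    """mod_auth_basic semantics: NOT_FOUND moves on, anything else ends the chain."""
    for name, check in chain:
        result = check(user, password)
        if result != NOT_FOUND:
            return name, result
    return None, NOT_FOUND

AD = "ldap://ADServer.domain.co.uk/"
CHAIN = [
    ("ldap-group1", ldap_provider(AD + "ou=Group-OU1,dc=domain,dc=co,dc=uk?sAMAccountName?sub?(objectClass=*)")),
    ("ldap-group2", ldap_provider(AD + "ou=Group-OU2,dc=domain,dc=co,dc=uk?sAMAccountName?sub?(objectClass=*)")),
    ("file", file_provider),
]
```

Note that alice, who exists both in Group-OU1 and in the htpasswd file, is denied outright when her AD password is wrong; the file entry is only reached for users no OU knows.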