LinuxSysAdmin

Things I don't want to look for twice..

Monthly Archives: June 2011

Apache 2.2 LDAPS authentication in Active Directory 2008

So, I’ve been trying the whole day to get this Apache 2.2 installation to authenticate into an Active Directory LDAP using secure connection. These will be Ubuntu settings, particulary for 10.04 LTS (probably works for every Debian, RedHat versions as well).

First, I exported the CA from my browser (IE9) using Internet Options > Content > Certificates > Trusted Root Certificate Authority and export the one from Active Directory (CA from Active Directory) and saved is as BASE64 file, because by default, OpenSSL can use this kind of file and not DER or whatever, and saved the file on the Linux server in /certs/cert.cer.

Second, edit the httpd.conf in /etc/apache2 to look like this:

 

#LDAPSharedCacheSize 500000

#LDAPCacheEntries 128

#LDAPCacheTTL 60

#LDAPOpCacheEntries 128

#LDAPOpCacheTTL 60

LDAPConnectionTimeout 10

LDAPTrustedMode SSL

LDAPVerifyServerCert on

LDAPTrustedGlobalCert  CA_BASE64 /certs/cert.cer

 

Thirds step is to add your LDAP configuration to your website using tag in /etc/apache2/sites-enabled/000-default or whatever path you have for your website, and add the following:

 

    AuthType Basic

    AuthName “AD Authentication”

    AuthBasicProvider ldap

    AuthzLDAPAuthoritative  Off

    AuthLDAPURL             “ldaps://xx.xx.xx:636/OU=testOU,DC=domain,DC=local?sAMAccountName?sub?(objectClass=user)”

    AuthLDAPBindDN          “CN=user,OU=Users,OU=testOU,DC=domain,DC=local”

    AuthLDAPBindPassword    passforuser

    AuthLDAPRemoteUserAttribute sAMAccountName

    Require valid-user

 

This implies that you have an AD running at IP xx.xx.xx.xx, has 636 port opened (LDAPS), there’s an user called “user” in the specified OU and has the DN specified at AuthLDAPBindDN, the password “passforuser” and AuthLDAPURL is the query Apache is doing to the Active Directory server. Instead of “Require valid-user” you can require different things, like ..specific user, specific group, etc. So, save the website file after doing this. And there’s one more step.

Fourth step, and the last before restarting apache, is to edit ldap.conf. Don’t know for sure where this file can be found on RedHat, but on Debian (and in my case, Ubuntu 10.04 LTS) can be found in /etc/ldap/ldap.conf. So, edit this file, ..of course, there are some commented options, but add this line:

 

TLS_REQCERT never

 

Restart apache, and that’s it.

Advertisements