Apache and Ldap: Difference between revisions
Latest revision as of 15:30, 10 December 2021
Apache and LDAP
This page shows how to authenticate users against Active Directory (AD) over LDAP. We're using:
- Apache 2.2.16
- Debian 6
- AD on Server2012
The first step is to create an AD user called apache-ldap. It does not need any special permissions; it is only used to read from LDAP.
- Install the LDAP client tools:
apt-get install ldap-utils
- Enable authnz_ldap in Apache (already installed with 2.2):
a2dismod authnz_ldap
a2enmod authnz_ldap
- Set some defaults in /etc/ldap/ldap.conf:
BASE dc=domain,dc=com
REFERRALS off
- Switch on the debug log in apache.conf:
LogLevel debug
Query LDAP
- Basic query:
ldapsearch -LLL -H ldap://intpdc.domain.com -x -D 'apache-ldap' -w 'xxxxx'
- Full query with no size limit (paged results), useful to pipe the entire catalogue to a file:
ldapsearch -LLL -E pr=1000/noprompt -x -H ldap://intpdc.domain.com -D 'apache-ldap' -w '******'
- Sample query to show all users. Note that AD does not have an OU=Users container; the default users container is the common name CN=Users:
ldapsearch -D "apache-ldap" -w xxxxxxxx -H ldap://intpdc.domain.com -b "CN=Users,DC=domain,DC=com"
- Sample query to show the user group called Male:
ldapsearch -D "apache-ldap" -w xxxxx -H ldap://intpdc.domain.com -b "CN=Male,CN=Users,DC=domain,DC=com" objectclass=*
HTACCESS
- Sample .htaccess:
AuthName "Top Secret Area"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?"
AuthLDAPBindDN "apache-ldap@domain.com"
AuthLDAPBindPassword ****
- Filter criteria, pick one or more:
# Filter for one or more usernames
Require ldap-user "Username"
# Filter for an existing mobile phone number where the department must be IT
Require ldap-filter &(mobile=*)(department=IT)
# Filter on an Exchange attribute
Require ldap-attribute extensionAttribute3=GroupPolicy-ITAdmin
# Assuming a user called stats within the group bookingstats at OU=IT
Require ldap-group CN=bookingstats,ou=IT,dc=domain,dc=com
- Links
See: http://stackoverflow.com/questions/1405011/ldap-directory-entry-in-net-not-working-with-ou-users
https://www.sit.auckland.ac.nz/LDAP_authentication_with_Apache_mod_authnz_ldap
http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
http://www.conigliaro.org/2008/12/31/active-directory-authentication-on-apache-with-mod_authnz_ldap/
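As an added example (not from the wiki page), the following Python models how the four Require rules listed under "Filter criteria" decide access, using the group lookup that the Files/Directory samples further down configure with AuthLDAPGroupAttribute member and AuthLDAPGroupAttributeIsDN On; mod_authnz_ldap does this server-side against the directory, whereas the user entry and groups here are constructed assumptions so it runs offline:

```python
"""Toy model of mod_authnz_ldap's Require ldap-user / ldap-attribute /
ldap-filter / ldap-group decisions. Added example; entries are constructed."""
import re

# Constructed entries shaped like the AD objects the page queries (assumed values).
USER_DN = "CN=stats,CN=Users,DC=domain,DC=com"
USER = {"sAMAccountName": "stats", "mobile": "+4712345678", "department": "IT",
        "extensionAttribute3": "GroupPolicy-ITAdmin"}
GROUPS = {  # keyed by lower-cased DN; 'member' holds member DNs (GroupAttributeIsDN On)
    "cn=bookingstats,ou=it,dc=domain,dc=com": {"member": [USER_DN]},
    "cn=statistics,ou=external,dc=domain,dc=com": {"member": []},
}

def _match(entry, attr, value):
    """One (attr=value) assertion; '*' is a presence test. AD matching is case-insensitive."""
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    vals = vals if isinstance(vals, list) else [vals]
    return bool(vals) if value == "*" else value.lower() in (v.lower() for v in vals)

def ldap_filter(entry, expr):
    """Evaluate the filter subset used on the page: (a=v), (a=*) and &(...)(...)."""
    expr = expr.strip()
    if expr.startswith("&"):  # conjunction: every parenthesised term must hold
        return all(ldap_filter(entry, p) for p in re.findall(r"\([^()]*\)", expr))
    attr, _, value = expr.strip("()").partition("=")
    return _match(entry, attr, value)

def require(rule, user_dn=USER_DN, user=USER, groups=GROUPS):
    """Return True if the user satisfies one 'Require ldap-...' line."""
    kind, _, arg = rule.strip().partition(" ")
    if kind == "ldap-user":       # list of names in the URL's attribute (sAMAccountName)
        return user["sAMAccountName"] in [a.strip('"') for a in arg.split()]
    if kind == "ldap-attribute":  # attribute=value on the authenticated user's entry
        attr, _, value = arg.partition("=")
        return _match(user, attr, value)
    if kind == "ldap-filter":     # LDAP filter evaluated on the user's entry
        return ldap_filter(user, arg)
    if kind == "ldap-group":      # user DN must appear in the group's member attribute
        members = groups.get(arg.strip().lower(), {}).get("member", [])
        return user_dn.lower() in (m.lower() for m in members)
    raise ValueError(f"unsupported rule: {kind}")

if __name__ == "__main__":
    for rule in ('ldap-user "Username"', "ldap-filter &(mobile=*)(department=IT)",
                 "ldap-attribute extensionAttribute3=GroupPolicy-ITAdmin",
                 "ldap-group CN=bookingstats,ou=IT,dc=domain,dc=com"):
        print("allow" if require(rule) else "deny ", "Require", rule)
```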
Set up the internal Exchange attribute
Edit Exchange attribute number 4 (extensionAttribute4) and enter STATUSER:
(Screenshot: Ads-ldap02.png)
Apache config sample for bookingstats.intern
We use the Exchange attribute as the primary authentication and the OU External as the second authentication.
This follows the approach described in "Apache authentication from multiple domains in AD with mod_authn_alias" (see the links at the end).
- /etc/apache2/sites-available/bookingstats
<AuthnProviderAlias ldap first-ldap>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?"
    AuthLDAPBindDN "apache-ldap@domain.com"
    AuthLDAPBindPassword xxxxx
    Require ldap-attribute extensionAttribute4=STATUSER
    AuthType Basic
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthUserFile /dev/null
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative Off
    AuthLDAPURL "ldap://pdc.domain.com/ou=External,dc=domain,dc=com?sAMAccountName?sub?"
    AuthLDAPBindDN "apache-ldap@domain.com"
    AuthLDAPBindPassword xxxxx
    Require ldap-group CN=statistics,ou=External,dc=domain,dc=com
</AuthnProviderAlias>

<Directory "/usr/local/www/bookingstats/cgi-bin/">
    Options IncludesNoExec
    Allow from 10.0.1 192.168
    Order allow,deny
    Allow from all
    AddHandler cgi-script .cgi .pl
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    AuthName "Use your Windows account"
    AuthType Basic
    AuthBasicProvider first-ldap second-ldap
    AuthzLDAPAuthoritative off
    Require valid-user
</Directory>

<VirtualHost *:80>
    ServerAdmin root@domain.com
    ServerName bookingstats.intern
    DocumentRoot /usr/local/www/bookingstats/cgi-bin/
    # Reroute to frame
    DirectoryIndex frame.pl /frame.pl
    ErrorLog /var/log/apache2/bookingstats.error
    LogLevel info
    CustomLog /var/log/apache2/bookingstats.access combined
    Redirect /index.html http://bookingstats.intern/cgi-bin/start.pl
</VirtualHost>
Apache config sample for statistics.domain.com
<AuthnProviderAlias ldap first-ldap>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?"
    AuthLDAPBindDN "apache-ldap@domain.com"
    AuthLDAPBindPassword xxxx
    Require ldap-attribute extensionAttribute4=STATUSER
    AuthType Basic
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthUserFile /dev/null
</AuthnProviderAlias>

<AuthnProviderAlias ldap second-ldap>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://pdc.domain.com/ou=External,dc=domain,dc=com?sAMAccountName?sub?"
    AuthLDAPBindDN "apache-ldap@domain.com"
    AuthLDAPBindPassword xxxxx
    Require ldap-group CN=statistics,ou=External,dc=domain,dc=com
</AuthnProviderAlias>

<Directory "/ftpweb/web/statistics.domain.com/cgi-bin/">
    Options ExecCGI
    DirectoryIndex frame.pl
    Options IncludesNoExec
    #AuthType Basic
    Order allow,deny
    Allow from all
    AddHandler cgi-script .cgi .pl
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    AuthName "Statistic Area"
    AuthType Basic
    AuthBasicProvider second-ldap first-ldap
    AuthzLDAPAuthoritative off
    Require valid-user
</Directory>

<VirtualHost *:80>
    ServerName statistics.domain.com
    Redirect permanent / https://statistics.domain.com/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/apache2/ssl/statistics.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/statistics.domain.com.key
    SSLEngine on
    ServerAdmin admin@domain.com
    ServerName statistics.domain.com
    DocumentRoot /ftpweb/web/statistics.domain.com/cgi-bin
    ErrorLog /var/log/apache2/statistics.domain.com.error
    CustomLog /var/log/apache2/statistics.domain.com.access combined
    DirectoryIndex frame.pl /frame.pl
    SSLHonorCipherOrder On
    SSLProtocol +ALL -SSLv3 -SSLv2
    SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
</VirtualHost>
Using an AD group within Directory, Location or Files
Sample using the AD group MYGROUP within a Files context:
<Files "manage.pl">
    AuthName "Use your Windows account to login"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@domain.com"
    AuthLDAPBindPassword xxxx
    Require ldap-group cn=MYGROUP,cn=Users,dc=domain,dc=com
</Files>
Sample using the AD group MYGROUP within a Directory context:
<Directory "/usr/local/www/testcode.internxx">
    Options Indexes MultiViews ExecCGI
    DirectoryIndex index.htm
    Order allow,deny
    Allow from all
    AddHandler cgi-script .cgi .pl .htm
    AuthName "Use your Windows account to login"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL "ldap://pdc.domain.com/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "apache-ldap@domain.com"
    AuthLDAPBindPassword xxxx
    Require ldap-group cn=MYGROUP,cn=Users,dc=domain,dc=com
</Directory>
Caching
Caching is enabled by default. To see the cache statistics, add the following location:
<Location /server/cache-info>
    SetHandler ldap-status
</Location>
To disable caching, add to e.g. apache.conf:
LDAPOpCacheEntries 0
See: https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
Links:
http://serverfault.com/questions/312281/apache-authentication-from-multiple-domains-in-ad-with-mod-authn-alias
http://serverfault.com/questions/140858/authenticating-apache-httpd-against-multiple-ldap-servers-with-expired-accounts