- 06-17-2008 #1Just Joined!
- Join Date
- Jun 2008
- Location
- 127.0.0.1
- Posts
- 7
Apache and LDAP authentication
Hello,
I've been trying to get Apache and Active Directory authentication working properly. My understanding is that I need to have mod_auth_ldap compiled in Apache. That said, I'm still baffled why I'm unable to get it running.
That said, I have the following specs:
RHEL4U4 - 2.6.9-42.ELsmp
httpd -v 2.0.52
mod_auth_ldap
I was following a cook book to see if I can get it working: Security - Active Directory Security Groups for Apache Authorization
My question to you is:
Has anyone gotten AD authentication working with Apache?
I mean really really working
I can search for cook books all day long, unfortunately nearly all of them use the same reiterated content.
If you have anything that might help me out would be appreciated. I can provide more details on the confs, etc. when needed.
Thanks!
- 06-17-2008 #2
yes
really really yes
Quote: I mean really really working
I can search for cook books all day long, unfortunately nearly all of them use the same reiterated content.

I use debian and installed apache and apache ldap modules using debian binaries, so I can't really help much with compiling. but if you post your configure script and maybe an apache config file I might be able to get you going.
Quote: If you have anything that might help me out would be appreciated. I can provide more details on the confs, etc. when needed.
Thanks!

I personally dislike breaking the distro package manager unless it's absolutely necessary. that being said I know you can install an apache binary on redhat (yum install apache), and I just found this module RPM resource mod_authz_ldap
in my setup I have different virtual hosts on the same server, some using different ldap (AD) setups and some not using any authentication at all. give me some more info and lets see if we can get you going.
- 06-17-2008 #3Just Joined!
- Join Date
- Jun 2008
- Location
- 127.0.0.1
- Posts
- 7
Alright, here is what I have for the repos.conf under conf.d:
Code:
<VirtualHost *:80>
    ServerName svn.domain.com
    ServerAlias svn svn.hq subversion
    SetOutputFilter DEFLATE
    DocumentRoot /var/www/html/
    ErrorLog logs/svn.hq.domain.com.error
    CustomLog logs/svn.hq.domain.com common
    <Location "/">
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Domain User Required:"
        AuthLDAPURL "ldap://corp.domain.com:389/DC=corp,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=unixldap,CN=Special Accounts,CN=IK-Accounts,DC=corp,DC=domain,DC=com"
        AuthLDAPBindPassword "blah"
        require valid-user
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            require ldap-group CN=Special Security Groups,CN=SW SVN,DC=corp,DC=domain,DC=com
        </LimitExcept>
    </Location>
</VirtualHost>
Apache server modules:
Server Settings, mod_cgi.c, mod_mem_cache.c, mod_file_cache.c, mod_disk_cache.c, mod_suexec.c, mod_cache.c, proxy_connect.c, proxy_http.c, proxy_ftp.c, mod_proxy.c, mod_rewrite.c, mod_alias.c, mod_userdir.c, mod_speling.c, mod_actions.c, mod_imap.c, mod_dir.c, mod_negotiation.c, mod_vhost_alias.c, mod_dav_fs.c, mod_info.c, mod_asis.c, mod_autoindex.c, mod_status.c, mod_dav.c, mod_mime.c, mod_setenvif.c, mod_usertrack.c, mod_headers.c, mod_deflate.c, mod_expires.c, mod_cern_meta.c, mod_mime_magic.c, mod_env.c, mod_log_config.c, mod_include.c, mod_auth_ldap.c, util_ldap.c, mod_auth_digest.c, mod_auth_dbm.c, mod_auth_anon.c, mod_auth.c, mod_access.c, mod_so.c, http_core.c, prefork.c, core.c
I receive an error when I try to start HTTPD:
Invalid command 'AuthBasicProvider', perhaps mis-spelled or defined by a module not included in the server configuration
My understanding is that 'AuthBasicProvider' is part of some other module, not sure which.
I haven't queried ldap just yet. However, I've set up LDAP authentication for users before, and that works, so the likelihood of this being on layer 2 is low.
- 06-18-2008 #4
here is one of my virtual hosts
Code:
<Location />
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthName "The Biltmore Company"
    AuthLDAPURL "ldap://myserver.my.domain.com/ou=it,ou=departments,dc=my,dc=domain,dc=com?sAMAccountName"
    AuthLDAPBindDN "myusername@my.domain.com"
    AuthLDAPBindPassword "mypassword"
    require valid-user
</location>
and then here are the modules apache is currently loading
Code:
alias.load -> ../mods-available/alias.load
auth_basic.load -> ../mods-available/auth_basic.load
authn_file.load -> ../mods-available/authn_file.load
authnz_ldap.load -> /etc/apache2/mods-available/authnz_ldap.load
authz_default.load -> ../mods-available/authz_default.load
authz_groupfile.load -> ../mods-available/authz_groupfile.load
authz_host.load -> ../mods-available/authz_host.load
authz_user.load -> ../mods-available/authz_user.load
autoindex.load -> ../mods-available/autoindex.load
cgi.load -> ../mods-available/cgi.load
dir.conf -> ../mods-available/dir.conf
dir.load -> ../mods-available/dir.load
env.load -> ../mods-available/env.load
headers.load -> /etc/apache2/mods-available/headers.load
ldap.load -> /etc/apache2/mods-available/ldap.load
mime.load -> ../mods-available/mime.load
negotiation.load -> ../mods-available/negotiation.load
php5.conf -> ../mods-available/php5.conf
php5.load -> ../mods-available/php5.load
proxy.conf -> /etc/apache2/mods-available/proxy.conf
proxy_html.load -> ../mods-available/proxy_html.load
proxy_http.load -> /etc/apache2/mods-available/proxy_http.load
proxy.load -> /etc/apache2/mods-available/proxy.load
rewrite.load -> ../mods-available/rewrite.load
setenvif.load -> ../mods-available/setenvif.load
ssl.conf -> ../mods-available/ssl.conf
ssl.load -> ../mods-available/ssl.load
status.load -> ../mods-available/status.load
from mine to yours I notice you don't have an auth_basic module, probably why you are getting the error. I have also heard from other sources that something is wrong with my domain causing me to use username@my.domain, so your method using the full dn of the user is probably correct. but if you get the basic provider error worked out and can't authenticate then try username@my.domain.com
report back with troubles
- 06-18-2008 #5Just Joined!
- Join Date
- Jun 2008
- Location
- 127.0.0.1
- Posts
- 7
Thanks for replying. I'm curious, what Apache version are you running? 2.2.x? It seems when I look up information on mod_auth_basic, it refers to Apache versions 2.1 and above.
Seeing that I'm running 2.0.59, I think I might have stumbled on the issue. Agreed?
- 06-18-2008 #6
- 06-19-2008 #7Just Joined!
- Join Date
- Jun 2008
- Location
- 127.0.0.1
- Posts
- 7
Thanks, for some reason 2.0.59 just doesn't compile with mod_auth_basic. So, I compiled 2.2.9 but now I have problems getting mod_authz_ldap to compile.
I'll have to post a new thread for that.
Thanks for your help though.


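The mismatch the thread converges on (2.2-style directives loaded into a 2.0 server that only has mod_auth_ldap) can be caught before restarting httpd. The following is an added example, not code from any poster: `PROVIDERS`, `parse_modules` and `lint` are hypothetical names, and the sample config and module listing are cut down from post #3. It goes one step past the thread's error and also flags an `ldap://` URL with no SSL/TLS/STARTTLS mode, as in the posted `NONE`.

```python
import re
import shlex

# Directive -> modules that implement it. mod_auth_ldap is the Apache 2.0
# module; mod_auth_basic and mod_authnz_ldap exist only from 2.1/2.2 on.
PROVIDERS = {
    "authbasicprovider": {"mod_auth_basic"},
    "authzldapauthoritative": {"mod_authnz_ldap"},
    "authldapauthoritative": {"mod_auth_ldap"},
    "authldapurl": {"mod_auth_ldap", "mod_authnz_ldap"},
    "authldapbinddn": {"mod_auth_ldap", "mod_authnz_ldap"},
}

def parse_modules(listing):
    """Names from an `httpd -l` style listing: 'mod_auth_ldap.c' -> 'mod_auth_ldap'."""
    return set(re.findall(r"\b(mod_\w+)\.c\b", listing))

def lint(conf, modules):
    """Return (line_number, message) for directives the loaded modules cannot serve."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":      # skip blanks, comments, section tags
            continue
        name, _, rest = line.partition(" ")
        key, args = name.lower(), shlex.split(rest)
        needed = PROVIDERS.get(key)
        if needed and not needed & modules:
            findings.append((n, f"{name}: provided by {sorted(needed)}, not loaded"))
        if key == "require" and args and args[0].lower().startswith("ldap-") \
                and "mod_authnz_ldap" not in modules:
            findings.append((n, f"require {args[0]}: mod_authnz_ldap (2.2) syntax; "
                                "mod_auth_ldap uses 'require group/user/dn'"))
        if key == "authldapurl" and args and args[0].lower().startswith("ldap://") \
                and (args[1:2] or ["NONE"])[0].upper() not in ("SSL", "TLS", "STARTTLS"):
            findings.append((n, "AuthLDAPURL: ldap:// with no SSL/TLS/STARTTLS mode, "
                                "bind and user passwords cross the network in cleartext"))
    return findings

# Constructed sample: directives and modules excerpted from post #3.
CONF = """\
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://corp.domain.com:389/DC=corp,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
require valid-user
require ldap-group CN=Special Security Groups,CN=SW SVN,DC=corp,DC=domain,DC=com
"""
MODULES_20 = "mod_auth_ldap.c, util_ldap.c, mod_auth.c, mod_access.c, mod_so.c"
for n, msg in lint(CONF, parse_modules(MODULES_20)):
    print(n, msg)
```

Against a 2.2 module set only the cleartext finding remains; that one applies to both posted configurations, since each binds over plain `ldap://`.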

