Instead of building yet another authentication source for your web application, you should strive to make use of existing sources. Depending on your environment and your security requirements, an easily used source is your company's Active Directory domain. It can be used rather easily on Internet Information Services hosts in a trusting domain, and it can serve non-Microsoft hosts too: Active Directory can authenticate Kerberos logins, or act as an LDAP backend.
Here's how to use Active Directory with Apache's mod_auth_ldap.
If you are running an internal application in a predominantly Microsoft environment, an Active Directory domain is an excellent choice for an authentication source. You should take steps* to prevent the exposure of usernames and passwords as they traverse the network, but that is true of any authentication source. The following procedure describes configuring an Apache-based web server to use an existing Microsoft Active Directory domain as the authentication source for HTTP Basic Authentication.
You'll need a clean path from the web server to the directory service. A clean path in this instance means being able to establish a TCP/IP session between the two end-points on port 389 (LDAP) or 636 (LDAP over SSL/TLS). You will also need an account in the authentication source in order to look up distinguishedNames, because Active Directory does not allow anonymous searches by default.
First, find the directory servers. All Active Directory LDAP servers are listed in DNS as SRV records; they have to be, or AD clients could not locate a domain controller. Query the SRV record for your domain:
nslookup -q=srv _ldap._tcp.example.com
Now that you have a list of LDAP servers, configure Apache. Confirm that you have mod_ldap and mod_auth_ldap compiled and available in your modules directory, then add the following lines to your Apache configuration. These lines are for httpd 2.0 on Windows; your specific installation may differ. (From httpd 2.2 onward, mod_auth_ldap was replaced by mod_authnz_ldap, loaded as authnz_ldap_module from modules/mod_authnz_ldap.so; the AuthLDAPUrl, AuthLDAPBindDN and AuthLDAPBindPassword directives used below keep the same meaning there.)

LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule ldap_module modules/util_ldap.so
At this point you may want to test the configuration to confirm you didn't break anything:

apache -t
Syntax OK
Now, let's protect a test location. Please reference the Apache documentation for authentication, mod_ldap, and mod_auth_ldap if you would like to understand the specific directives.

<Location /ldap>
    Options Indexes FollowSymLinks
    # AllowOverride is valid only in <Directory> sections; inside <Location>
    # it makes "apache -t" fail, so it is not used here.
    order allow,deny
    allow from all
    AuthName "Test Platform"
    AuthType Basic
    AuthLDAPUrl ldap://myDomainController.example.com:389/ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectclass=*)
    # need this account and setting because Active Directory
    # does not allow anonymous binding by default
    AuthLDAPBindDN "cn=apacheAccount,ou=Users,dc=example,dc=com"
    # alternately, you can use the NetBIOS logon name
    #AuthLDAPBindDN "myDomain\apache"
    AuthLDAPBindPassword "aPassword"
    require valid-user
</Location>

Two practical notes on the URL and the bind account. In a domain that has not been reorganised, the built-in Users container is a container object, not an organizational unit, so its DN is cn=Users,dc=example,dc=com rather than ou=Users,...; adjust the base DN to wherever your user objects actually live. If you search from the domain root (dc=example,dc=com) on port 389, Active Directory returns referrals for its application partitions, which can slow or break lookups; searching the Global Catalog on port 3268 (or 3269 for SSL) avoids this. Finally, the bind password is stored in clear text in httpd.conf, so restrict read access to that file to the web server's service account and administrators, and make apacheAccount an ordinary unprivileged user that can do nothing but read the directory.
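To make the sequence behind that configuration concrete, here is an added example, not code from the original post or from the Apache project, that models what an LDAP authentication module does for each request: decode the HTTP Basic header, bind as the service account, search the base DN for the one entry whose sAMAccountName equals the login name (with the name escaped so it cannot rewrite the filter), then bind as the found DN with the user's password. The directory entries, passwords and the helper names (parse_auth_ldap_url, search_user_dn, simple_bind, authenticate) are constructed for the example; the AuthLDAPUrl is the one from the page.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample entries standing in for the ou=Users OU of the page's
# example domain (not real data).
DIRECTORY = [
    {"dn": "cn=Alice Example,ou=Users,dc=example,dc=com",
     "sAMAccountName": "alice", "password": "correct horse"},
    {"dn": "cn=apacheAccount,ou=Users,dc=example,dc=com",
     "sAMAccountName": "apache", "password": "aPassword"},
    # Lives outside the search base, so the web server must never find it.
    {"dn": "cn=Bob,ou=Contractors,dc=example,dc=com",
     "sAMAccountName": "bob", "password": "hunter2"},
]

AUTH_LDAP_URL = ("ldap://myDomainController.example.com:389/"
                 "ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectclass=*)")


def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl into host, port, base DN, attribute, scope and filter.
    Missing parts take the documented defaults: uid, sub, (objectclass=*)."""
    u = urlsplit(url)
    attr, scope, flt = (u.query.split("?") + ["", "", ""])[:3]
    return {
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base": u.path.lstrip("/"),
        "attr": attr or "uid",
        "scope": scope or "sub",
        "filter": flt or "(objectclass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter. Without it a
    login name such as  x)(sAMAccountName=*  would rewrite the filter itself."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def search_user_dn(cfg, username):
    """Step 1: as the AuthLDAPBindDN service account, search the base for the
    single entry whose attribute equals the login name. Returns (filter, dn)."""
    flt = "(&%s(%s=%s))" % (cfg["filter"], cfg["attr"], escape_filter_value(username))
    # The page's URL filter is a presence test every entry satisfies, so the
    # in-memory match only needs the scope test and the name test (AD treats
    # sAMAccountName case-insensitively, hence lower()).
    hits = [e for e in DIRECTORY
            if e["dn"].lower().endswith("," + cfg["base"].lower())
            and e.get(cfg["attr"], "").lower() == username.lower()]
    return flt, (hits[0]["dn"] if len(hits) == 1 else None)


def simple_bind(dn, password):
    """Step 2: bind as the found DN with the browser-supplied password.
    RFC 4513 lets a server accept a DN with an EMPTY password as an
    unauthenticated bind, so an empty password must be refused here rather
    than forwarded to the directory, or any known login name would get in."""
    if not password:
        return False
    entry = next((e for e in DIRECTORY if e["dn"].lower() == dn.lower()), None)
    return entry is not None and entry["password"] == password


def basic_header(user, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(url, authorization):
    """Whole flow for one request. Returns (accepted, dn_or_reason)."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return False, "not HTTP Basic"
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    cfg = parse_auth_ldap_url(url)
    flt, dn = search_user_dn(cfg, user)
    if dn is None:
        return False, "no unique match for " + flt
    if not simple_bind(dn, password):
        return False, "bind failed for " + dn
    return True, dn


if __name__ == "__main__":
    for user, pwd in [("alice", "correct horse"), ("ALICE", "nope"), ("alice", ""),
                      ("bob", "hunter2"), ("*", "x"), ("alice)(sAMAccountName=*", "x")]:
        print(repr(user), repr(pwd), "->", authenticate(AUTH_LDAP_URL, basic_header(user, pwd)))
```

Run it and note three of the outcomes: "bob" is a valid domain account but sits outside the ou=Users base, so the search never sees him; "*" and the filter-injection string are escaped and match nothing; and "alice" with an empty password is rejected before any bind is attempted. The base64 decode at the top is also a reminder that HTTP Basic only encodes the credentials; it does not protect them, which is why the footnote below matters.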
Any questions?
* Transport Layer Security/Secure Sockets Layer will protect the conversation, but both sides must support it, and there are two conversations to protect: the browser-to-Apache leg, where HTTP Basic Authentication merely base64-encodes the username and password (use HTTPS), and the Apache-to-domain-controller leg, where a simple bind on port 389 sends the password in the clear (use LDAP over SSL on port 636 in AuthLDAPUrl, with the CA certificate configured for mod_ldap).
Interesting tip; I hadn't thought about this for some reason. Can't wait to give it a shot on Monday...