How to configure Apache with LDAP Authentication

Posted on | Edited on | In | Comments:

Abstract: This article introduce how to configure the Apache to use LDAP authentication for the website access.

Ref:http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

Install Module

Apache should be installed 

1
sudo yum install httpd mod_ssl

Install the LDAP module

1
2
sudo yum install mod_ldap -y
sudo yum install mod_authnz_ldap -y

After finishing the installation, you will find the corresponding *.so file in the apache directory.

1
2
3
[dm@devops ~]$ ls /etc/httpd/modules/ | grep ldap
mod_authnz_ldap.so
mod_ldap.so

Configuration

we just give the simplest way to configure the LDAP authentication for the welcome configuration.

after starting the httpd, you will access the website on the server by visiting the IP address directly.

the default of welcome.conf under the /etc/httpd/conf.d the directory is as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# 
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL.  To disable the
# Welcome page, comment out all the lines below. 
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
    AllowOverride None
    Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif

Now we add some configuration for the Directory, we suppose the LDAP server is AD Server, which will be use the AuthLDAPURL ldap://{AD-Hostname/IP}:389/cn=Users,dc={your Domain DN}?sAMAccountName?sub?(objectClass=*) send bind request.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# 
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL.  To disable the
# Welcome page, comment out all the lines below. 
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /.noindex.html
</LocationMatch>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks

    AllowOverride None
    Require valid-user
    AuthName "AD authentication"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL ldap://[IP or Domain]:389/[Base DN]?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN [Admin DN]
    AuthLDAPBindPassword [Admin password]
</Directory>

<Directory /usr/share/httpd/noindex>
    AllowOverride None
    Require all granted
</Directory>

Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif

Then we need to restart the httpd and try to access the website. 

1
2
3
sudo systemctl restart httpd
# check the log
tail /etc/httpd/logs/error_log -f

we will see some dialog pop up and we need to input the AD server sAMAccountName and password. If input is right, we will see the previous welcome page. Or we will get 401 Unauthorized page.

Disable the LDAP authentication cache

when debug, we want every time we need send LDAP request to server. So we’d better disable the LDAP cache.

1
2
3
4
5
LDAPSharedCacheSize 500000
LDAPCacheEntries -1
LDAPCacheTTL -1
LDAPOpCacheEntries -1
LDAPOpCacheTTL -1

Add this configuration outside (Top level or in the root configuration file) and restart the httpd, then the

Capture LDAP traffic by tShark

1
sudo tshark -i ens192 -f "tcp port 389" -Y ldap -O ldap

The short introduction for the usage:

-i specific the network adapter interface

-f filter the tcp port of LDAP default 389
-Y ldap display filter for LDAP
-O ldap output LDAP protocol only

https://www.wireshark.org/docs/wsug_html_chunked/AppToolstshark.html