Setting Up LDAP Authenticated Directory in Apache HTTPD 🌱

In this quick video, learn how to set up LDAP/Active Directory authentication on an Apache web server to secure web-based applications.

Active Directory Setup

  1. Open Active Directory Users and Computers
  2. Expand the domain > Users
  3. Right Click Users > New > User
  4. Create a read only account to use for LDAP binding
    First Name: Read
    Last Name: Only
    User logon name: readonly_svc
  5. Click Next
  6. Set the user's password and confirm it
  7. Uncheck User must change password on next logon
  8. Check User cannot change password
  9. Check Password never expires
  10. Click Next
  11. Click Finish
  12. Right Click Users > New > Group
  13. Give the group a name and click OK
  14. Right Click the newly created group > Properties
  15. Select the Members tab > Click Add...
  16. Add users that will be allowed access to the web application
  17. Click OK
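The same objects the GUI steps above create can be made from PowerShell with the ActiveDirectory module (RSAT). This is an added example, not part of the original tutorial: the domain, service account name and group name are taken from the tutorial's httpd.conf, while the member list is a constructed placeholder.

```powershell
# Added example (not from the original tutorial): create the read-only bind account
# and the access group with the ActiveDirectory module instead of the GUI wizard.
# Domain, account and group names come from the tutorial; $Members is a placeholder.
Import-Module ActiveDirectory

$Domain     = 'i12bretro.local'
$UsersOu    = 'CN=Users,DC=i12bretro,DC=local'
$SvcAccount = 'readonly_svc'
$GroupName  = 'WebAuthAccess'
$Members    = @('jdoe', 'asmith')   # constructed placeholders: users allowed into the web app

# Prompt for the password rather than embedding it in the script
$SvcPassword = Read-Host -Prompt "Password for $SvcAccount" -AsSecureString

# Steps 3-11: the read-only bind account. The three wizard checkboxes map to
# -ChangePasswordAtLogon $false, -CannotChangePassword $true and -PasswordNeverExpires $true.
New-ADUser -Name 'Read Only' -GivenName 'Read' -Surname 'Only' `
    -SamAccountName $SvcAccount -UserPrincipalName "$SvcAccount@$Domain" `
    -Path $UsersOu -AccountPassword $SvcPassword -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true

# Steps 12-13: the security group that gates access to the web application
New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $UsersOu `
    -GroupScope Global -GroupCategory Security

# Steps 14-17: populate the group
Add-ADGroupMember -Identity $GroupName -Members $Members

# Show the group's full DN (the value httpd.conf will reference in Require ldap-group)
# and the members that will be allowed through the authentication prompt
Get-ADGroup -Identity $GroupName | Select-Object DistinguishedName
Get-ADGroupMember -Identity $GroupName | Select-Object SamAccountName, distinguishedName
```

Prompting for the password keeps it out of the script; the same password still ends up in httpd.conf as AuthLDAPBindPassword, so the account is deliberately an unprivileged read-only one and read access to httpd.conf should be limited to the Apache service and administrators.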

Configuring Apache HTTPD for LDAP

  1. Navigate to the conf folder inside the Apache install directory in Explorer
  2. Edit httpd.conf in a text editor
  3. Find the authnz_ldap_module and make sure it is enabled by removing the # at the start of the line

    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

  4. Find the ldap_module and make sure it is enabled by removing the # at the start of the line

    LoadModule ldap_module modules/mod_ldap.so

  5. Create a Location block to enable LDAP authentication for the specified directory

    <Location /ldaptest>
    # Basic authentication with LDAP against MS AD
    AuthType Basic
    AuthBasicProvider ldap

    # AuthLDAPURL specifies the LDAP server, port, base DN, search attribute, scope and filter
    # using this format: ldap://host:port/basedn?attribute?scope?filter
    # The trailing connection type NONE means plain LDAP on port 389; SSL (ldaps://host:636)
    # or TLS (STARTTLS) would encrypt the bind credentials and user passwords in transit
    AuthLDAPURL "ldap://i12bretro.local:389/DC=i12bretro,DC=local?sAMAccountName?sub?(objectClass=user)" NONE

    # The LDAP bind username and password (the read-only account created above);
    # stored in cleartext, so limit read access to httpd.conf
    AuthLDAPBindDN "readonly_svc@i12bretro.local"
    AuthLDAPBindPassword "Read0nly!!"
    # AD returns referrals for other naming contexts; chasing them slows down or breaks lookups
    LDAPReferrals Off
    # Not consulted when the provider is ldap; kept so no local password file is ever used
    AuthUserFile /dev/null

    AuthName "Restricted Area [i12bretro.local]"
    # to authenticate a domain group, specify the full DN
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=WebAuthAccess,CN=Users,DC=i12bretro,DC=local
    </Location>

  6. Save httpd.conf
  7. Restart the Apache service
  8. Open a browser and navigate to the LDAP authenticated URL
  9. An authentication prompt should appear, allowing access only to users in the specified AD group
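Before restarting Apache it helps to reproduce, outside the web server, the three operations mod_authnz_ldap performs with this configuration: a simple bind as the read-only account, a subtree search for the user by sAMAccountName, and a check that the group's member attribute lists the user's full DN (which is what AuthLDAPGroupAttributeIsDN on requires). The script below is an added example, not part of the original tutorial; it uses the .NET System.DirectoryServices.Protocols classes rather than any Apache tooling, takes the host, base DN, bind account and group DN from the tutorial's httpd.conf, and uses the constructed placeholder user jdoe.

```powershell
# Added example (not from the original tutorial): replay the bind, user search and
# group lookup that the /ldaptest Location block makes Apache perform, so a failing
# bind DN, password, base DN or group DN shows up here instead of as a 401/500 in the browser.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost = 'i12bretro.local'                               # from AuthLDAPURL
$BaseDn   = 'DC=i12bretro,DC=local'                         # from AuthLDAPURL
$BindDn   = 'readonly_svc@i12bretro.local'                  # from AuthLDAPBindDN
$GroupDn  = 'CN=WebAuthAccess,CN=Users,DC=i12bretro,DC=local' # from Require ldap-group
$TestUser = 'jdoe'                                          # constructed placeholder

$BindPassword = Read-Host -Prompt "Password for $BindDn" -AsSecureString
$cred = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)

# 1. Simple bind over plain LDAP on 389, exactly as AuthLDAPURL ... NONE makes Apache do
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.ReferralChasing = 'None'   # mirrors LDAPReferrals Off
try {
    $conn.Bind()
    Write-Host "Bind as $BindDn succeeded"

    # 2. Search the base DN with scope sub for the user, combining the tutorial's
    #    filter (objectClass=user) with the search attribute sAMAccountName
    $filter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, $filter, 'Subtree', @('distinguishedName'))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) {
        throw "Expected exactly one entry for $TestUser under $BaseDn, found $($resp.Entries.Count)"
    }
    $userDn = $resp.Entries[0].DistinguishedName
    Write-Host "User found: $userDn"

    # 3. Read the group's member attribute and compare against the user's full DN,
    #    which is the comparison Require ldap-group makes when AuthLDAPGroupAttributeIsDN is on
    $groupReq  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                     $GroupDn, '(objectClass=group)', 'Base', @('member'))
    $groupResp = $conn.SendRequest($groupReq)
    if ($groupResp.Entries.Count -ne 1) { throw "Group $GroupDn not found" }
    $memberAttr = $groupResp.Entries[0].Attributes['member']
    $members = if ($memberAttr) { $memberAttr.GetValues([string]) } else { @() }

    # -contains is case-insensitive for strings, matching how DNs compare
    if ($members -contains $userDn) {
        Write-Host "$TestUser is a member of $GroupDn: Apache will allow access"
    } else {
        Write-Host "$TestUser is NOT a direct member of $GroupDn: Apache will return 401"
    }
}
finally {
    $conn.Dispose()
}
```

If the bind itself fails, the AuthLDAPBindDN or AuthLDAPBindPassword values are wrong (or the domain controller rejects cleartext simple binds, in which case the Apache config needs ldaps:// or TLS as well). If the user is found but the membership check fails, compare the group DN printed by Get-ADGroup with the one in the Require line, since the match is on the full DN.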