how to set up single sign on with apache with Active directory

Braytac · 10-11-2006, 09:56 PM

Hi all.

I am attempting to set up Apache2 to replace IIS6. one of the bigger features of IIS which is preventing the migration is domain authentication for web pages.

the Linux machine is running Debian 3.1 Release 3. all packages are installed via apt so far.

i have read alot of articles about configuring the virtual host with the below details.

<VirtualHost *:443>
#Certificate
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/ldap.domain.com.pem

#Basic setup
ServerAdmin manager@domain.com
ServerName ldap.domain.com
DocumentRoot /home/hosting/ldap.domain.com/htdocs/

# HTML documents, with indexing.
<Directory />
Options ALL ExecCGI +Includes
Order allow,deny
Allow from all
AuthLDAPAuthoritative on
AuthType Basic
AuthName "Test IT LDAP"
AuthLDAPBindDN cn=ldapviewer,cn=Users,dc=domain,dc=com
AuthLDAPBindPassword ldapviewer_password
AuthLDAPURL "ldap://dc.domain.com:389/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
</Directory>

#private to IT Dept
<Directory "/home/hosting/ldap.domain.com/htdocs/private">
AuthName "Special User Area"
require group OU=ITStaff,OU=StaffAccounts,DC=domain,DC=com
</Directory>

# CGI Handling
ScriptAlias /cgi-bin/ /home/hosting/ldap.domain.com/cgi/
<Location /cgi-bin>
Options +ExecCGI
</Location>

# Logfiles
ErrorLog /home/hosting/ldap.domain.com/logs/error.log
CustomLog /home/hosting/ldap.domain.com/logs/access.log combined
</VirtualHost>

i dont know how to properly test it but what i am trying to achive for this test is to only grant access to the ITStaff group to the private folder. the error i get from /home/hosting/ldap.domain.com/logs/error.log is as follows.

[Thu Oct 12 20:35:39 2006] [warn] [client 192.168.4.13] [5021] auth_ldap authenticate: user ldapviewer authentication failed; URI /private [LDAP: ldap_simple_
bind_s() failed][Invalid credentials]

[Thu Oct 12 20:31:53 2006] [warn] [client 192.168.4.13] [4993] auth_ldap authenticate: user server authentication failed; URI /private [LDAP: ldap_simple_bind
_s() failed][Invalid credentials]

above are the attempts i tried. one being an account in the ITStaff OU and the other being the ldapviewer account which i created to be able to read AD. i read that a basic restricted account is required to read AD in order to run queries.

as far as i'm aware the mod_ldap module is loaded but i'm not 100% sure.

i've read on LQ that there are a few people that have already done this. however I have been unable to complete the task though those forums.

any advice would be greatly appreciated.

thanks

mrcoffee11 · 11-08-2007, 05:54 PM

Did you get it to work?
I need to authenticate to AD via LDAP using a AD group.
I tried a lot of possile combinatios, nothing worked.

Cheers