Quote:
Originally Posted by bifferos
I would like to create a very simple website (on Slackware) which authenticates AD domain users connecting from Windows machines. I'm a bit confused about whether this needs PAM, has anyone done this without it?
I am using this configuration with Apache:
Code:
# Placeholders to replace: ADSERVER.MY.DOMAIN, dc=MY,dc=DOMAIN,
# ldapagent@MY.DOMAIN and PASSWORD_OF_LDAPAGENT_USER
AuthType Basic
AuthName "AD login"
AuthBasicProvider ldap
# optional: scripts see the authenticated username, not the password
AuthBasicFake %{REMOTE_USER} ***HIDDEN***
# server / base DN / login attribute / scope / filter (users only, disabled accounts excluded)
AuthLDAPURL "ldaps://ADSERVER.MY.DOMAIN/dc=MY,dc=DOMAIN?sAMAccountName?sub?(&(|(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# account used to search the directory; not needed if anonymous search is allowed
AuthLDAPBindDN ldapagent@MY.DOMAIN
AuthLDAPBindPassword PASSWORD_OF_LDAPAGENT_USER
Require valid-user
Adjust the red parts (server name, base DN, bind DN and bind password) for your environment; the rest should be copy & paste.
AuthName is a custom text shown in the browser login prompt.
AuthBasicFake is optional. It hides the password (replaces it with the text "***HIDDEN***" in this case, feel free to change it) for PHP/CGI scripts, so they only see the (authenticated) username.
In AuthLDAPURL the "sAMAccountName" is the AD field containing the username. The part behind "?" is a filter to search only users (objectclass) and to exclude disabled accounts (userAccountControl).
AuthLDAPBindDN and AuthLDAPBindPassword are only required if anonymous AD access (to search for valid users) is not allowed. Use an existing account or create a special user (I named it "ldapagent") in the AD for this that is allowed to search the AD.
Put those lines in a separate configuration file, chmod 600 it (to protect the plaintext AuthLDAPBindPassword!) and Include it where required.
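The AuthLDAPURL above packs five things into one string (server, base DN, login attribute, scope and a search filter), and the filter's `:1.2.840.113556.1.4.803:=2` clause is a bit-mask test rather than a plain comparison. The following script is an added example, not code from the post or from Apache: it parses that exact URL the way mod_authnz_ldap reads it and evaluates the filter against a handful of constructed directory entries, so you can see which accounts would be admitted before touching a real domain controller. It runs offline and does not contact any server; the entry names and userAccountControl values are made up for illustration. (In the real flow Apache ANDs `(sAMAccountName=<login name>)` onto this filter, searches, and then binds as the DN it finds with the password the browser sent; only the filter step is reproduced here.)

```python
"""Added example (not from the original post): pull the AuthLDAPURL from the
Apache config apart and show which Active Directory entries its filter lets
through.  The URL is the one from the post; the directory entries are
constructed for illustration and nothing here contacts a real AD server."""
from urllib.parse import unquote, urlsplit

# OID of LDAP_MATCHING_RULE_BIT_AND, the extensible match used in the filter
BIT_AND_OID = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit: account is disabled

AUTH_LDAP_URL = (
    "ldaps://ADSERVER.MY.DOMAIN/dc=MY,dc=DOMAIN?sAMAccountName?sub"
    "?(&(|(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample entries (attribute names lower-cased; AD compares them
# case-insensitively).  512 = normal account, 514 = 512 | UF_ACCOUNTDISABLE,
# 66048 = 512 | DONT_EXPIRE_PASSWD.  "printers" is a group, not a user.
SAMPLE_ENTRIES = [
    {"samaccountname": ["alice"], "objectclass": ["top", "person", "user"],
     "useraccountcontrol": ["512"]},
    {"samaccountname": ["bob"], "objectclass": ["top", "person", "user"],
     "useraccountcontrol": ["514"]},
    {"samaccountname": ["carol"], "objectclass": ["top", "person", "user"],
     "useraccountcontrol": ["66048"]},
    {"samaccountname": ["printers"], "objectclass": ["top", "group"]},
]


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into the pieces mod_authnz_ldap uses.

    Layout: scheme://host[:port]/baseDN?attribute?scope?filter
    Defaults follow the mod_authnz_ldap documentation: attribute uid,
    scope sub, filter (objectClass=*)."""
    parts = urlsplit(url)
    # urlsplit stops the path at the first '?'; the rest lands in .query
    fields = parts.query.split("?", 2) + ["", "", ""]
    attribute, scope, ldap_filter = (unquote(f) for f in fields[:3])
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope if scope in ("one", "sub") else "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def parse_filter(text, pos=0):
    """Recursive-descent parser for the subset of RFC 4515 filters used here:
    (&...), (|...), (!...), (attr=value) and (attr:oid:=value).
    Returns (node, position after the closing parenthesis)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), pos + 1
    end = text.index(")", pos)
    lhs, value = text[pos:end].split("=", 1)
    rule = None
    if lhs.endswith(":"):                 # extensible match: attr:oid:=value
        lhs, rule, _ = lhs.split(":")
    return ("=", lhs.lower(), rule, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> [values])."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND_OID:
        # true when every bit of the asserted value is set in the attribute
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return any(v.lower() == value.lower() for v in values)


def allowed_users(url, entries):
    """Login names (per the URL's attribute) of entries the URL's filter admits."""
    cfg = parse_ldap_url(url)
    tree, _ = parse_filter(cfg["filter"])
    attr = cfg["attribute"].lower()
    return [entry[attr][0] for entry in entries
            if attr in entry and matches(tree, entry)]


if __name__ == "__main__":
    print(parse_ldap_url(AUTH_LDAP_URL))
    print("admitted:", allowed_users(AUTH_LDAP_URL, SAMPLE_ENTRIES))
```

With the constructed entries only alice and carol get through: bob carries the disabled bit (514 & 2 != 0) and is dropped by the `(!(userAccountControl:...:=2))` clause, and the group has no `objectclass=user`. The bit-AND rule is what makes this work; a plain `(userAccountControl=514)` comparison would miss disabled accounts that also have other flags set.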