I would like to create a very simple website (on Slackware) which authenticates AD domain users connecting from Windows machines. I'm a bit confused about whether this needs PAM, has anyone done this without it?

thanks!

I am using this configuration with Apache:

Adjust the red parts for your environment, the rest should be copy & paste.

AuthName is a custom text shown in the browser login prompt.

AuthBasicFake is optional. It hides the password (replaces it with the text "***HIDDEN***" in this case, feel free to change it) for PHP/CGI scripts, so they only see the (authenticated) username.

In AuthLDAPURL the "sAMAccountName" is the AD field containing the username. The part behind "?" is a filter to search only users (objectclass) and to exclude disabled accounts (userAccountControl).

AuthLDAPBindDN and AuthLDAPBindPassword are only required if anonymous AD access (to search for valid users) is not allowed. Use an existing account or create a special user (I named it "ldapagent") in the AD for this that is allowed to search the AD.

Put those lines in a separate configuration file, chmod 600 (to protect the plaintext AuthLDAPBindPassword!) and Include it where required.

4 members found this post helpful.

Thanks Markus,

I get this error:

When I've checked my ldap server is accessible and has port 389 open (and reachable). Any ideas?

Change the AuthLDAPURL from ldaps:// (that's LDAP over TLS on port 636) to ldap:// (without "s").

I don't think that was the problem, because port 636 was open as well.

However, when I enabled https it started to work properly. Guess I must have changed something else at the same time :-/.
Am I right in thinking I require Kerberos to get rid of the login prompt altogether, AKA SSO (Single Sign-On)?

Many thanks for your help.

Maybe the TLS certificate validation failed? Is it self-signed, from an internal CA or does not contain the hostname from AuthLDAPURL? The first two should be solved by copying it to /usr/local/share/ca-certificates/ followed by update-ca-certificates.

Unfortunately I can't help you with that, I haven't tried it yet.

If LDAP is using TLS I'm surprised adding an HTTPS virtual host to Apache solved anything. The HTTPS cert was self-signed, and nothing to do with the actual AD domain. I think I just screwed up some setting and later fixed it.

It seems a somewhat specialist subject. This will do me for now, and at least I didn't have to recompile bits of Slackware to achieve it

I meant the certificate of the LDAP/AD server which is probably checked by Apache (in its role as client for the AD connection).

Do you just need to control access to the vhost on apache or does your website need user details from AD (group, name, email, etc...)?
I use SimpleSAMLphp with my application to authenticate against AD and provide single sign-on.

Yes, I understood.

Only need access control. That looks interesting though.