Setting Up LDAP Authenticated Directory in Apache HTTPD 🌱

In this quick video learn how to setup LDAP/Active Directory authentication on an Apache webserver to secure web based applications.

Active Directory Setup

1. Open Active Directory Users and Computers
2. Expand the domain > Users
3. Right Click Users > New > User
4. Create a read only account to use for LDAP binding
   First Name: Read
   Last Name: Only
   User logon name: readonly_svc
5. Click Next
6. Set the user's password and confirm it
7. Uncheck User must change password on next logon
8. Check User cannot change password
9. Check Password never expires
10. Click Next
11. Click Finish
12. Right Click Users > New > Group
13. Give the group a name and click OK
14. Right Click the newly created group > Properties
15. Select the Members tab > Click Add...
16. Add users that will be allowed access to the web application
17. Click OK

Configuring Apache HTTPD for LDAP

1. Navigate to the Apache install directory/conf in Explorer
2. Edit httpd.conf in a text editor
3. Find the authnz_ldap_module and make sure it is enabled by removing the # at the start of the line

   LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

4. Find the ldap_module and make sure it is enabled by removing the # at the start of the line

   LoadModule ldap_module modules/mod_ldap.so

5. Create a Location block to enable LDAP authentication for the specified directory

   <location /ldaptest>
   # Basic authentication with LDAP against MS AD
   AuthType Basic
   AuthBasicProvider ldap
   
   # AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
   # using this format: ldap://host:port/basedn?attribute?scope?filter
   AuthLDAPURL "ldap://i12bretro.local:389/DC=i12bretro,DC=local?sAMAccountName?sub?(objectClass=user)" NONE
   
   # The LDAP bind username and password
   AuthLDAPBindDN "readonly_svc@i12bretro.local"
   AuthLDAPBindPassword "Read0nly!!"
   LDAPReferrals Off
   AuthUserFile /dev/null
   
   AuthName "Restricted Area [i12bretro.local]"
   # to authenticate a domain group, specify the full DN
   AuthLDAPGroupAttributeIsDN on
   require ldap-group CN=WebAuthAccess,CN=Users,DC=i12bretro,DC=local
   </location>

6. Save httpd.conf
7. Restart the Apache service
8. Open a browser and navigate to the LDAP authenticated URL
9. An authentication prompt should appear, allowing only users in the AD group specified access