This guide shows how to configure the Apache web server to authenticate users against Microsoft Active Directory. The hardest part was getting the correct LDAP path for the AuthLDAPUrl and AuthLDAPBindDN parameters. Without the exact path it will NOT work: LDAP does not walk the Active Directory tree looking for the specified users, it relies on the exact full path you give it.

CentOS – Apache, authenticating Microsoft Active Directory users:

vi /etc/httpd/conf/httpd.conf

Make sure the following three lines are NOT commented out (hashed out):

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so

Still in /etc/httpd/conf/httpd.conf, add the following for your web directory (here /var/www/html):

<Directory "/var/www/html">
    # Indexes turns on directory listings; drop it if you do not want them
    Options Indexes FollowSymLinks
    # Apache 2.2 access control: deny everyone by host, then let "Satisfy any"
    # admit whoever passes the AD login configured below
    Order deny,allow
    Deny from All
    AuthName "AD Username Password please"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    # Format: host:port/base DN?attribute?scope?filter; NONE means no TLS on this connection
    AuthLDAPUrl "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    # Account Apache binds with to search AD; users are matched by sAMAccountName below the base DN
    AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
    AuthLDAPBindPassword your_AD_user_password
    Require valid-user
    Satisfy any
</Directory>

vi /etc/openldap/ldap.conf

Comment out every existing line and add the following (this stops the OpenLDAP client from chasing the referrals Active Directory returns, which otherwise breaks the search):

REFERRALS off

Restart Apache:

/etc/init.d/httpd restart

Now if you open your web server’s root in your browser, you will be prompted for a username and password. With a valid Active Directory user account you will be authenticated against AD.
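As an added check that is not part of the original guide: a small Python helper that parses an AuthLDAPUrl into the fields mod_authnz_ldap uses, flags the points a reviewer would raise for an AD backend, and builds the equivalent ldapsearch command so the base DN and bind DN can be tried from the shell before editing httpd.conf. The host, DNs and username are this guide's placeholders; running the generated command assumes the openldap-clients package is installed.

```python
from collections import namedtuple
from urllib.parse import urlsplit, unquote
import shlex

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
LdapUrl = namedtuple("LdapUrl", "scheme host port base_dn attribute scope filter")
# Constructed sample: the placeholder URL from this guide, not a real domain controller.
GUIDE_URL = "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)"

def parse_auth_ldap_url(url):
    """Split scheme://host:port/base_dn?attribute?scope?filter into its parts.
    Missing fields take mod_authnz_ldap's defaults: uid, sub, (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing directory server host")
    base_dn = unquote(parts.path.lstrip("/"))
    if not base_dn:
        raise ValueError("missing base DN; AD is only searched below the exact DN given")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute = unquote(fields[0]) or "uid"
    scope = unquote(fields[1]) or "sub"
    if scope not in ("one", "sub"):
        raise ValueError(f"mod_authnz_ldap only supports scope one or sub, got {scope!r}")
    search_filter = unquote(fields[2]) or "(objectClass=*)"
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return LdapUrl(parts.scheme, parts.hostname, port, base_dn, attribute, scope, search_filter)

def check_url(url):
    """Warnings a reviewer would raise about this URL when the directory is AD."""
    u = parse_auth_ldap_url(url)
    warnings = []
    if u.scheme == "ldap":
        warnings.append("ldap:// carries the bind password and every user's password in clear text")
    if u.attribute.lower() not in ("samaccountname", "userprincipalname"):
        warnings.append(f"{u.attribute} is not an AD logon name attribute")
    if not any(rdn.strip().upper().startswith("DC=") for rdn in u.base_dn.split(",")):
        warnings.append("base DN has no DC= parts; an AD base DN ends in the domain's DC= components")
    return warnings

def ldapsearch_command(url, bind_dn, username):
    """The ldapsearch equivalent of Apache's lookup for one login; -W prompts for the bind password."""
    u = parse_auth_ldap_url(url)
    # mod_authnz_ldap combines the URL filter and attribute as (&(filter)(attribute=user))
    combined = f"(&{u.filter}({u.attribute}={username}))"
    args = ["ldapsearch", "-x", "-H", f"{u.scheme}://{u.host}:{u.port}", "-D", bind_dn, "-W",
            "-b", u.base_dn, "-s", u.scope, combined, "dn"]
    return " ".join(shlex.quote(a) for a in args)
```

If the generated ldapsearch returns the user's DN, the base DN and bind account are right and the same values can go into httpd.conf; if it returns nothing, fix the URL first rather than debugging Apache.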
