apache authentication with active directory

mstamat

Hi folks,
I'd like to setup apache2 to authenticate users from an existing active directory.

My server has already joined the active directory domain. i.e., I can see all the users using "wbinfo -u" and without being prompted for a password.

Unfortunately, I haven't managed to make Apache authenticate users without entering my username and password (plaintext!) in the .htaccess file. Is there a way to achieve this?

Configuration snippets are most welcome :-)

Cheers
_________________
Manolis

keyson · l33t Joined: 10 Jun 2003 Posts: 830 Location: Sweden

Hi

To read:
http://www.trustix.org/wiki/index.php/Active_Directory_Authentication_with_Apache
that ref to this:
http://thomas-howard.com/Reference/Articles/Apache+AD/

mstamat · Posted: Fri Jun 01, 2007 3:47 pm Post subject:

Thanks for the answer keyson, but I've already checked this. It wouldn't work for me because it requires a password in the .htaccess file:

keyson · l33t Joined: 10 Jun 2003 Posts: 830 Location: Sweden

OK.

Then you use winbind and then it should be possible to use mod_auth_pam
to authenticate apache users.

Have tested it but my memory is not so good, i think the mod_auth_pam config is something
like /etc/pam.d/httpd.
What you have to put in this should be something like

auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so

Check google for any information regarding mod_auth_pam apache and samba

Then you could use a .htaccess with something like.
AuthPAM_Enablead On
require group "DOMAIN\Apacheuser"

mstamat · Posted: Wed Jun 06, 2007 11:52 am Post subject:

Thanks for your help so far keyson! Now the my setup is almost working, with the exception of checking group membership.

The steps required were:

Enable mod_auth_pam on apache
Edit /etc/pam.d/apache2:

Code:

#%PAM-1.0
auth required pam_winbind.so
account required pam_winbind.so

Create an appropriate .htaccess file:

Code:

# Setup basic authentication with an empty password file.
# Using /dev/null as the authentication file saves us from
# annoying error messages in the Apache error log.
AuthType Basic
AuthName "Top Secret"
AuthUserFile "/dev/null"

# Allow Apache to try other authentication methods if Basic fails.
AuthBasicAuthoritative Off

# Enable PAM authentication.
# Edit /etc/pam.d/apache2 to define what this includes.
AuthPAM_Enabled on
Require valid-user

However, using the line you mentioned to require membership to a specific domain group won't work:

keyson · l33t Joined: 10 Jun 2003 Posts: 830 Location: Sweden

Hi.

You can authenticate by user as I understand.

If i remember right the group must be seen as a local group.
Check by getent group DOMAIN\Apacheuser if it see the group.

If it don't, then:
Check if you have winbind in the /etc/nsswitch.conf for the group.

Like this:

group: files winbind

Don't run any setup like this at the moment, so i can't test it.

Regards

keyson · l33t Joined: 10 Jun 2003 Posts: 830 Location: Sweden

OK

I had to test it. I have a samba server acting as PDC for some students.
I run a separat LDAP server to administrate the users. As I have apache on the
PDC I installed the mod_auth_pam and set it up with your .htaccess.
But i use LDAP to authenticate my users instead of winbind.

Now i noticed something. If i have the line

AuthUserFile "/dev/null"

inside the .htaccess it would not work with 'Require group testgroup'

But if i comment this out, it would grant access to a user in the testgroup.

I made a testgroup in the ldap and added some users to that group and it worked.

So try to comment out the line AuthUserFile "/dev/null" in the .htaccess

Regards

mstamat · Posted: Thu Jun 07, 2007 12:15 pm Post subject:

Thanks again keyson.
I'm afraid the problem lies with our Active Directory. The group memberships do not seem to be coherent.