Apache Lounge
Forum Index -> Apache
Topic: Apache 2.4 LDAP configuration
Mark3024



Joined: 15 May 2022
Posts: 5
Location: Adelaide

Posted: Sun 15 May '22 12:52    Post subject: Apache 2.4 LDAP configuration

Hi Team, I'm having a hard time setting up my LDAP syntax for Apache. I want to be able to restrict site access using AD and limit it to just a secure group.

Domain: mydomain.dom.org
Organisational unit: MM/Users/MM_Secure/
User Group: Sop_Admin
Server: Win 2019

<VirtualHost *:80>

    <Location "/localhost">

        AuthType Basic
        AuthName "Please seek admin approval if you can't get in:"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://myldapsrv.mydomain.dom.org/OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org

        Require ldap-group CN=Sop_Admin,OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org

    </Location>

</VirtualHost>

I can get it to work if I'm using a file for authentication. But when I'm using LDAP, it prompts the message, but once logged in, it pops up "there's an error connecting to server".

Access/error logs show errors 400 and 500. Most of the time it's 500.

My colleague and I agreed that it might be an issue with how we are calling LDAP.
Mark3024



Joined: 15 May 2022
Posts: 5
Location: Adelaide

Posted: Fri 20 May '22 7:33

Anybody, please help.

Here's my logs:

error.log:
[Fri May 13 13:32:17.830279 2022] [authz_core:error] [pid 9560:tid 1256] [client ::1:62204] AH01630: client denied by server configuration: C:/temp/IMR_Site/Apache_2_4/Apache24_MarkTest/docs, referer: http://localhost/

Access.log:
::1 - - [13/May/2022:13:32:17 +0930] "GET / HTTP/1.1" 403 199
::1 - - [13/May/2022:13:32:17 +0930] "GET /favicon.ico HTTP/1.1" 403 199
::1 - - [13/May/2022:13:33:17 +0930] "-" 408 -

Here's my full ldap block in httpd.conf:

<Directory "${SRVROOT}/htdocs">

AuthType Basic
AuthName "Mark LDAP Restricted"
AuthBasicProvider ldap
AuthLDAPURL ldap://myldapsrv.mydomain.dom.org/OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org
Require ldap-group CN=Sop_Admin,OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org

</Directory>
tangent
Moderator


Joined: 16 Aug 2020
Posts: 305
Location: UK

Posted: Tue 24 May '22 12:17

Sorry that no one has responded to your post so far.

I presume you've searched the site for LDAP-to-AD related posts; this one might be helpful: https://www.apachelounge.com/viewtopic.php?t=8623

AD doesn't support anonymous queries, so your LDAP auth will require a bind DN and associated password. You'll also need to configure for LDAPS, unless you want those bind credentials being passed in the clear on your network. However, security-wise, the bind account only needs rights to search the target LDAP group, which your domain admins should be able to set up.

Code:
AuthLDAPURL             ldaps://host/basedn?attribute?scope?filter
AuthLDAPBindDN          "myBindDN"
AuthLDAPBindPassword    "mypassword"
# AuthLDAPGroupAttributeIsDN on
AuthBasicProvider       ldap

The above post also mentions Kerberos / SPNEGO modules as alternatives, which I've managed to configure on Linux, but not Windows.

Also James Blond (moderator) and others have used mod_authn_ntlm https://github.com/TQsoft-GmbH/mod_authn_ntlm against AD.
Mark3024



Joined: 15 May 2022
Posts: 5
Location: Adelaide

Posted: Wed 25 May '22 5:14

Thank you so much for the update. I will try this asap and provide feedback.
Mark3024



Joined: 15 May 2022
Posts: 5
Location: Adelaide

Posted: Fri 27 May '22 2:06

Hi Tangent,

Is there a special way a bind DN needs to be created? I found the guide below, but we are not using any PAN-OS environment:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POC4CAO
tangent
Moderator


Joined: 16 Aug 2020
Posts: 305
Location: UK

Posted: Fri 27 May '22 23:24

This all rather depends on the design and layout of your organisation's Active Directory tree.

The bind DN should be defined by your AD domain admins' decision on where what should be classed as a "service account" lives. Service accounts typically have restricted rights compared to normal user accounts, e.g. access permissions, password policy, etc. If your security people allow it, you'll most likely want a non-expiring password policy assigned to said service account.

There's any amount of wisdom out on the net over best practice for configuring service accounts, e.g. https://www.dnsstuff.com/active-directory-service-accounts

Sorry I can't be more specific.
Mark3024



Joined: 15 May 2022
Posts: 5
Location: Adelaide

Posted: Fri 03 Jun '22 1:41

Thanks Tangent!
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 07 Jun '22 11:54

Hi,
There are some examples in the RTFM: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

The base DN should look like

Code:
dc=example,dc=com



If your ldap server is active directory see https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#activedirectory


mod_authn_ntlm is easier to use against Windows LDAP / Active Directory.
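Putting tangent's advice (bind DN, LDAPS, a search-only service account) and James Blond's pointer to the Active Directory section of the mod_authnz_ldap docs together, here is what a complete httpd.conf fragment for this thread's tree looks like. This is an added example, not the original poster's config and not text from the Apache documentation. The service account DN `CN=svc_apache_ldap,OU=Service Accounts,...`, the CA file `${SRVROOT}/conf/ad-root-ca.pem`, the server certificate paths and the ServerName are placeholders; the domain controller is assumed to answer LDAPS on 636. The weak URL from the thread is kept alongside as a comment so the two forms can be compared.

```apacheconf
# Added example for this thread, not the poster's or the Apache project's own config.
# Assumed names: svc_apache_ldap service account, ad-root-ca.pem, server.crt/server.key,
# ServerName myldaptest.mydomain.dom.org.

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ssl_module         modules/mod_ssl.so

# --- mod_ldap, server scope (outside any VirtualHost/Location) ---
# Trust only the CA that issued the domain controller's certificate, and verify it.
# Builds on the Microsoft LDAP SDK (typical on Windows) use the Windows
# certificate store instead, so import the CA into the machine store there.
LDAPTrustedGlobalCert CA_BASE64 "${SRVROOT}/conf/ad-root-ca.pem"
LDAPVerifyServerCert On

# Cache binds and group lookups; a short TTL bounds how long a removed
# group member keeps getting in.
LDAPCacheTTL   300
LDAPOpCacheTTL 300

# Basic auth sends the user's AD password base64-encoded on every request,
# so the browser-facing side needs TLS as much as the LDAP side does.
<VirtualHost *:443>
    ServerName   myldaptest.mydomain.dom.org
    DocumentRoot "${SRVROOT}/htdocs"
    SSLEngine on
    SSLCertificateFile    "${SRVROOT}/conf/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/server.key"

    # Temporary: shows the bind, the user search and the group compare in error.log.
    # Remove once it works.
    LogLevel warn authnz_ldap:debug ldap:debug

    <Location "/">
        AuthType Basic
        AuthName "Mark LDAP Restricted"
        AuthBasicProvider ldap

        # Weak form from the thread: cleartext ldap://, anonymous bind, and the
        # default "uid" attribute, which AD user objects do not carry:
        #   AuthLDAPURL ldap://myldapsrv.mydomain.dom.org/OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org
        #
        # Hardened form: LDAPS on 636, subtree search, match the typed name
        # against sAMAccountName, and only consider user objects.
        AuthLDAPURL "ldaps://myldapsrv.mydomain.dom.org:636/OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org?sAMAccountName?sub?(objectClass=user)"

        # AD rejects the user search on an unauthenticated connection, so bind
        # as a low-privilege service account that only needs read access to
        # the users OU and the Sop_Admin group. Keep httpd.conf readable only
        # by the Apache service account because the password sits here.
        AuthLDAPBindDN       "CN=svc_apache_ldap,OU=Service Accounts,DC=mydomain,DC=dom,DC=org"
        AuthLDAPBindPassword "change-me"

        # AD stores group membership as full DNs in the group's "member"
        # attribute, so compare the authenticated user's DN against it.
        AuthLDAPGroupAttribute     member
        AuthLDAPGroupAttributeIsDN on

        # AD nested groups are objectClass=group (not groupOfNames); raise
        # the depth only if Sop_Admin contains other groups.
        AuthLDAPSubGroupClass     group
        AuthLDAPSubGroupAttribute member
        AuthLDAPMaxSubGroupDepth  1

        Require ldap-group CN=Sop_Admin,OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org
    </Location>
</VirtualHost>
```

Two practical notes. On httpd 2.4.5 and later, `AuthLDAPBindPassword` also accepts a value of the form `exec:/path/to/program`, and the first line the program prints becomes the password, which keeps the secret out of httpd.conf. And before blaming the directives, test the service account and the group lookup from the web server with a plain LDAP client (an `ldapsearch` bind as `svc_apache_ldap` against the OU above, or the equivalent `Get-ADGroupMember Sop_Admin` in PowerShell on the box); if that search fails, no Apache config will make `Require ldap-group` pass.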

