httpd-users mailing list archives

From Ed Avis <...@waniasset.com>
Subject [users@httpd] Confused about LDAP authentication with Active Directory
Date Thu, 26 Feb 2009 14:31:11 GMT
Hi, I have been reading the list archives and searching the web for
how to configure Apache to authenticate users using Active Directory
but I think I may be missing some obvious points.  Hopefully someone
can explain what I'm missing.

Apache is running on the only Linux machine in a Windows network.
(Fedora 10.)  There is a domain controller which runs Active Directory
and is reachable by LDAP (port 389).  What I want is that when someone
views the Apache-hosted web site, they are prompted to enter a
username and password.  These credentials are then checked against
Active Directory, and if they do not match an existing Windows user account
then access is denied.  (If they do match then access can be
restricted based on a list of allowed usernames.)

I know it is possible to use Kerberos for this but I expected that
connecting to AD would be simpler.  However, docs such as
<http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html> imply that
Apache connects to the LDAP server using a fixed username and
password, and then merely queries the existence of an object in the
directory that matches the username. If so how does it check the
password supplied by the user?  Or is mod_authnz_ldap intended just
for authorization once the user has already been authenticated by some
other means?

The thing is, the authentication to Active Directory itself does
exactly what I want.  If I could configure Apache to connect to AD
over LDAP using the username and password given by the user, and allow
or deny access based on that, there would be no need to issue a
directory query.  But I guess that's not how it works?

(I am trying to set up mod_authnz_ldap following those instructions
but I don't know how to make the right LDAP search string.  If I use
the Active Directory Browser (adb.sourceforge.net) giving
'DC=wcl,DC=local' as the base DN then I can see 'WCL Logins' and under
that 'WCL Users' which contains the user objects.  I have been using
perl's Net::LDAP module to try to find the correct search filter
string before putting it into httpd.conf.  However, specifying a DN
'CN=WCL Users,CN=WCL Logins,DC=wcl,DC=local' does not work.  Any
suggestions?)

-- 
Ed Avis <eda@waniasset.com>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
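The search/bind sequence the post is asking about, as an added example that is not part of the original message or of httpd itself. mod_authnz_ldap does verify the user's password: it first binds with the fixed AuthLDAPBindDN credentials and searches for the one entry whose attribute (sAMAccountName for Active Directory) matches the username, then binds a second time as the DN it found, using the password the user typed. Only if that second bind succeeds is the user authenticated; the Require ldap-user list is applied afterwards. The script below models that flow against a constructed in-memory directory, refuses empty passwords (an LDAP simple bind with an empty password is an anonymous bind under RFC 4513 and proves nothing), escapes the username before it goes into the search filter, and builds the matching AuthLDAPURL string. Assumptions: the 'WCL Logins' and 'WCL Users' containers are organizational units (OU=), the service account DN and all passwords are invented, and dc1.wcl.local is a placeholder hostname.

```python
# Added example (not from the original post or the httpd project): a model of
# the two-phase search/bind that mod_authnz_ldap performs, run against a
# constructed in-memory stand-in for the Active Directory domain controller.


class BindError(Exception):
    """Raised when an LDAP simple bind or search is refused."""


# Constructed sample directory. Assumption: 'WCL Logins' and 'WCL Users' are
# organizational units, so their RDNs use OU= rather than CN=.
BASE_DN = "OU=WCL Users,OU=WCL Logins,DC=wcl,DC=local"
SERVICE_DN = "CN=apache-svc," + BASE_DN        # invented low-privilege bind account
SERVICE_PW = "s3rvice-secret"                  # invented

DIRECTORY = {
    SERVICE_DN: {"sAMAccountName": "apache-svc", "objectClass": {"user"}, "_pw": SERVICE_PW},
    "CN=Ed Avis," + BASE_DN: {"sAMAccountName": "eda", "objectClass": {"user"}, "_pw": "ed-pass"},
    "CN=Guest," + BASE_DN: {"sAMAccountName": "guest", "objectClass": {"user"}, "_pw": "guest-pass"},
}

# RFC 4515 escaping for values placed inside a search filter; without it a
# username such as "*)(objectClass=*" rewrites the filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPE.get(c, c) for c in value)


def build_filter(attr, username, url_filter="(objectClass=user)"):
    """mod_authnz_ldap ANDs the AuthLDAPURL filter with the attribute lookup."""
    return f"(&{url_filter}({attr}={ldap_escape(username)}))"


def auth_ldap_url(host, base_dn, attr, scope="sub", url_filter="(objectClass=user)", port=389):
    """AuthLDAPURL syntax: ldap://host:port/basedn?attribute?scope?filter
    (quote the whole value in httpd.conf, since the base DN contains spaces)."""
    return f"ldap://{host}:{port}/{base_dn}?{attr}?{scope}?{url_filter}"


def simple_bind(dn, password):
    """LDAP simple bind. Per RFC 4513 section 5.1.2, a DN with an empty
    password is an unauthenticated bind: the server accepts it but grants only
    an anonymous authorization state, so it proves nothing about the password."""
    if password == "":
        return "anonymous"
    entry = DIRECTORY.get(dn)
    if entry is None or entry["_pw"] != password:
        raise BindError(f"invalid credentials for {dn}")
    return "authenticated"


def search(base_dn, attr, username, authz, object_class="user"):
    """Subtree search for entries whose attribute matches the username.
    Active Directory refuses searches on anonymous connections by default,
    which is why a fixed bind account is needed for this phase."""
    if authz != "authenticated":
        raise BindError("search requires an authenticated bind")
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base_dn)                          # scope "sub"
            and object_class in entry["objectClass"]
            and entry.get(attr, "").lower() == username.lower()]   # AD matches case-insensitively


def authenticate(username, password, base_dn=BASE_DN, attr="sAMAccountName"):
    """Phase 1: bind as the service account and search for the user's DN.
    Phase 2: bind again as that DN with the password the user supplied."""
    if password == "":
        return False        # refuse before it can become an anonymous bind
    authz = simple_bind(SERVICE_DN, SERVICE_PW)
    matches = search(base_dn, attr, username, authz)
    if len(matches) != 1:
        return False        # unknown user, or an ambiguous filter: deny
    try:
        return simple_bind(matches[0], password) == "authenticated"
    except BindError:
        return False


def authorize(username, allowed_users):
    """Equivalent of 'Require ldap-user eda bob': a username allow-list that
    is consulted only after authenticate() has succeeded."""
    return username.lower() in {u.lower() for u in allowed_users}


if __name__ == "__main__":
    print(auth_ldap_url("dc1.wcl.local", BASE_DN, "sAMAccountName"))
    print(build_filter("sAMAccountName", "eda"))
    for user, pw in [("eda", "ed-pass"), ("eda", "wrong"), ("eda", ""), ("nobody", "x")]:
        ok = authenticate(user, pw) and authorize(user, ["eda"])
        print(f"{user!r}/{pw!r}: {'allowed' if ok else 'denied'}")
```

The AuthLDAPURL the script prints is the form to put in httpd.conf, together with AuthLDAPBindDN and AuthLDAPBindPassword for the service account (Active Directory also accepts the UPN form, e.g. apache-svc@wcl.local, as the bind DN) and a Require ldap-user line for the allow-list. If the real containers turn out to be CN= rather than OU=, only BASE_DN changes; the search/bind sequence is the same.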

