in Internet Services, Windows

authenticating Apache against Windows 2003 Active Directory

Devlin’s rebuilding its intranet and moving away from the old Lotus Domino-based directory service. One of the developers on the intranet project asked me if he could authenticate employees against Active Directory instead. He’ll be using the MODx CMS, and would like to authenticate using mod_auth_ldap.

We’ve done this before to authenticate Subversion SCM users, but just as a test. This time I decided to try and create a user in Active Directory that would be used solely to bind to LDAP when doing lookups. I called this user “LDAP User”.

Making this work required a lot of trial and error, and I still haven’t managed to figure out a few things (see below). The first problem I had was that I was confused as to what the CN actually is for this particular user: it’s going to be cn=LDAP User, cn=Users, dc=devlin, dc=ca rather than cn=ldapuser, cn=Users, dc=devlin, dc=ca. ldapuser is just the login ID of the account rather than the actual CN.

The other thing I did wrong is that I put quotes around the Require statement, so rather than having

Require group “cn=Devlin Employees,cn=Users,dc=devlin,dc=ca”

the correct syntax is just

Require group cn=Devlin Employees,cn=Users,dc=devlin,dc=ca

A few things are still broken:

  1. I can’t figure out why LDAPS isn’t working. Doing searches from the command line using ldapsearch over SSL work fine, but the configuration of LDAP-SSL within Apache seems to be really tricky. I already have the directives
            LDAPTrustedCA certs/sf_issuing.crt
            LDAPTrustedCAType BASE64_FILE
    

    in the configuration file, and Apache does say [notice] LDAP: SSL support available, but any attempt to actually use it gives an

    [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
    

    error.

  2. I’m not particularly impressed that AuthLDAPBindPassword is stored in cleartext in the configuration file, but there doesn’t seem to be a way of hashing it or otherwise concealing it.
  3. I haven’t figured out how to enable LDAPS on Domain Controllers that aren’t already HTTPS-enabled, so for now I’m not authenticating against them.

Write a Comment

Comment

  1. ldaps is already installed on Windows servers. There's a number of ways to get around the issue but for now I'm investigating the fact that it may be requesting one of these authentication mechanisms:

    GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5

    My guess is that mod_ldap doesn't authenticate against those:(

    Cheers!