
Apache 2.2 - authnz_ldap - Active Directory (follow-up)

Given that I've had quite a few comments about my last post on authnz_ldap and Active Directory, I thought I'd summarize the issues involved a little. Basically, without setting REFERRALS off in /etc/ldap/ldap.conf you get an Operations Error when Apache tries to authenticate against AD: the domain controller answers a subtree search on the domain base with referrals, the OpenLDAP client library chases them with an anonymous bind, and AD rejects the anonymous operation. So far so good.

A quick glance at the apache2 code didn't turn up any option to disable this behaviour, unfortunately. So we're either stuck with editing /etc/ldap/ldap.conf, or we can point the authnz_ldap module at the AD Global Catalog port (TCP/3268) instead: the Global Catalog holds a partial replica of every object in the forest and answers the search without handing out referrals. That is, if you have one available to be pounded by your authentications ;)

Switching to an encrypted channel with LDAP over SSL is fairly trivial: you just need to ask the Global Catalog SSL port (TCP/3269). The example below is still subject to MITM, because it switches server certificate verification off; I'll leave solving that as an exercise for the reader:

AuthType Basic
AuthName "Basic"
AuthBasicProvider ldap
# Global Catalog over SSL (TCP/3269); SSL is the connection-mode argument that matches the ldaps:// scheme
AuthLDAPURL "ldaps://globalcatalogdc.domain:3269/DC=DOMAIN?sAMAccountName?sub?(objectClass=user)" SSL
# Service account used for the initial bind and the user search; note the password sits in clear text in this file
AuthLDAPBindDN "LDAPQueryUser@DOMAIN"
AuthLDAPBindPassword "foo"
# Apache 2.2 ORs multiple Require lines: members of the group OR the user michele are let in
require ldap-group CN=GP-SVN-USERS,CN=Users,DC=DOMAIN
require ldap-user michele
# MITM: certificate verification is disabled, so any host answering on 3269 is trusted.
# This is a server-config (mod_ldap) directive, not a per-directory one.
LDAPVerifyServerCert Off
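For completeness, here is the same setup with the MITM hole closed. This is an added example, not configuration from the original post: the CA bundle path /etc/ssl/certs/ad-root-ca.pem, the /svn location and the realm name are assumptions, and the host, base DN, bind account and group are taken over unchanged from the snippet above. The only real changes are that LDAPVerifyServerCert is left at its default of On and mod_ldap is told which CA signed the domain controller's certificate; the Global Catalog port is kept so the referral problem never comes up and /etc/ldap/ldap.conf can stay untouched.

```apache
# --- server-level mod_ldap settings (main config, not <Directory> or .htaccess) ---
# Assumed path: PEM ("CA_BASE64") copy of the AD root CA that issued the DC's certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
# Default is On; the original snippet turned it Off, which is what made it MITM-able.
LDAPVerifyServerCert On

# --- per-location authnz_ldap settings (assumed: this protects a Subversion repository) ---
<Location /svn>
    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap

    # Global Catalog over SSL (TCP/3269): no referrals, so no Operations Error.
    # The hostname here must match the CN/SAN in the DC's certificate for verification to succeed.
    AuthLDAPURL "ldaps://globalcatalogdc.domain:3269/DC=DOMAIN?sAMAccountName?sub?(objectClass=user)" SSL

    # Low-privilege read-only account used only for the search bind.
    AuthLDAPBindDN "LDAPQueryUser@DOMAIN"
    AuthLDAPBindPassword "foo"

    # AD groups store members as DNs in the "member" attribute, which matches
    # the authnz_ldap defaults (AuthLDAPGroupAttribute member, AuthLDAPGroupAttributeIsDN on).
    require ldap-group CN=GP-SVN-USERS,CN=Users,DC=DOMAIN
</Location>
```

A quick way to check the trust chain before touching Apache is to run ldapsearch against the same host and port with TLS_CACERT pointed at the same PEM file; if that fails on the certificate, so will mod_ldap once verification is on.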