# Auth_LDAP with Active Directory

## KsE

I'm trying to get user authentication for apache to work with windows domain accounts via active directory. I haven't seen much documentation on this yet.

I'm using apache 1, not 2. I have ldap installed and the auth_ldap module for apache. As far as I can tell, there isn't anything else I need.

httpd.conf

```
<Directory "/path/to/dir">
        AuthLDAPEnabled On
        #AuthLDAPBindDN  "ip/dc=domain,dc=com,ou=ou here,cn=cn here"
        #AuthLDAPBindPassword ""
        AuthLDAPURL ldap://ip/CN=cn here,OU=ou here,DC=domain,DC=com
        AuthName "AuthName"
        AuthType Basic
        require valid-user
</Directory>
```

/var/log/httpd/error_log

```
[Fri Mar 19 14:19:51 2004] [error] [client myIP] Search must return exactly 1 entry; found 0 entries for search (&(objectclass=*)(uid=joe.user)): URI /dir
```

I don't know what I'm doing. I probably have the wrong url or something. Can anyone help me with this?

-KsE

----------

## rinacabj

I'm having a sort of the same problem. Only difference is I'm using apache2. All the modules are in and apache loads, but I can't get any authentication box. It just says forbidden. Were you able to get it to work?

----------

## jayc

Theoretically, I would say that you can't use the LDAP module to authenticate against Active Directory. I don't know this for sure, but this is why I think that.

AD uses a bastardized form of Kerberos for authentication.  All Kerberos does is store a list of users and password and grant tickets.  LDAP is used for user information, etc.  Therefore, since LDAP has no idea of what the password is (only Kerberos would), you can't use the LDAP module.

I could be wrong, but that is how AD works.  I'd look into an NTLM authentication module or try using the Apache Kerberos auth module.  AD uses Kerberos from the MIT folks, anyhow.

----------

## rinacabj

someone please tell me this isn't true, and if it is what can be used instead

----------

## nobspangle

I don't know much about authentication in apache passed using .htaccess files, but if you can authenticate against pam then I would assume you could use winbind to do the authentication.

----------

## bin-doph

Have you granted rights to "Everybody", or why aren't you binding with user/pass credentials to AD? By default "Everybody" doesn't have the rights to query the userdb, but it doesn't abort with something like "access denied" since "Everybody" does still have access... You should try with an account for your needs, since all "Authenticated Users" do have the rights to query that information. Since I never used auth_ldap with apache I don't know if a normal user is enough...

maybe this helps http://www.contactor.se/~dast/svnusers/archive-2004-03/0877.shtml

hth

-fe

----------

## bin-doph

Well since I'm currently doing something similar and mod-ntlm is pretty crappy I tested auth_ldap ... works like a charm. So I guess a proper user is what u need. Use a bind and check that your query is ok (u don't even need an administrative account)

hth

-fe

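As an added illustration (not code from the thread or from the auth_ldap project), the following Python models how the Apache LDAP auth module assembles the search filter that appears in KsE's error_log from the pieces of an AuthLDAPURL (basedn?attribute?scope?filter, with the module's documented defaults of uid, sub and objectclass=*), and why that produces "found 0 entries" against AD, whose user objects are matched by sAMAccountName rather than uid. The AD-style URL and the service-account bind are assumptions drawn from bin-doph's advice, not a configuration the thread confirmed; the login name is escaped per RFC 4515 so it can never alter the filter's structure.

```python
"""Model the search filter Apache's LDAP auth module builds from an AuthLDAPURL."""
from urllib.parse import unquote, urlsplit

# RFC 4515 escaping for a value placed inside a filter, so a login name
# such as "joe)(objectClass=*" cannot change the structure of the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap://host[:port]/basedn?attribute?scope?filter (RFC 2255 form).
    Missing parts get the module's documented defaults: attribute uid,
    scope sub, filter objectclass=*."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    fields = [unquote(parts.path.lstrip("/"))]
    fields += unquote(parts.query).split("?") if parts.query else []
    fields += [""] * (4 - len(fields))          # pad absent parts
    basedn, attribute, scope, filt = fields[:4]
    filt = filt or "objectclass=*"
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]                       # outer parens re-added below
    return {"host": parts.netloc, "basedn": basedn,
            "attribute": attribute or "uid",
            "scope": scope or "sub", "filter": filt}


def search_filter(url: str, username: str) -> str:
    """Filter the module sends to the server: (&(<url filter>)(<attribute>=<user>))."""
    cfg = parse_auth_ldap_url(url)
    return f"(&({cfg['filter']})({cfg['attribute']}={escape_filter_value(username)}))"


if __name__ == "__main__":
    # The URL from the first post: no attribute given, so uid is searched,
    # which AD user objects do not carry, hence "found 0 entries".
    posted = "ldap://ip/CN=cn here,OU=ou here,DC=domain,DC=com"
    print(search_filter(posted, "joe.user"))
    # Assumed AD-style URL: search the domain, match on sAMAccountName and
    # restrict to user objects. In httpd.conf this would be paired with
    # AuthLDAPBindDN/AuthLDAPBindPassword for a low-privilege service
    # account (placeholder host "ip" and DN kept from the thread).
    ad_url = "ldap://ip/DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"
    print(search_filter(ad_url, "joe.user"))
```
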
----------

## rinacabj

bin-doph - here's your chance to be a real hero!

A post of what I'm trying to do/my current set-up is:

https://forums.gentoo.org/viewtopic.php?t=191372

If you could pretty please take a look and tell me what you think I may need. I'm driving myself crazy with it and can't figure it out. I said pretty please.

----------

## bin-doph

wow, I always wanted to be a real hero.... let's give it a shot

----------

## mgladding4423

*nobspangle wrote:*

> I don't know much about authentication in apache passed using .htaccess files, but if you can authenticate against pam then I would assume you could use winbind to do the authentication.


We have this working, but the only problem is that since we're using winbind, the username has to be typed in as DOMAINNAME_<username> (as _ is our winbind separator). Does anyone have any clue or tip on how to make it so that the username, when passed to the server, will tack on DOMAINNAME_ without typing it in with the username?

----------

