Ubuntu 26.04
Sponsored Link

Apache2 : Basic Authentication + LDAP2026/05/25
 

Configure [mod_ldap] to use LDAP directory users on httpd Basic authentication.
On this example, it uses Active Directory like following environment for it.

Domain Server : Windows Server 2025
Domain Name : srv.world
Hostname : fd3s.srv.world (10.0.0.100)
NetBIOS Name : FD3S01
Realm : SRV.WORLD

[1]

Username and password are sent with plain text on Basic Authentication,
so Use secure connection with SSL/TLS setting, refer to here.

[2]

Configure LDAP over SSL/TLS on Active Directory, refer to here.

[3]

Create a user on Active Directory for binding Active Directory from Apache2.
On this example, it creates [ldapuser], it's OK to grant [Domain Users] rights only for it.

[4] Configure Basic authentication + LDAP.
For example, set Basic Authentication to the directory [/var/www/html/auth-ldap].
# get certificate on AD

root@www:~#
echo | openssl s_client -connect fd3s.srv.world:636 2>&1 |awk '/BEGIN/,/END/' > /etc/ssl/certs/fd3s.srv.world.cer
root@www:~#
vi /etc/apache2/sites-available/auth-ldap.conf
# create new
# on example below, it limits the range to search the directory only [Hiroshima] OU
# so only users under the [Hiroshima] OU can authenticate with this setting
# for [AuthLDAPBindDN] and [AuthLDAPBindPassword], specify the AD user for binding

LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/fd3s.srv.world.cer
<Directory "/var/www/html/auth-ldap">
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://fd3s.srv.world:636/ou=Hiroshima,dc=srv,dc=world?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN ldapuser@srv.world
    AuthLDAPBindPassword Password
    Require valid-user
</Directory>
root@www:~#
chgrp www-data /etc/apache2/sites-available/auth-ldap.conf

root@www:~#
chmod 640 /etc/apache2/sites-available/auth-ldap.conf

root@www:~#
a2ensite auth-ldap 

Enabling site auth-ldap.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@www:~#
a2enmod authnz_ldap 

Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@www:~#
systemctl restart apache2

# create a test page

root@www:~#
mkdir /var/www/html/auth-ldap

root@www:~#
vi /var/www/html/auth-ldap/index.html 
<html>
<body>
<h1 style="width: 100%; font-size: 40px; text-align: center;">
Test Page for LDAP Authentication
</h1>
</body>
</html>
[5] Access to the test page from any client computer with web browser. Then authentication is required as settings, answer with any AD user.
[6] That's OK if authentication is successfully passed and test page is displayed normally.
Matched Content