How To Integrate Active Directory Authentication in Apache on Ubuntu 20.04

This guide will show you how to configure Active Directory authentication in Apache on Ubuntu 20.04. These instruction can also be applied if you are running Ubuntu 18.04, Debian 9, or Debian 10 on your system.
 

Prerequisites

To follow this tutorial along, you will need one (physical or virtual) machine installed with Ubuntu 20.04. 
 
We have also created a video to avoid any confusion while performing these configuration steps:
 
 
Login to your Ubuntu system and set correct hostname and timezone with below command:
sudo hostnamectl set-hostname your_server_name.domain
sudo timedatectl set-timezone America/New_York

Install Apache

You can install Apache on your Ubuntu/Debian with below command:
sudo apt -y install apache2

Configure Apache

We will create a directory under /var/www/html to store our web contents.
sudo mkdir -p /var/www/html/private
 
We will create AD-ldap.conf file under /etc/apache2/conf-available location like an example below:
sudo nano /etc/apache2/conf-available/AD-ldap.conf
 
add configuration directives like an example below:
<Location /private>
AuthName "Active Directory Authentication"
AuthType Basic
AuthBasicAuthoritative Off
AuthBasicProvider ldap
AuthLDAPURL ldap://Your_AD_IP:3268/?userPrincipalName?sub
AuthLDAPBindDN your_AD_user@domain
AuthLDAPBindPassword your_AD_user_password
Require valid-user
</Location>
Make sure you replace highlighted text with yours.
 
By default Windows Active Directory doesn't allow anonymous lookup for LDAP database, so we have to put  AuthLDAPBinDN and AuthLDAPBindPassword directive to allow Apache to search Active Directory for users credentials.
 
Make sure you keep port 3268 in your configuration, because LDAP communication to a Active Directory global catalog server occurs over TCP 3268 port, and if you try to connect LDAP using port like 389 or 686, your Apache authentication will fail.
 
Save and close the editor when you are finished.

The actual AD-ldap.conf file in our environment looks like below:
 

Verify your Apache configuration file syntax with below command:
sudo apache2ctl configtest
This will return Syntax OK in the output if everything was setup correctly. If there is any error, fix them first then move to next step.

Execute below command to activate your Apache configuration:
sudo a2enmod ssl
sudo a2enmod authnz_ldap
sudo a2enconf AD-ldap.conf
sudo a2ensite 000-default.conf default-ssl.conf
 
Restart Apache to make changes effect:
sudo systemctl restart apache2
 
We will create a simple index.html page under /var/www/html/private directory to test our Apache and Active Directory authentication functionality.
sudo nano /var/www/html/private/index.html
 
Add below simple html code in it:
<html>
<head>
<title>Index Page</title>
</head>
<body>
<h2>This is simple Index Page, testing Apache with Active Directory authentication.</h2>
</body>
</html>
Save and close the editor when you are finished.
 

Test Apache & Active Directory Authentication

Open up your preferred web browser, and navigate to:
 
http://your_server_name-OR_IP/private 
 
or
 
https://your_server_name-OR_IP/private 
 
You will get credentials popup as shown in screenshot below:


Enter your Active Directory username and password like example below:
 

Upon successful login with your AD credentials, you should see the webpage like an example below:


Check your Apache access_log with below command:
tail -f /var/log/apache2/access.log
 
You will see your Active Directory username in logs as shown in screenshot below:
 
 
At this stage, you have successfully implemented Active Directory authentication in your Apache.

Troubleshooting

If you get 500 Internal Server Error in browser, you should check the Apache error_log using tail -f /var/log/apache2/error.log to identify the root cause.
 

Conclusion

By leveraging the central user management of Windows Active Directory, you don’t need to worry about usernames or passwords for your Apache web server anymore.

No comments:

Comments with links will not be published.

Powered by Blogger.