NOTE: This is a SupplementalDocument topic which is not included with the official TWiki distribution. Please help maintain high quality documentation by fixing any errors or incomplete content. Put questions and suggestions concerning the documentation of this topic in the comments section below! Use the Support web for problems you are having using TWiki.
Apache LDAP AD Authentication Setup
NOTE: The LdapContrib is likely a better alternative to this manual setup.
I am currently setting up a knowledge base at my place of work. My boss was asked to install TWiki and set it up with LDAP / AD (Active Directory) authentication. Since the wiki is going to hold sensitive information about the company, it requires authentication to make sure that the reader is a company employee. Authenticating against Active Directory gives us that and more:
- Nobody likes to have different accounts. It is a human thing to forget user names and passwords.
- There is no need to recreate every single account.
- Everything is centralised. If an account is disabled on the domain, access to the web server is disabled as well (subject to mod_ldap's search/bind cache, LDAPCacheTTL, which is 10 minutes by default).
I have set up an intranet wiki based on TWiki on an OpenSUSE/CentOS server, and I had to configure TWiki so that it authenticates against our internal Windows Active Directory. Since there was no good documentation on this topic, PeterThoeny suggested documenting the steps.
This document does not explain the steps required to install TWiki, nor the steps required for the initial Apache configuration. It assumes that TWiki itself has already been set up.
It explains the steps required to configure Apache Active Directory authentication and also explains how to fall back to other authentication methods.
OS and Twiki version Information
- OS and Version : OpenSUSE-11.3 64-bit/ CentOS-5.6 64-bit
- Twiki Version : TWiki-5.0.1
- Perl Version : Perl-5.12.1
- Apache Version : Apache-2.2.15
Required Apache Modules
You need to load the following modules in Apache Server.
- Apache Module Name : mod_ldap, mod_authnz_ldap
Determine if the above two modules are loaded in Apache
In OpenSUSE : You can see the list of currently loaded modules by running :
# a2enmod -l
(OR)
Open the /etc/sysconfig/apache2 file using your favorite editor, search for "APACHE_MODULES=" and see if the two modules (authnz_ldap and ldap) are in the list of modules.
If they are not there, add the two modules (authnz_ldap and ldap) to the "APACHE_MODULES=" list and restart Apache by running :
# /etc/init.d/apache2 restart
In CentOS :
You can see the list of currently loaded modules by running :
# httpd -M
(OR)
Open the /etc/httpd/conf/httpd.conf file using your favorite editor, search for "LoadModule" and see if the two modules (mod_ldap and mod_authnz_ldap) are in the list of loaded modules.
# vim /etc/httpd/conf/httpd.conf
If they are not there, add the two lines below in the "LoadModule" section of the /etc/httpd/conf/httpd.conf file
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Check the syntax with httpd -t, then restart Apache by running :
# /etc/init.d/httpd restart
Binding to Active Directory
Active Directory is LDAP (Lightweight Directory Access Protocol) compliant, meaning you can run queries to retrieve information about users and computers on the domain. You can use the client ldapsearch to browse its structure. However, AD does not allow anonymous searches by default, so you need a service account that Apache binds with to look up a user's details before it verifies that user's password.
We need the following information to configure the Apache module to authenticate TWiki users against Active Directory.
- Active Directory Host Name
- Active Directory Listen Port
- Active Directory User Account
- CN - Common Name (Above User Account)
- OU - Organizational Unit (Above User Account)
- DN - Distinguished Name (Above User Account)
You can collect all the above information about your Active Directory server either yourself (if you already have a user account in AD) using your favorite LDAP browser, or ask your friendly LDAP admin.
1). I raised a request to my LDAP admin to create a read-only user account in the AD server (an account without a mailbox). It needs no rights beyond those of an ordinary domain user, since it only searches the directory.
- AD user account : twikiad
- Password : xxxx
2). Get the host name (or IP address) of the LDAP AD server (e.g. ldap.my.domain.com) from your friendly LDAP admin.
- AD Host Name : ldap.abcd.co.in
3). Get the LDAP listen port (e.g. 389) from your friendly LDAP admin.
In my configuration I am using the Global Catalog port (3268) of AD. The global catalog holds a partial replica of every object in the forest, so a subtree search from the forest root finds a user without knowing which Organizational Unit (OU), or even which domain, they belong to, and it does not return the referrals to other directory partitions that a search on port 389 does. Note that both 389 and 3268 are clear-text ports; their TLS equivalents are 636 and 3269.
4). Check the connectivity from your Apache server to Active Directory using telnet. This only proves that the TCP port is reachable and not blocked by a firewall; it says nothing about the bind account.
- $ telnet ldap.abcd.co.in 3268
If you find any connectivity problem ask your LDAP admin.
5). The next step is to get the CN, OU and DN of the user account. If you have all the information from steps 1 to 4, you can use a tool like Active Directory Explorer to figure it out yourself; if you don't know it, ask your Active Directory administrator.
I used Active Directory Explorer to find the following information.
- Common Name : CN=twikiad
- Organizational Units : OU=SR,OU=Ind,OU=Asi,OU=UA
- Domain Components : DC=abcd,DC=co,DC=in
Joined together, from the most specific part to the domain, they form the Distinguished Name (DN) of the bind account :
CN=twikiad,OU=SR,OU=Ind,OU=Asi,OU=UA,DC=abcd,DC=co,DC=in
Existing Apache Configuration
At the time of configuring Apache LDAP authentication, my twiki.conf file was as shown below. That is, I had configured simple Apache authentication against an htpasswd file. With this method TWiki does not authenticate users internally. Instead it depends on the REMOTE_USER environment variable, which is set when you enable authentication in the web server. In the next section I show which configuration modifications I made to move from simple Apache authentication to Apache LDAP authentication.
<IfModule mod_perl.c>
PerlSwitches -T
</IfModule>
ScriptAlias /twiki/bin "/var/www/twiki/bin"
Alias /twiki/pub "/var/www/twiki/pub"
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Sandbox)/+.+
RewriteRule ^/+twiki/+pub/+(.*)$ /twiki/bin/viewfile/$1 [L,PT]
SetEnvIf Request_URI "twiki/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
SetEnvIf Request_URI "twiki/pub/TWiki/.*\.[hH][tT][mM][lL]?$" !blockAccess
<Directory "/var/www/twiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'Please Enter you Username and Password to login.'
AuthType Basic
ErrorDocument 401 "Please use your correct username and password to login this wiki."
<FilesMatch "^(configure)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 xx.xx.xx.xx
</FilesMatch>
<FilesMatch "(attach|edit|manage|rename|save|view|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
</Directory>
<Directory "/var/www/twiki/pub">
Options None
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
php_admin_flag engine off
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory>
<Directory "/var/www/twiki/pub/Trash">
deny from all
</Directory>
<Directory "/var/www/twiki/lib">
deny from all
</Directory>
<Directory "/var/www/twiki/templates">
deny from all
</Directory>
<Directory "/var/www/twiki/working">
deny from all
</Directory>
<Directory "/var/www/twiki/tools">
deny from all
</Directory>
<Directory "/var/www/twiki/locale">
deny from all
</Directory>
In the above configuration, I removed the following lines :
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'Please Enter you Username and Password to login.'
ErrorDocument 401 "Please use your correct username and password to login this wiki."
and added the lines below :
AuthName "Wiki: Enter Your AD Username/Password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBindDN "CN=twikiad,OU=SR,OU=Ind,OU=Asi,OU=UA,DC=abcd,DC=co,DC=in"
AuthLDAPBindPassword twikiad@123
AuthLDAPURL ldap://ldap.abcd.co.in:3268/DC=abcd,DC=co,DC=in?sAMAccountName?sub?(objectClass=*)
AuthLDAPGroupAttributeIsDN off
ErrorDocument 401 "Please use your AD username and password to login this wiki."
Modified Apache Configuration
Here is the modified twiki.conf file. Check the syntax (httpd -t on CentOS, apache2ctl -t on OpenSUSE) and restart Apache. That's it: this configuration authenticated my TWiki users against our internal Active Directory server. Three things are worth knowing about the new directives :
- AuthLDAPBindPassword is stored in clear text, so twiki.conf must be readable by root only. Apache reads its configuration before dropping privileges, so the worker user does not need access to it.
- ldap:// on port 3268 sends the bind password and every user's password across the network unencrypted. If your domain controllers offer LDAPS, use ldaps://ldap.abcd.co.in:3269/... instead and point LDAPTrustedGlobalCert (CA_BASE64 /path/to/ca.pem) at the CA that issued the domain controllers' certificates, so that LDAPVerifyServerCert, which is on by default, can check them.
- The filter (objectClass=*) matches any object whose sAMAccountName equals the typed name, including computer accounts (their names end in $). (&(objectCategory=person)(objectClass=user)) restricts logins to user accounts.
<IfModule mod_perl.c>
PerlSwitches -T
</IfModule>
ScriptAlias /twiki/bin "/var/www/twiki/bin"
Alias /twiki/pub "/var/www/twiki/pub"
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Sandbox)/+.+
RewriteRule ^/+twiki/+pub/+(.*)$ /twiki/bin/viewfile/$1 [L,PT]
SetEnvIf Request_URI "twiki/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
SetEnvIf Request_URI "twiki/pub/TWiki/.*\.[hH][tT][mM][lL]?$" !blockAccess
<Directory "/var/www/twiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
AuthType Basic
AuthName "Wiki: Enter Your AD Username/Password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBindDN "CN=twikiad,OU=SR,OU=Ind,OU=Asi,OU=UA,DC=abcd,DC=co,DC=in"
AuthLDAPBindPassword twikiad@123
AuthLDAPURL ldap://ldap.abcd.co.in:3268/DC=abcd,DC=co,DC=in?sAMAccountName?sub?(objectClass=*)
AuthLDAPGroupAttributeIsDN off
ErrorDocument 401 "Please use your AD username and password to login this wiki."
<FilesMatch "^(configure)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 xx.xx.xx.xx
</FilesMatch>
<FilesMatch "(attach|edit|manage|rename|save|view|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
</Directory>
<Directory "/var/www/twiki/pub">
Options None
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
php_admin_flag engine off
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory>
<Directory "/var/www/twiki/pub/Trash">
deny from all
</Directory>
<Directory "/var/www/twiki/lib">
deny from all
</Directory>
<Directory "/var/www/twiki/templates">
deny from all
</Directory>
<Directory "/var/www/twiki/working">
deny from all
</Directory>
<Directory "/var/www/twiki/tools">
deny from all
</Directory>
<Directory "/var/www/twiki/locale">
deny from all
</Directory>
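The two LDAP operations that mod_authnz_ldap performs with the directives above can be reproduced with ldapsearch, which makes a wrong bind DN, password, base DN or filter diagnosable on the Apache host without reading Apache's error log. The script below is an added example and is not part of the original page or of TWiki. It assumes OpenLDAP's ldapsearch is installed (openldap2-client on OpenSUSE, openldap-clients on CentOS), that the host, port, base DN and service-account DN are the placeholders used on this page, and that the service-account password is supplied in an environment variable named TWIKI_AD_BIND_PW; the file name ad_auth_check.sh is also assumed.

```shell
#!/bin/sh
# Added example (not from the original page or TWiki): replay what
# mod_authnz_ldap does for a Basic-auth request against the AuthLDAPURL above.
#   1. bind as the service account and search the base for
#      (&(filter)(attribute=<user>)); exactly one DN must come back
#   2. bind as that DN with the password the user typed
# Assumed: placeholders from the page, ldapsearch installed, TWIKI_AD_BIND_PW set.

AUTH_LDAP_URL='ldap://ldap.abcd.co.in:3268/DC=abcd,DC=co,DC=in?sAMAccountName?sub?(objectClass=*)'
BIND_DN='CN=twikiad,OU=SR,OU=Ind,OU=Asi,OU=UA,DC=abcd,DC=co,DC=in'

# ldap_url_part URL NAME: print one component of an AuthLDAPURL, split the way
# Apache does: scheme://host[:port]/basedn?attribute?scope?filter
# NAME is one of scheme|host|port|base|attr|scope|filter. Runs in a subshell so
# the IFS and glob changes stay local.
ldap_url_part() (
    url=$1 want=$2
    scheme=${url%%://*}
    rest=${url#*://}
    case $rest in
        */*) hostport=${rest%%/*}; rest=${rest#*/} ;;
        *)   hostport=$rest; rest= ;;
    esac
    host=${hostport%%:*}
    port=${hostport#*:}
    if [ "$port" = "$hostport" ]; then
        # no explicit port: Apache assumes 389 for ldap:// and 636 for ldaps://
        if [ "$scheme" = ldaps ]; then port=636; else port=389; fi
    fi
    set -f                # the filter contains '*'; keep the shell from globbing it
    IFS='?'
    set -- $rest          # split "basedn?attribute?scope?filter" on '?'
    base=$1 attr=$2 scope=$3 filter=$4
    [ -n "$attr" ]   || attr=uid                # Apache's documented defaults
    [ -n "$scope" ]  || scope=sub
    [ -n "$filter" ] || filter='(objectClass=*)'
    case $want in
        scheme) printf '%s\n' "$scheme" ;;
        host)   printf '%s\n' "$host" ;;
        port)   printf '%s\n' "$port" ;;
        base)   printf '%s\n' "$base" ;;
        attr)   printf '%s\n' "$attr" ;;
        scope)  printf '%s\n' "$scope" ;;
        filter) printf '%s\n' "$filter" ;;
        *) echo "ldap_url_part: unknown part '$want'" >&2; exit 1 ;;
    esac
)

# ldap_uri: the -H argument for ldapsearch, derived from AuthLDAPURL
ldap_uri() {
    printf '%s://%s:%s\n' "$(ldap_url_part "$AUTH_LDAP_URL" scheme)" \
        "$(ldap_url_part "$AUTH_LDAP_URL" host)" "$(ldap_url_part "$AUTH_LDAP_URL" port)"
}

# ldap_filter_escape STRING: escape the RFC 4515 filter metacharacters, as
# mod_authnz_ldap does before it puts the typed user name into the search filter
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ad_search_filter USER: the filter Apache sends in step 1
ad_search_filter() {
    printf '(&%s(%s=%s))\n' "$(ldap_url_part "$AUTH_LDAP_URL" filter)" \
        "$(ldap_url_part "$AUTH_LDAP_URL" attr)" "$(ldap_filter_escape "$1")"
}

# ad_find_user USER: step 1; prints the matching DN(s), one per line. Zero lines
# is "user not found" (with "AuthBasicProvider ldap file" that falls through to
# .htpasswd); two or more means the name is ambiguous and the login fails.
ad_find_user() {
    ldapsearch -x -LLL -H "$(ldap_uri)" -D "$BIND_DN" -w "$TWIKI_AD_BIND_PW" \
        -b "$(ldap_url_part "$AUTH_LDAP_URL" base)" -s "$(ldap_url_part "$AUTH_LDAP_URL" scope)" \
        "$(ad_search_filter "$1")" dn |
    sed -n 's/^dn: //p'
}

# ad_check_password DN PASSWORD: step 2; succeeds only if AD accepts the bind.
# -w exposes the password in the process list; prefer -W (prompt) on shared hosts.
ad_check_password() {
    ldapsearch -x -LLL -H "$(ldap_uri)" -D "$1" -w "$2" -b "$1" -s base dn >/dev/null 2>&1
}

# Usage: TWIKI_AD_BIND_PW=... sh ad_auth_check.sh USER [PASSWORD]
if [ "$#" -ge 1 ]; then
    : "${TWIKI_AD_BIND_PW:?set TWIKI_AD_BIND_PW to the service-account password}"
    dn=$(ad_find_user "$1")
    case $(printf '%s\n' "$dn" | grep -c .) in
        0) echo "no AD entry matches $1"; exit 2 ;;
        1) echo "found: $dn" ;;
        *) echo "ambiguous name, Apache would reject it:"; echo "$dn"; exit 3 ;;
    esac
    if [ "$#" -ge 2 ]; then
        if ad_check_password "$dn" "$2"; then echo "password accepted"; else echo "password rejected"; exit 4; fi
    fi
fi
```

Run it once with only a user name to confirm the service account can bind and the filter finds exactly one entry, then with a password to confirm the second bind. The same script, with AUTH_LDAP_URL changed to an ldaps://...:3269 URL, is the check to run before switching the Apache configuration to LDAPS.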
Multiple Authentication
It is also possible to fall back to other authentication methods. See Multiple authentication providers.
This means you can configure Apache so that it:
1). first looks the user name up in Active Directory and checks the password there, and
2). if the user name is not found in Active Directory, falls back to the next authentication method.
Apache only moves on to the next provider when LDAP reports the user as unknown; a wrong AD password for a user who does exist in AD is rejected without consulting the next provider.
You can enable it by specifying multiple AuthBasicProvider providers. In the above configuration file modify :
AuthBasicProvider ldap
into
AuthBasicProvider ldap file
and also add the path to your htpasswd file, as below, then restart Apache :
AuthUserFile /var/www/twiki/data/.htpasswd
With these two lines you are able to log in to TWiki with both AD users and your local users. Be aware that this weakens the "disabled on the domain, disabled on the wiki" property described at the top of this page: a name that exists in .htpasswd but no longer in AD is still accepted from the file, so keep the local file limited to the few accounts that genuinely need it.
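The audit that this fallback makes necessary, as an added example that is not part of the original page or of TWiki: list the .htpasswd entries that the file provider would still accept although Active Directory would not, i.e. names that are absent from AD or whose AD account is disabled. It assumes the global-catalog host, base DN and service account are the placeholders from this page, that ldapsearch is installed, that the service-account password is supplied in an environment variable named TWIKI_AD_BIND_PW, and that .htpasswd lines have the form user:hash or TWiki's user:hash:email; the file name htpasswd_audit.sh is also assumed.

```shell
#!/bin/sh
# Added example (not from the original page or TWiki). With
# "AuthBasicProvider ldap file", a name missing from AD is authenticated from
# .htpasswd, so a leaver whose AD account was disabled or deleted keeps wiki
# access as long as a stale .htpasswd entry survives. This lists such entries.
# Assumed: placeholders from the page, ldapsearch installed, TWIKI_AD_BIND_PW set.

AD_URI='ldap://ldap.abcd.co.in:3268'
AD_BASE='DC=abcd,DC=co,DC=in'
BIND_DN='CN=twikiad,OU=SR,OU=Ind,OU=Asi,OU=UA,DC=abcd,DC=co,DC=in'
HTPASSWD=${HTPASSWD:-/var/www/twiki/data/.htpasswd}

# htpasswd_users FILE: print the user names in an htpasswd file, one per line,
# skipping blank and comment lines
htpasswd_users() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/:.*//' "$1"
}

# uac_is_disabled VALUE: true when bit 0x0002 (ACCOUNTDISABLE) is set in an AD
# userAccountControl value, e.g. 514 = 0x200 NORMAL_ACCOUNT + 0x002 disabled
uac_is_disabled() {
    [ $(( $1 & 2 )) -ne 0 ]
}

# ad_status_from_ldif: read ldapsearch LDIF output on stdin and print one of
# absent | disabled | enabled for the account it describes
ad_status_from_ldif() {
    uac=$(sed -n 's/^userAccountControl: //p' | head -n 1)
    if [ -z "$uac" ]; then
        echo absent        # no entry: Apache's ldap provider reports "user not found"
    elif uac_is_disabled "$uac"; then
        echo disabled      # entry exists, but a bind as this user would be refused
    else
        echo enabled
    fi
}

# ad_account_status USER: look the name up the way AuthLDAPURL does
# (sAMAccountName, subtree search from the forest root in the global catalog).
# USER comes from the admin-controlled .htpasswd; escape the RFC 4515 filter
# metacharacters (\ * ( ) ) before interpolating untrusted input here.
ad_account_status() {
    out=$(ldapsearch -x -LLL -H "$AD_URI" -D "$BIND_DN" -w "$TWIKI_AD_BIND_PW" \
        -b "$AD_BASE" -s sub "(sAMAccountName=$1)" userAccountControl 2>/dev/null) \
        || { echo error; return; }
    printf '%s\n' "$out" | ad_status_from_ldif
}

# audit_htpasswd FILE: print "user status" for each local entry that bypasses AD
# (or could not be checked), one per line; enabled accounts are not listed
audit_htpasswd() {
    htpasswd_users "$1" | while IFS= read -r user; do
        status=$(ad_account_status "$user")
        case $status in
            absent|disabled|error) printf '%s %s\n' "$user" "$status" ;;
        esac
    done
}

# Usage: TWIKI_AD_BIND_PW=... sh htpasswd_audit.sh [/path/to/.htpasswd]
if [ -n "$TWIKI_AD_BIND_PW" ]; then
    audit_htpasswd "${1:-$HTPASSWD}"
fi
```

Every name the script prints as absent or disabled is an account that can still log in to the wiki through the file provider; remove it from .htpasswd or confirm it is one of the deliberate local accounts. The htpasswd user names must match sAMAccountName for the check to be meaningful.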
--
Contributors: MohanLakshmanan - 2011-08-03
Comments & Questions about this Supplemental Document Topic
Hi,
I have done all these settings but it is not working. I am on CentOS. If I comment out the line for .htpasswd and the other 2 lines also, as mentioned above, and add the lines for LDAP authentication, it still authenticates users against .htpasswd, i.e. the users I have created before these changes. I have restarted apache after these changes. When I log out it comes to the TWiki login page and there it accepts user name and password for users which are already created and authenticates against the .htpasswd file which is commented out in twiki.config. This file was generated using TWiki:TWiki.ApacheConfigGenerator.
Please advise.
Thank you,
Sachin
--
Sachin Wable - 2013-02-25
Sachin, please ask support questions in the Support forum.
--
Peter Thoeny - 2013-02-25