Topic: Apache 2.4 LDAP configuration

[Mark3024]

Hi Team, I’m having a hard time setting up my ldap syntax for Apache. I want to be able to restrict site access using AD and limit it to just a secure group.

Domain: mydomain.dom.org
Organisational unit: MM/Users/MM_Secure/
User Group: Sop_Admin
Server: Win 2019

<vhost :*80>

<location /localhost>

Authtype Basic
Authname “Please seek admin approval if you can’t get in:”
Ldap://myldapsrv.mydomain.don.org/OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org

Require ldap-group CN=Sop_Admin,OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org

</location>

</vhost>

I can get it to work if I’m using file for authentication. But when I’m using ldap, it prompts the message but once logged in, it pops “there’s an error connecting to server”

Access/Error logs show error 400 and 500. Most of the time it’s 500.

My colleague and I agreed that it might be an issue with how we are calling ldap

[Mark3024]

- Anybody, please help:

Here's my logs:

error.log:
[Fri May 13 13:32:17.830279 2022] [authz_core:error] [pid 9560:tid 1256] [client ::1:62204] AH01630: client denied by server configuration: C:/temp/IMR_Site/Apache_2_4/Apache24_MarkTest/docs, referer: http://localhost/

Access.log:
::1 - - [13/May/2022:13:32:17 +0930] "GET / HTTP/1.1" 403 199
::1 - - [13/May/2022:13:32:17 +0930] "GET /favicon.ico HTTP/1.1" 403 199
::1 - - [13/May/2022:13:33:17 +0930] "-" 408 -

Here's my full ldap block in httpd.conf:

<Directory "${SRVROOT}/htdocs">

AuthType Basic
AuthName "Mark LDAP Restricted"
AuthBasicProvider ldap
AuthLDAPURL ldap://myldapsrv.mydomain.dom.org/OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org
Require ldap-group CN=Sop_Admin,OU=MM_Secure,OU=Users,OU=MM,DC=mydomain,DC=dom,DC=org

</Directory>

[tangent]

Sorry that no one has responded to your post so far.

I presume you've searched the site for LDAP to AD related posts; this one might be helpful https://www.apachelounge.com/viewtopic.php?t=8623

AD doesn't support anonymous queries, so your LDAP auth will require a bind DN and associated password. You'll also need to configure for LDAPS, unless you want those bind credentials being passed in clear on your network. However security wise, the bind account only needs rights to search the target LDAP group, which your domain admins should be able to set up.

[Mark3024]

Thank you so much for the update. I will try this asap and provide feedback.

[Mark3024]

Hi Tangent,

Is there a special way a "bindDn" needs to be created? I found the guide below but we are not using any PAN-OS environment:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POC4CAO

[tangent]

This all rather depends on the design and layout of your organisation's Active Directory tree.

The bind DN should be defined by your AD domain admins decision on the location of what should be classed as a "service account". Service accounts typically have restricted rights compared to normal user accounts, e.g. access permissions, password policy, etc. If your security people allow it, you'll most likely want a non-expiring password policy assigned to said service account.

There's any amount of wisdom out on the net over best practice for configuring service accounts, e.g. https://www.dnsstuff.com/active-directory-service-accounts

Sorry I can't be more specific.

[Mark3024]

Thanks Tangent!

[James Blond]

Hi,
there are some example in the RTFM https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

the base dn should look like