If you already have a central directory of users (Active Directory or
another LDAP server), you can configure most applications to
authenticate against that directory instead of keeping a separate local
user database for each application, which makes user management much
easier. Apache supports this, so here are instructions on how to
password protect a site or location using an LDAP directory.
In squeeze, the Apache LDAP module (mod_authnz_ldap) is already installed
with the Apache common package. You just need to enable the module and
configure it. mod_authnz_ldap relies on mod_ldap for its directory
connections and caching; if Apache refuses to start with a message that
mod_ldap is missing, enable that module too:
a2enmod ldap
1. Enable the LDAP module
a2enmod authnz_ldap
2. Add the Auth directives to the site or directory that should be
password protected (e.g. pico /etc/apache2/sites-enabled/000-default). In
this example, the "/protected" location (relative to the site root) will
be password protected. You can protect any Location or Directory with
the same method.
<Location /protected>
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "Password protected. Enter your AD username and password."
    AuthLDAPURL "ldap://{host_or_ip}/CN=Users,DC=example,DC=org?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "{username}@example.org"
    AuthLDAPBindPassword "{password}"
    Require valid-user
</Location>
Replace {host_or_ip} with the hostname or IP address of the AD/LDAP
server and change example.org to your domain. Enter the username and
password of a domain account that is allowed to read the directory.
Use a dedicated, unprivileged service account rather than a personal or
administrative one: the password sits in a configuration file in clear
text, so it should be worth as little as possible. Keep in mind that
with a plain ldap:// URL both the bind password and every user's
password travel to the directory server unencrypted, and that Basic
authentication sends the user's password to Apache in clear text, so
use ldaps:// (or LDAP over TLS) and serve the protected location over
HTTPS.
The last line, "Require valid-user", allows any user in the directory
who can authenticate to log in. To allow only certain users, change that
line to:
Require ldap-user user1 user2
The names are compared against the attribute named in the URL
(sAMAccountName here). To allow only the members of a specific group,
change "Require valid-user" to:
Require ldap-group CN={group},CN=Users,DC=example,DC=org
Replace {group} with the name of the group and use your own domain
components instead of example.org. The value must be the group's full
distinguished name; Apache looks for the user's DN in the group's
member attribute. In Apache 2.2 (squeeze) only direct members match,
nested group membership is not expanded.
3. Restart Apache
/etc/init.d/apache2 restart
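As an added example (not part of the original post), here is the same /protected block with the changes a security-conscious deployment would make: LDAP over SSL so that neither the bind password nor the users' passwords cross the network in clear text, the domain controller's certificate verified against a trusted CA, the bind credentials moved into a separate root-only file, HTTPS enforced because Basic authentication sends the user's password to Apache in clear text, and access limited to one group. The hostname dc1.example.org, the CA file path, the service account svc-apache, the group CN=WebAdmins and the file /etc/apache2/ldap-bind.conf are assumptions; adjust them to your environment.

```apache
# Server (global) context, for example in /etc/apache2/conf.d/ldap.conf.
# Trust the CA that issued the domain controller's certificate so that
# ldaps:// connections are verified instead of accepted blindly.
# (CA path is an assumption for this example.)
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-org-ca.pem
LDAPVerifyServerCert On

# Site context, for example in /etc/apache2/sites-enabled/000-default.
<Location /protected>
    # Refuse plain HTTP: Basic auth would otherwise send the AD password
    # in clear text. Requires mod_ssl (a2enmod ssl) and an SSL vhost.
    SSLRequireSSL

    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "Password protected. Enter your AD username and password."

    # ldaps:// (port 636) instead of ldap://. Hostname is an assumption.
    # Only objects with objectClass=user are considered for login.
    AuthLDAPURL "ldaps://dc1.example.org/CN=Users,DC=example,DC=org?sAMAccountName?sub?(objectClass=user)"

    # Bind credentials live in a separate file that only root can read,
    # created with:
    #   install -m 0640 -o root -g root /dev/null /etc/apache2/ldap-bind.conf
    # and containing the two lines (service account name is an assumption):
    #   AuthLDAPBindDN "svc-apache@example.org"
    #   AuthLDAPBindPassword "the-service-account-password"
    # Apache reads its configuration as root before dropping privileges,
    # so the www-data user never needs read access to the password.
    Include /etc/apache2/ldap-bind.conf

    # Only direct members of this group may log in; Apache 2.2 does not
    # expand nested groups. Group DN is an assumption.
    Require ldap-group CN=WebAdmins,CN=Users,DC=example,DC=org
</Location>
```

Run apache2ctl configtest before restarting so that a typo in the new block does not take the server down, then test from a browser over https://. If the login fails, the Apache error log names the stage that failed (bind, user search or group check), which is far more informative than the browser's authentication prompt.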
P.S.: How to find the AD domain controller on the local network:
On any computer whose DNS is configured to use AD's DNS server, do:
Start -> Run -> nslookup
set type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME
Replace DOMAIN_NAME with the actual domain name, e.g. contoso.com. The
answer lists the SRV records of the domain controllers offering LDAP,
with their hostnames and ports.