Using WUR Authentication

From LUG
Revision as of 14:54, 1 May 2017 by Dawes001 (talk | contribs) (Created page with "At WUR we have a centrally administered Microsoft Active Directory server that provides authentication details for all internally registered users. Conveniently, it is present...")

At WUR we have a centrally administered Microsoft Active Directory server that provides authentication details for all internally registered users. Conveniently, it is presented via a semi-standard LDAP interface, allowing it to be used to provide identification and other information about users to anyone that can reach and authenticate against it.

The Basics

If you intend to use the LDAP interface, the following command must work before anything else will. Start by getting hold of ldapsearch, usually provided as part of the package ldap-utils. This tool allows you to make requests to the LDAP.

Try the following command (using your own login details, e.g. user001):

ldapsearch -x -H ldaps://ldap.wurnet.nl -D <your_id>@wurnet.nl -W "(samaccountname=<your_id>)" -b "dc=wurnet,dc=nl"

Once you enter your password at the prompt, if all went well you should now be able to see your LDAP entry. You'll notice that your WUR ID is the sAMAccountName field, which is what we were searching for.

If that's working, then you're allowed to communicate with the AD. At this point you'll need to store a password somewhere so that a service can use it, so you'll probably want to request a service account for whatever it is you're trying to authenticate to. Send a mail to servicedesk detailing what you're doing, and you should get a specific login you can use.

The reason for this is elementary - by setting up many small service accounts, if something becomes compromised then only the services that are using that login are affected. The more services using one service account, the harder it is to change it without causing unexpected issues. Both from an AD administration and a service administration perspective, this has benefits.

Apache

Apache (2.2+) has a module that lets it use an LDAP backend for authentication. However, there are a couple of tweaks needed to make it work in the way the AD expects. First, check that you have the following two modules loaded:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

You may need to install these - check your package manager. Next, you need to configure AuthLDAP to know how to communicate with the LDAP server. Here, we do this in the base directory to ensure it's applied to all sites on this apache instance; of course, pick what's best for you.

<Directory />
   AuthLDAPURL "ldaps://ldap.wurnet.nl:3269/dc=wurnet,dc=nl?userPrincipalName?sub?(objectClass=*)"
   AuthzLDAPAuthoritative on
   AuthBasicProvider ldap
   AuthLDAPBindDN  "CN=your_service_account,DC=wurnet,DC=nl"
   AuthLDAPBindPassword "your_impressively_secure_password"
   AuthLDAPGroupAttribute member
</Directory>

Now, you should be able to add an ldap-filter to BasicAuth to be able to select users from the LDAP:

<Directory "/var/www/my_awesome_site">
    SSLRequireSSL
    AuthType Basic
    Require valid-user
</Directory>

You *must* do this over SSL, otherwise you risk exposing all users' passwords across the network. This will allow _all_ valid WUR users to log in.

If you want to filter down to a specific group of users, then you'll need a group in the LDAP. This can also be requested, within good reason, from Servicedesk. There's a reasonable chance that the group you need already exists, though. Either way, to filter for a group of users, use this instead:

<Directory "/var/www/my_awesome_site">
    SSLRequireSSL
    AuthType Basic
    Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=mygroup,DC=wurnet,DC=nl
</Directory>


The funky-looking memberof string comes from this document: https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Basically, it's a matching rule that makes the filter follow nested group membership, so members of groups inside your group are correctly picked up. Without it, only the direct members of your LDAP group are allowed; members of child groups are not. Further fields can be found on the apache config page: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#requser
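As an added example (not part of the LUG page), here are the two filters used above built in Python with RFC 4515 escaping, so a login taken from user input cannot change the meaning of the sAMAccountName lookup or of the nested-group check, plus the ldapsearch command line for trying the group check against a service account before rolling out the Require ldap-filter line. The host, base DN and matching-rule OID are the ones on this page; the group DN and service account are the page's placeholders.

```python
"""Build the LDAP filters behind the ldapsearch and Apache examples on this page,
escaping assertion values per RFC 4515 so user-supplied logins cannot inject
extra filter terms. Assumed values mirror the placeholders used above."""
import shlex

LDAP_URL = "ldaps://ldap.wurnet.nl"
BASE_DN = "dc=wurnet,dc=nl"
# LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf match nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515: backslash, *, (, ) and NUL
    become \\XX hex escapes, so the value can never close or extend a filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login: str) -> str:
    """Filter for one account by WUR ID (sAMAccountName), as in the ldapsearch example."""
    return "(sAMAccountName=%s)" % ldap_escape(login)


def nested_member_filter(login: str, group_dn: str) -> str:
    """Match the account only if it is a direct or nested member of group_dn;
    this is the same test the Require ldap-filter line above performs."""
    return "(&%s(memberOf:%s:=%s))" % (user_filter(login), IN_CHAIN, ldap_escape(group_dn))


def ldapsearch_argv(bind_dn: str, login: str, group_dn: str) -> list:
    """ldapsearch command line (not executed here) to check nested membership,
    binding as the service account so the result matches what Apache will see."""
    return ["ldapsearch", "-x", "-H", LDAP_URL, "-D", bind_dn, "-W", "-b", BASE_DN,
            nested_member_filter(login, group_dn), "sAMAccountName", "memberOf"]


if __name__ == "__main__":
    # Placeholder service account and group, as used on the page.
    argv = ldapsearch_argv("CN=your_service_account,DC=wurnet,DC=nl", "user001",
                           "CN=mygroup,DC=wurnet,DC=nl")
    print(shlex.join(argv))
```

Running the printed ldapsearch command with a login that is only a member of a child group should return the entry; if it does not, the group DN or the nesting is wrong, not the Apache config.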