Here is our configuration in /etc/httpd/conf.d/hobbit-apache.conf that allows us to authenticate against AD. Took a lot of searching to find the solution, which was pretty obscure, so hopefully this helps. I've removed the default comments, so you may want to put them back or have your own.
Note the "AuthzLDAPAuthoritative Off" ... that was the kicker in getting it all to play nice.
    <Directory "<xymon_install_path>/cgi-secure">
        AllowOverride None
        Options ExecCGI Includes
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthBasicProvider ldap
        AuthGroupFile <absolute_path_to_group_file>
        AuthLDAPURL "ldap://<ip_address>/dc=example,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
        AuthName "Xymon Admin - Use your Windoze password"
        AuthzLDAPAuthoritative off
        Require valid-user
        Require group <defined_inside_of_AuthGroupFile>
        AuthLDAPBindDN "CN=_<BindUser>,OU=<Org>,OU=<Another_Org>,DC=example,DC=domain,DC=com"
        AuthLDAPBindPassword "<something_unwieldy>"
    </Directory>
Unix System Administrator Computer Science Corporation General Dynamics Land Systems 38500 Mound Rd. Sterling Heights, MI. 48310 Desk: (586) 825-8294 Oracle IM: moldvanm
RE: [hobbit] Password Protected Areas?
wiskbroom to: hobbit 11/13/2009 08:13 AM
Please respond to hobbit
Thank you Henrik!
To: hobbit at hswn.dk
From: henrik at hswn.dk
Date: Fri, 13 Nov 2009 09:34:00 +0000
Subject: Re: [hobbit] Password Protected Areas?
In <BAY133-W98025609B24B9A43D30FBB4AA0 at phx.gbl> <wiskbroom> writes:
Really? You know of a way in which I can auth against AD and based on page/pages in apache?
Pages and subpages are just physical directories below ~hobbit/server/www/ so you can setup standard Apache "<Directory ...>" definitions to impose access restrictions.
As for authenticating against an AD, you must use the Apache mod_auth_ldap module. If you google "apache auth active directory" it should give you some hints.
Regards, Henrik
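The two pieces of the thread combined, as an added example that is not from either poster: the AD settings from the first message applied to a single page directory, as Henrik describes, with the LDAP connection and the Basic-auth exchange moved onto TLS because both otherwise carry the AD password in clear text. It assumes Apache 2.2 with mod_authnz_ldap and mod_ssl loaded; `<hobbit_home>`, `<page>`, `<dc_hostname>` and the CA file path are placeholders.

```apache
# Added example, Apache 2.2 syntax to match the configuration posted above.

# Server level (outside any <Directory>): trust the CA that issued the
# domain controller's certificate and verify it on every LDAPS connection.
# The CA file path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/<ad_ca>.pem
LDAPVerifyServerCert On

# One block per page directory that needs its own restriction.
# <page> is a placeholder for a directory below the Xymon www root.
<Directory "<hobbit_home>/server/www/<page>">
    AllowOverride None
    Order allow,deny
    Allow from all

    # Refuse plain-HTTP requests so the Basic credentials only travel over HTTPS.
    SSLRequireSSL

    AuthType Basic
    AuthName "Xymon - <page>"
    AuthBasicProvider ldap

    # ldaps:// instead of ldap://, and a host name rather than an IP address
    # so the name can be matched against the controller's certificate.
    AuthLDAPURL "ldaps://<dc_hostname>/dc=example,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=_<BindUser>,OU=<Org>,OU=<Another_Org>,DC=example,DC=domain,DC=com"
    AuthLDAPBindPassword "<something_unwieldy>"

    # As in the original post: let the group-file module decide authorization
    # after LDAP has verified the password.
    AuthzLDAPAuthoritative off
    AuthGroupFile <absolute_path_to_group_file>
    Require group <defined_inside_of_AuthGroupFile>
</Directory>
```

The bind password sits in this file in clear text, so the file should be readable only by root (Apache reads its configuration before dropping privileges).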