[Samba] Authenticating Apache Against Active Directory

Andrey Repin anrdaemon at yandex.ru
Tue May 12 08:17:40 MDT 2015

Greetings, Nico Kadel-Garcia!

>>     Using Nagios on Ubuntu 14.04.1 LTS. I'm attempting to authenticate
>> users against Samba 4.2.1. When I edit 'apache2.conf' with
>> <Directory />
>>         Options FollowSymLinks
>>         AllowOverride None
>>         Require all granted
>>         Allow from all
>>         AuthName "AD authentication"
>>         AuthBasicProvider ldap
>>         AuthType Basic
>>         AuthLDAPGroupAttribute member
>>         AuthLDAPGroupAttributeIsDN On
>>         AuthLDAPURL
>> ldap://dc1.domain.local/,dc=domain?sAMAccountName?sub?(objectClass=*)
>>         AuthLDAPBindDN cn=apache-connect,cn=Users,domain
>>         AuthLDAPBindPassword password
>>         require ldap-group cn=Nagios-Admins,cn=Users,domain

> Why are you bothering to use anything outside of Kerberos? Very few
> web projects actually need any group, uid, or other information and
> are much simplified by simply relying in the inherent Kerberos of a
> modern Samba server or AD based service. It also helps eliminate any
> need for LDAP credentials with which to issue LDAP queries, and lends
> itself much more easily to genuine "single-sign-on" solutions.

You don't need any LDAP credentials other than credentials supplied by
authenticating user.

        <IfModule authnz_ldap_module>
            Allow from all

            AuthName "Subversion repository"
            AuthType Basic
            AuthBasicProvider ldap

            AuthzLDAPAuthoritative on
            AuthLDAPURL ldap://,dc=example,dc=com?uid
            AuthLDAPGroupAttribute memberUid
            AuthLDAPGroupAttributeIsDN off

            # only developers may access the repository
            Require ldap-group cn=CVS,ou=Groups,dc=example,dc=com
            Require ldap-attribute gidNumber=600
            Satisfy all

            # And they should obey to SVN user permissions file
            <IfModule authz_svn_module>
                AuthzSVNAccessFile "/wwwroot/.svn/.registry"

With best regards,
Andrey Repin
Tuesday, May 12, 2015 17:13:42

Sorry for my terrible english...

More information about the samba mailing list