How To Set Up Active Directory Authentication in Apache on CentOS7

This guide will show you how to configure Active Directory authentication in Apache running on CentOS, RHEL Linux. These instruction can also be applied if you are running Oracle Linux on your system.

 

Prerequisites

To follow this tutorial along, you will need one (physical or virtual) machine installed with CentOS or RHEL 7/8 Linux. 

 

We have also created a video to avoid confusion while performing these configuration steps:

 

 

To being with the process, login to your Linux system, and set correct hostname and timezone like an example below:

sudo hostnamectl set-hostname your_server_name.domain
sudo timedatectl set-timezone America/New_York 

Install Apache

You can install Apache on your CentOS/RHEL7 with below command:

sudo yum -y install httpd mod_ssl mod_ldap

For CentOS/RHEL8 with below command:

sudo dnf -y install httpd mod_ssl mod_ldap

Configure Apache

We will create a directory under /var/www/html location to store our web contents: 

sudo mkdir -p /var/www/html/private

 

We will create an AD-ldap.conf file under /etc/httpd/conf.d location to enable Active Directory authentication like an example below:

sudo nano /etc/httpd/conf.d/AD-ldap.conf

 

add configuration directives like an example below:

<Location /private>
AuthName "Active Directory Authentication"
AuthType Basic
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthLDAPURL ldap://Your_AD_IP:3268/?userPrincipalName?sub
AuthLDAPBindDN your_AD_username@domain
AuthLDAPBindPassword your_AD_user_password
Require valid-user
</Location>

Make sure you replace highlighted text with yours.

 

By default Windows Active Directory doesn't allow anonymous lookup for LDAP database, so we have to put  AuthLDAPBinDN and AuthLDAPBindPassword directive to allow Apache to search your Active Directory for users credentials. 

 

Make sure you keep port 3268 in your configuration, because LDAP communication to a Active Directory global catalog server occurs over TCP 3268 port, and if you try to connect LDAP using port like 389 or 686, your Apache authentication will fail.

 

Save and close the editor when you are finished.

With this configuration, we secures everything under /private, providing access to all valid active directory users.

The actual AD-ldap.conf file in our environment looks like below:

 

Verify your Apache configuration file syntax with below command:

sudo apachectl configtest

This will return Syntax OK in the output if everything was setup correctly. If there is any error, fix them first then move to next step.

Execute below command to check Apache status:

sudo systemctl status httpd

 

If Apache is already running, restart it with below command:

sudo systemctl restart httpd

 

If Apache is not running, type below command to start and make it persistent on reboot:

sudo systemctl start httpd
sudo systemctl enable httpd

We will create a simple index.html page under /var/www/html/private directory to test Apache & Active Directory authentication functionality

sudo nano /var/www/html/private/index.html

 

Add below simple html code in it:

<html>
<head>
<title>Index Page</title>
</head>
<body>
<h2>This is simple Index Page, testing Apache with Active Directory authentication.</h2>
</body>
</html>

Save and close the editor when you are finished.

 

Test Apache & Active Directory Authentication

Open up your preferred web browser, and navigate to:

 

http://your_server_name-OR_IP/private 

 

or

 

https://your_server_name-OR_IP/private

 

You will get credentials popup as shown in screenshot below:

Enter your Active Directory username and password like example below:

 

Upon successful login with your AD credentials, you should see the webpage like an example below:

Check your Apache access_log with below command:

sudo tail -f /var/log/httpd/access_log

 

You will see your Active Directory username in access_log as shown in screenshot below:

 

 

At this stage you have successfully implemented Active Directory authentication in Apache.

 

Troubleshooting

If you get 500 Internal Server Error in browser, you should check the Apache error_log using sudo tail -f /var/log/httpd/error_log to identify the root cause.

 

Conclusion

By leveraging the central user management of Windows Active Directory, you don’t need to worry about usernames or passwords for your Apache web server anymore.