Following up on my previous post, it turned out not to be as big of a deal as I’d originally expected to have Apache authenticate against AD and only allow users whose accounts weren’t disabled. In a nutshell, here’s what I did:
In your .htaccess file:
AuthBasicProvider ldap
AuthType Basic
AuthName "AD LDAP Test"
AuthLDAPURL "ldap://activedirectory.example.com/OU=Users,DC=example,DC=com?sAMAccountName?sub?(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
AuthzLDAPAuthoritative On
AuthLDAPGroupAttribute member
AuthLDAPBindDN ldapuser@example.com
AuthLDAPBindPassword password
Require ldap-group CN=Sysadmins,OU=Internal Groups,OU=Groups,DC=example,DC=com
The key here is this LDAP filter: (!(userAccountControl:1.2.840.113556.1.4.803:=2)). The OID 1.2.840.113556.1.4.803 is Microsoft’s LDAP_MATCHING_RULE_BIT_AND: the inner clause matches accounts whose userAccountControl value, bitwise “AND”ed with the decimal number 2 (Microsoft’s flag for “account is disabled”), still has that bit set, and the surrounding ! negates it, so only accounts where the disabled bit is clear come back from the search. The codes are listed here: http://support.microsoft.com/kb/305144
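As an added illustration (not part of the original post or the Apache config above), this Python snippet parses that filter and evaluates it against a few constructed sample accounts, then applies the same membership check that Require ldap-group does. It also shows why the bitwise rule is needed rather than a plain equality test: an enabled account with other flags set (such as DONT_EXPIRE_PASSWORD) has a userAccountControl of 66048, not 512. The entries and group members are made up for the example.

```python
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample users (not real accounts). userAccountControl values:
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD, 66050 = the same but disabled.
ENTRIES = {
    "CN=Alice,OU=Users,DC=example,DC=com": {"sAMAccountName": "alice", "userAccountControl": 512},
    "CN=Bob,OU=Users,DC=example,DC=com": {"sAMAccountName": "bob", "userAccountControl": 514},
    "CN=Carol,OU=Users,DC=example,DC=com": {"sAMAccountName": "carol", "userAccountControl": 66048},
    "CN=Dave,OU=Users,DC=example,DC=com": {"sAMAccountName": "dave", "userAccountControl": 66050},
}
# Constructed 'member' values of CN=Sysadmins,OU=Internal Groups,OU=Groups,DC=example,DC=com
SYSADMINS_MEMBERS = {
    "CN=Alice,OU=Users,DC=example,DC=com",
    "CN=Bob,OU=Users,DC=example,DC=com",
    "CN=Dave,OU=Users,DC=example,DC=com",
}

def parse(s, i=0):
    """Parse the filter at s[i] (&, |, !, attr=value, attr:OID:=value); return (node, next)."""
    if s[i + 1] in "&|":                       # (&(...)(...)) or (|(...)(...))
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i + 1] == "!":                        # (!(...))
        kid, i = parse(s, i + 2)
        return ("!", [kid]), i + 1
    end = s.index(")", i)                      # simple item, no nested parens
    attr, val = s[i + 1:end].split("=", 1)
    return ("=", [attr, val]), end + 1

def matches(node, entry):
    kind, args = node
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in args)
    if kind == "!":
        return not matches(args[0], entry)
    attr, val = args
    if attr.endswith(":"):                     # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
        assert rule == BIT_AND_RULE, "unsupported matching rule " + rule
        return int(entry.get(attr, 0)) & int(val) == int(val)   # every requested bit set
    return str(entry.get(attr)) == val

def allowed_logins(filter_str, entries=ENTRIES, group_members=SYSADMINS_MEMBERS):
    """Emulate the AuthLDAPURL filter plus 'Require ldap-group': logins that would pass."""
    node, _ = parse(filter_str)
    return sorted(e["sAMAccountName"] for dn, e in entries.items()
                  if matches(node, e) and dn in group_members)
```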
In httpd.conf (or some other server config file – I did it in /etc/httpd/conf.d/mod_authz_ldap.conf inside the section), add this directive:
LDAPOpCacheEntries 0
This tells Apache not to cache the results of the LDAP operation. If you don’t put this in there, the server will cache the result of the user’s login for whatever the TTL is, and the user will be able to log in even after you disable the account (until the cache expires). Note that mod_ldap also keeps a separate search/bind cache, controlled by LDAPCacheEntries and LDAPCacheTTL, and the disabled-account filter above is evaluated as part of that search, so if you still see stale logins after this change, shorten or disable that cache as well. There may be other ways around this issue, but this works for me.
This works pretty well so far. Now I can create a “SVN Users” group in Active Directory, put the people I want in that group, use the above method for authentication and everyone’s SVN login will be the same as their domain login. Single sign-on one step closer. Yay!