Single sign-on with Linux clients and Active Directory LDAP, Part 2

Following up on my previous post, it turned out not to be as big a deal as I’d originally expected to have Apache authenticate against AD and only allow users whose accounts weren’t disabled. In a nutshell, here’s what I did:

In your .htaccess file:

AuthBasicProvider ldap
AuthType basic
AuthName "AD LDAP Test"
AuthLDAPURL     "ldap://,DC=example,DC=com?sAMAccountName?sub?(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
AuthzLDAPAuthoritative On
AuthLDAPGroupAttribute member
AuthLDAPBindPassword password
Require ldap-group CN=Sysadmins,OU=Internal Groups,OU=Groups,DC=example,DC=com

The key here is this LDAP filter: (!(userAccountControl:1.2.840.113556.1.4.803:=2)). The OID 1.2.840.113556.1.4.803 is Active Directory’s bitwise “AND” matching rule: userAccountControl:1.2.840.113556.1.4.803:=2 matches every entry whose userAccountControl value has the bit with decimal value 2 (0x0002, ACCOUNTDISABLE) set, and the surrounding (!( ... )) negates that, so the user search only ever returns enabled accounts. It is a bit test, not an equality test: a disabled ordinary user usually carries userAccountControl 514 (512 for NORMAL_ACCOUNT plus 2 for ACCOUNTDISABLE), and 514 still matches the inner clause. Microsoft’s documentation lists the full set of userAccountControl flag values.

In httpd.conf (or some other server config file – I did it in /etc/httpd/conf.d/mod_authz_ldap.conf inside the section), add this directive:

LDAPOpCacheEntries 0

This tells Apache not to cache the results of the LDAP operation. If you don’t put this in there, the server will cache the result of the user’s login for whatever the TTL is, and the user will be able to log in even after you disable the account (until the cache expires). There may be other ways around this issue, but this works for me. Note that mod_ldap keeps two separate caches: LDAPOpCacheEntries and LDAPOpCacheTTL govern the compare-operation cache (which is what a Require ldap-group check hits), while successful user searches and binds are kept in the search/bind cache governed by LDAPCacheEntries and LDAPCacheTTL. If a freshly disabled user still gets in, set LDAPCacheEntries 0 as well, or give both caches a short TTL.
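Putting both halves together, here is the complete configuration as an added example; it is my own, not the post’s config. It moves everything out of .htaccess into the server config so the bind password is not sitting in a file under the document root, spells out the LDAP host and base DN that the post’s URL lost, talks LDAPS with certificate verification so user passwords do not cross the wire in the clear, supplies the bind DN that AD needs alongside the bind password, disables both mod_ldap caches, and drops AuthzLDAPAuthoritative, which Apache 2.4 removed. The hostname dc1.example.com, the svc-apache bind account, the CA certificate path, the /svn location and the “SVN Users” group are assumptions; adjust them to your forest.

```apacheconf
# Added example (not the original post's config). Assumed values:
# dc1.example.com, CN=svc-apache bind account, /etc/pki/tls/certs/ad-root-ca.pem,
# the /svn location and the "SVN Users" group.

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# mod_ldap has two caches. The search/bind cache (LDAPCacheEntries,
# LDAPCacheTTL) holds successful user searches and binds, so a user whose
# account is disabled afterwards keeps working until the entry expires.
# The operation cache (LDAPOpCacheEntries, LDAPOpCacheTTL) holds compare
# results such as group membership. Disable both so AD is asked every time.
LDAPCacheEntries   0
LDAPOpCacheEntries 0
# Alternative if load matters: keep the caches but shorten their lifetime.
# LDAPCacheTTL   60
# LDAPOpCacheTTL 60

# Verify the domain controller's certificate instead of trusting any LDAPS peer.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /svn>
    AuthType Basic
    AuthName "AD LDAP"
    AuthBasicProvider ldap

    # Host, base DN and scope spelled out. The filter keeps only accounts
    # whose ACCOUNTDISABLE bit (decimal 2) is clear, using AD's bitwise-AND
    # matching rule 1.2.840.113556.1.4.803.
    AuthLDAPURL "ldaps://dc1.example.com/DC=example,DC=com?sAMAccountName?sub?(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

    # AD will not let an anonymous bind search for users, so bind as a
    # low-privilege service account. On Apache 2.4.5 or later the password
    # can be fetched from a program instead of being stored here:
    #   AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password"
    AuthLDAPBindDN       "CN=svc-apache,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "change-me"

    # AD stores group members in the "member" attribute as full DNs.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    Require ldap-group CN=SVN Users,OU=Internal Groups,OU=Groups,DC=example,DC=com
</Location>
```

Two things to check after deploying this: Basic authentication sends the domain password with every request, so the /svn location must itself be served over HTTPS, and the service account used for AuthLDAPBindDN only needs read access to user and group objects, nothing more.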

This works pretty well so far. Now I can create an “SVN Users” group in Active Directory, put the people I want in that group, use the above method for authentication, and everyone’s SVN login will be the same as their domain login. Single sign-on, one step closer. Yay!
