HOWTO: Get Apache2 and PHP5 to work with Active Directory
Background: I am trying to get my web server (Apache2 and PHP5) to authenticate users through Active Directory/LDAP (running on a Windows Server 2003 machine), so that people can log in to the internal website with the same logins and passwords they use on the company domain.
Written: 2006-01-23 through 2006-01-26
*** Note, all the stuff in red... DID NOT WORK OUT VERY WELL
Problems I ran into:
-------------------
First attempt: the mod_auth_kerb (http://modauthkerb.sourceforge.net/install.html) Apache2 module on a SuSE 9.0 server machine.
LINUX:~/src/mod_auth_kerb-5.0-rc6 # ./configure --with-krb5=/usr/lib/heimdal --with-apache=/usr/local/include/apach --with-krb4=no
[...]
configure: error: No Kerberos enviroment found
LINUX:~/src/mod_auth_kerb-5.0-rc6 #
Okay. You gotta love how they spell environment there. So we'll google.
Query: apache "configure: error: No Kerberos enviroment found"
Result: No results. (Look at that spelling; that's how it really was.)
Query: apache2 "configure: error: No Kerberos environment found"
Result: Your search - apache "configure: error: No Kerberos enviroment found" - did not match any documents.
Query: apache "configure: error: No Kerberos environment found"
Result: Your search - apache "configure: error: No Kerberos environment found" - did not match any documents.
Query: krb5_init_context "configure: error: No Kerberos enviroment found"
Result: http://blog.gmane.org/gmane.comp.apache.mod-auth-kerb.general
Which linked to: http://www.grolmsnet.de/kerbtut/
Which ultimately was not actually helpful.
After re-reading the instructions at http://modauthkerb.sourceforge.net/install.html, I think I need to go ahead and install a new Kerberos development environment. I will use the one from MIT (http://web.mit.edu/kerberos/www/dist/index.html).
--
It actually turns out that mod_auth_kerb is not what I wanted. mod_auth_kerb requires that the client browser be Kerberos-enabled, which would force the users to install a plugin and leave them only the options of IE6 or Mozilla.
Cosign (http://www.umich.edu/~umweb/software/cosign/), as it turns out, is a much better solution for what I'm trying to do, and it can use Kerberos 5 as its user authentication mechanism.
--BELOW HERE IS WHERE THE STUFF THAT ACTUALLY WORKED BEGINS--
The information I found about mod_ssl was actually very helpful to me!
mod_ssl was giving me:
...mod_ssl.so: undefined symbol: X509_free
fix: in the Apache ./configure line, change "--enable-ssl=shared" or "--enable-ssl" to "--enable-ssl=static" (as outlined here and here)
and we're off..
--
Now we need to generate the SSL certs; there is an excellent guide at:
http://www.devside.net/web/server/linux
--
Scratch all that... 15 hours of research and headaches later I came across this little fact...
PHP already has Active Directory / LDAP / OpenLDAP authentication functionality built right in!
resources: (listed in order of usefulness)
example code:
// Authenticate a user against Active Directory with an LDAP simple bind.
// Returns true on success; on failure, $login_err['ad'] holds the reason.
function ad_login($login_name, $pass, &$login_err)
{
    $login_err['ad'] = null;
    // Refuse empty passwords: Active Directory treats a bind with an empty
    // password as an unauthenticated bind and reports success, which would
    // let anyone in with a blank password field.
    if ($login_name === '' || $pass === '') {
        $login_err['ad'] = 'Authentication Failed: Login/Password Incorrect';
        return false;
    }
    // Connect to the directory server (ldap_connect only prepares the handle;
    // connection errors surface at bind time).
    if (!$ad = ldap_connect('ldap://msactivedirectoryserver')) {
        $login_err['ad'] = 'Authentication Not Performed: Connection to Auth Server failed!';
        return false;
    }
    // Active Directory requires LDAPv3, and referral chasing must be off
    // because PHP cannot follow AD's referrals with the user's credentials.
    if (!ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        $login_err['ad'] = 'Authentication Not Performed: Failed to set LDAP protocol version to 3';
        return false;
    }
    if (!ldap_set_option($ad, LDAP_OPT_REFERRALS, 0)) {
        $login_err['ad'] = 'Authentication Not Performed: Failed to set referrals option!';
        return false;
    }
    // Bind as the user in UPN form (login_name@YourDomain).
    $user = $login_name . '@YourDomain';
    if (!@ldap_bind($ad, $user, $pass)) {
        $login_err['ad'] = 'Authentication Failed: Login/Password Incorrect';
        ldap_unbind($ad);
        return false;
    }
    // Carry out directory server-specific tasks here.
    // Close the connection.
    ldap_unbind($ad);
    return true;
}
or you can download the sample file
here
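Going one step past the page's login check, here is an added example (my own code, not the page's sample file) that binds as the user and then requires membership of an AD group before granting access; it also refuses the empty-password unauthenticated bind. The server name, domain, base DN and group DN are constructed placeholders, and ldap_escape() assumes PHP 5.6 or later.

```php
<?php
// Added example: authenticate against AD by simple bind, then authorize by
// reading the bound user's own entry and checking its memberOf attribute.
function ad_login_with_group($login_name, $pass, $required_group_dn)
{
    $server  = 'ldap://dc01.example.internal';   // constructed placeholder
    $domain  = 'example.internal';               // constructed placeholder
    $base_dn = 'DC=example,DC=internal';         // constructed placeholder

    // Accept only plain sAMAccountName-style logins, so a value such as
    // "someone@other.domain" cannot change which account gets bound, and
    // refuse empty passwords (AD reports an empty-password bind as success).
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $login_name) || $pass === '') {
        return false;
    }
    if (!($ad = ldap_connect($server))) {
        return false;
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    $upn = $login_name . '@' . $domain;
    if (!@ldap_bind($ad, $upn, $pass)) {
        ldap_unbind($ad);
        return false;   // bad credentials or server unreachable
    }

    // Look up the bound user's entry; escape the value so it is treated as a
    // literal inside the search filter rather than as filter syntax.
    $filter  = '(userPrincipalName=' . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ad, $base_dn, $filter, array('memberOf'));
    $entries = $result ? ldap_get_entries($ad, $result) : false;

    // ldap_get_entries() lower-cases attribute names, hence 'memberof'.
    $allowed = false;
    if ($entries && $entries['count'] === 1 && isset($entries[0]['memberof'])) {
        $groups = $entries[0]['memberof'];
        for ($i = 0; $i < $groups['count']; $i++) {
            // Distinguished names compare case-insensitively.
            if (strcasecmp($groups[$i], $required_group_dn) === 0) {
                $allowed = true;
                break;
            }
        }
    }
    ldap_unbind($ad);
    return $allowed;
}
```

memberOf lists direct memberships only; nested groups and the user's primary group are not returned, so put the required group directly on the user or resolve nesting separately.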