====== Apache setup for Simple Sign On ======
Several AD domains have been merged into one domain: all users, projects and customers are merged from the cloud.example.com Active Directory.
===== Environment =====
The merged organizational units are located under the ''%%ou=Cloud,dc=example,dc=com%%'' DN (Distinguished Name). The Intranet users, however, are located under the ''%%ou=Users,ou=Accounts,dc=example,dc=com%%'' DN. To prevent the Apache LDAP module from searching the whole AD on every login, two LDAP URLs must be defined, each with its own base DN.
The configuration is shown in the next picture:
{{:images:two-ldapurl-config.png?direct&600|LDAP urls}}
The trick is to configure two ''%%AuthnProviderAlias%%'' directives. Each one is configured to authenticate against a defined Distinguished Name (DN); see the picture above.
===== Apache 2.4 setup =====
File, ''%%/etc/apache2/custom.d/authint_ap.conf%%'':
<code apache>
AuthType Basic
AuthName "Subversion"
AuthLDAPRemoteUserIsDN off
AuthLDAPGroupAttributeIsDN on
AuthLDAPDereferenceAliases always
# Providers are tried in this order; the names refer to the aliases in authn_aliases.conf
AuthBasicProvider ad-accounts ad-cloud
Require valid-user
</code>
File, ''%%/etc/apache2/conf.d/authn_aliases.conf%%'':
<code apache>
# One alias per base DN, so each lookup is scoped to its own OU instead of the whole AD.
# Which alias carries which OU is inferred from the alias names; the page lists only the inner settings.
<AuthnProviderAlias ldap ad-accounts>
    AuthLDAPURL "ldaps://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    # Placeholder; the real value belongs in a file that is not world-readable
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ad-cloud>
    AuthLDAPURL "ldaps://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>
</code>
===== Apache 2.2 setup =====
The only difference from the Apache 2.4 setup is that SSL is not working because of the modified LDAP module (for OTP authentication in Trivadis). Everything else is identical!
File, ''%%/etc/apache2/custom.d/authint_ap.conf%%'':
<code apache>
AuthType Basic
AuthName "Subversion"
AuthLDAPRemoteUserIsDN off
AuthLDAPGroupAttributeIsDN on
AuthLDAPDereferenceAliases always
# Providers are tried in this order; the names refer to the aliases in authn_aliases.conf
AuthBasicProvider ad-accounts ad-cloud
Require valid-user
</code>
File, ''%%/etc/apache2/conf.d/authn_aliases.conf%%'':
<code apache>
# Same two aliases as for 2.4, but plain ldap:// because SSL does not work with the modified module.
# Without TLS the bind password and the users' credentials cross the network unencrypted.
# Which alias carries which OU is inferred from the alias names; the page lists only the inner settings.
<AuthnProviderAlias ldap ad-accounts>
    AuthLDAPURL "ldap://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    # Placeholder; the real value belongs in a file that is not world-readable
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ad-cloud>
    AuthLDAPURL "ldap://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>
</code>
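As an added check (not part of this wiki page or of mod_authnz_ldap), the following Python parses the ''%%AuthLDAPURL%%'' values from both setups above and reports whether each search is scoped below the AD root, as the two-alias trick intends, and whether the bind runs over LDAPS; the ''%%domain_root%%'' argument and the finding texts are this example's own.

```python
# Added example, not from the wiki page: parse mod_authnz_ldap AuthLDAPURL
# values and flag whether the search is scoped below the AD root and encrypted.
from collections import namedtuple
from urllib.parse import urlsplit, unquote

LdapUrl = namedtuple("LdapUrl", "scheme host port base_dn attribute scope filter")

def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host[:port]/basedn?attribute?scope?filter (RFC 2255 form
    as mod_authnz_ldap reads it), applying the module's documented defaults."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    # urlsplit leaves the base DN in .path and 'attribute?scope?filter' in .query
    fields = p.query.split("?", 2) if p.query else []
    fields += [""] * (3 - len(fields))
    return LdapUrl(
        scheme=p.scheme,
        host=p.hostname or "",
        port=p.port or (636 if p.scheme == "ldaps" else 389),
        base_dn=unquote(p.path.lstrip("/")),
        attribute=fields[0] or "uid",           # module default
        scope=fields[1] or "sub",               # module default
        filter=fields[2] or "(objectClass=*)",  # module default
    )

def rdns(dn: str) -> list:
    """Naive DN split into lower-cased RDNs; assumes no escaped commas (true here)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def audit(url: str, domain_root: str) -> list:
    """Findings for one AuthLDAPURL; an empty list means it is as this page intends."""
    u = parse_auth_ldap_url(url)
    findings = []
    if u.scheme != "ldaps":
        findings.append("plain ldap://: the bind password and user credentials cross the wire unencrypted")
        if u.port == 636:
            findings.append("ldap:// on port 636: that port expects TLS, a cleartext bind there normally fails")
    base, root = rdns(u.base_dn), rdns(domain_root)
    if base[-len(root):] != root:
        findings.append(f"base DN {u.base_dn!r} is not inside {domain_root!r}")
    elif len(base) == len(root):
        findings.append("base DN is the domain root: every login searches the whole AD")
    return findings

if __name__ == "__main__":
    for u in ("ldaps://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)",
              "ldap://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"):
        print(u, audit(u, "dc=example,dc=com"))
```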