When several AD domains are merged into one domain, all users, projects and customers end up in the cloud.example.com Active Directory.
The merged organizational units are located under the DN (Distinguished Name) ou=Cloud,dc=example,dc=com,
while the intranet users are located under the DN ou=Users,ou=Accounts,dc=example,dc=com.
To prevent the Apache LDAP module from searching the whole AD, two LDAP URLs must be defined.
The configuration is shown in the next picture:
The trick is to configure two AuthnProviderAlias
directives, each one authenticating against a defined Distinguished Name (DN); see the picture above.
File /etc/apache2/custom.d/authint_ap.conf:
    AuthType Basic
    AuthName "Subversion"
    AuthLDAPRemoteUserIsDN off
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPDereferenceAliases always
    # Providers are tried in this order: intranet accounts first, then the merged cloud OU
    AuthBasicProvider ad-accounts ad-cloud
    Require valid-user
File /etc/apache2/conf.d/authn_aliases.conf:
    # Intranet users: search only below ou=Accounts
    <AuthnProviderAlias ldap ad-accounts>
        AuthLDAPURL "ldaps://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"
        AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
        AuthLDAPBindPassword "password"
    </AuthnProviderAlias>
    # Merged users, projects and customers: search only below OU=Cloud
    <AuthnProviderAlias ldap ad-cloud>
        AuthLDAPURL "ldaps://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"
        AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
        AuthLDAPBindPassword "password"
    </AuthnProviderAlias>
The only difference to the Apache 2.4 setup is that SSL is not working because of the modified LDAP module (for OTP authentication in Trivadis). Everything else is equal!
File /etc/apache2/custom.d/authint_ap.conf:
    AuthType Basic
    AuthName "Subversion"
    AuthLDAPRemoteUserIsDN off
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPDereferenceAliases always
    AuthBasicProvider ad-accounts ad-cloud
    Require valid-user
File /etc/apache2/conf.d/authn_aliases.conf:
    # Plain ldap:// here: SSL is not available with the modified LDAP module (see above)
    <AuthnProviderAlias ldap ad-accounts>
        AuthLDAPURL "ldap://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"
        AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
        AuthLDAPBindPassword "password"
    </AuthnProviderAlias>
    <AuthnProviderAlias ldap ad-cloud>
        AuthLDAPURL "ldap://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"
        AuthLDAPBindDN "cn=SVC_SVN,ou=AdmServiceAccounts,ou=Admins,dc=example,dc=com"
        AuthLDAPBindPassword "password"
    </AuthnProviderAlias>
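To make the two-alias lookup above concrete, here is an added example (not part of the original page or of Apache) that models what mod_authnz_ldap does with the two AuthLDAPURL strings: it parses each URL into base DN, attribute, scope and filter, builds the search filter sent to the server with the user-supplied name escaped, and walks the providers in AuthBasicProvider order. The directory entries (alice, bob, carol) are constructed sample data, not accounts from the page.

```python
# Added example, not from the page: a model of how mod_authnz_ldap consumes the
# two AuthnProviderAlias URLs (attr/scope/filter defaults follow the module's docs).
from urllib.parse import urlparse, unquote

PROVIDERS = [  # order and URLs as in the page's authint_ap.conf / authn_aliases.conf
    ("ad-accounts", "ldaps://vdcs002.example.com:636/ou=Accounts,dc=example,dc=com?name?sub?(objectclass=*)"),
    ("ad-cloud", "ldaps://vdcs002.example.com:636/OU=Cloud,DC=example,DC=com?name?sub?(objectclass=*)"),
]
# Constructed sample entries (DN, value of the "name" attribute); not real accounts.
DIRECTORY = [
    ("cn=alice,ou=Users,ou=Accounts,dc=example,dc=com", "alice"),
    ("cn=bob,ou=Projects,ou=Cloud,dc=example,dc=com", "bob"),
    ("cn=carol,ou=Staging,dc=example,dc=com", "carol"),  # outside both search bases
]

def ldap_escape(value):
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515)."""
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, rep)
    return value

def parse_ldap_url(url):
    """Split an AuthLDAPURL (host:port/basedn?attr?scope?filter) into its parts."""
    u = urlparse(url)
    parts = [unquote(p) for p in u.query.split("?")] if u.query else []
    return {"scheme": u.scheme, "host": u.hostname, "port": u.port,
            "base": unquote(u.path.lstrip("/")),
            "attr": parts[0] if len(parts) > 0 and parts[0] else "uid",
            "scope": "one" if len(parts) > 1 and parts[1] == "one" else "sub",
            "filter": parts[2] if len(parts) > 2 and parts[2] else "(objectclass=*)"}

def in_scope(dn, base, scope):
    """True if dn lies under base: any depth for 'sub', direct child only for 'one'."""
    dn, base = dn.lower(), base.lower()
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]

def find_user(username):
    """Try each provider in order; return (alias, dn, filter) for the first base
    holding exactly one match, or None when the user is in neither OU."""
    for alias, url in PROVIDERS:
        cfg = parse_ldap_url(url)
        filt = "(&%s(%s=%s))" % (cfg["filter"], cfg["attr"], ldap_escape(username))
        # The constructed directory is matched on the attribute directly; filt is
        # the string a real server would receive (the module then binds as that DN).
        hits = [dn for dn, name in DIRECTORY
                if in_scope(dn, cfg["base"], cfg["scope"]) and name.lower() == username.lower()]
        if len(hits) == 1:
            return alias, hits[0], filt
    return None
```

Because each base DN is restricted to one OU, a user such as carol outside both OUs is never found, which is exactly the narrowing the two URLs are meant to achieve.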