How to authenticate Apache from LDAP
From Alex Luigi Ricobon's wiki
If you have a functional LDAP server configured as described in my first tutorial, it’s a good idea to configure Apache to authenticate and authorize users using the LDAP server.
To authenticate users against an LDAP server you have to load two extra modules in Apache. On openSUSE 10.2 this is done by editing the /etc/sysconfig/apache2 file: search for APACHE_MODULES="..." and add ldap authnz_ldap at the end of the list, in that order, because mod_authnz_ldap depends on mod_ldap.
If you want to grant access to the /www/anyuser directory to all users stored on the LDAP server, edit /etc/apache2/httpd.conf and add the following lines:
<Directory /www/anyuser>
AuthBasicProvider ldap
AuthType Basic
AuthName "Password protected directory"
AuthLDAPURL ldap://ldapserver.exemplu.ro:389/dc=exemplu,dc=ro
AuthLDAPBindDN "cn=root,dc=exemplu,dc=ro"
AuthLDAPBindPassword "secret"
AuthZLDAPAuthoritative on
require valid-user
</Directory>
Let's explain a little what we have written in the conf file:
• AuthBasicProvider ldap – tells Apache to check Basic authentication credentials against LDAP (mod_authnz_ldap)
• AuthType Basic – HTTP Basic authentication; the browser sends the password in cleartext on every request, so serve the directory over HTTPS
• AuthName "Password protected directory" – the realm text shown in the browser's login dialog
• AuthLDAPURL ldap://ldapserver.exemplu.ro:389/dc=exemplu,dc=ro – LDAP server (it can be localhost if LDAP and Apache are on the same machine), port and base DN under which Apache searches for the user; a plain ldap:// URL carries the bind passwords unencrypted, so for a remote server prefer ldaps://
• AuthLDAPBindDN "cn=root,dc=exemplu,dc=ro" – the DN Apache binds as to look up the user. This is the directory's rootdn; a dedicated read-only account is the safer choice, because its password sits in httpd.conf
• AuthLDAPBindPassword "secret" – password for the bind DN, stored in cleartext, so keep httpd.conf unreadable to other local users
• AuthZLDAPAuthoritative on – if the LDAP module cannot authorize the user, the request is refused instead of being passed on to other authorization modules
• require valid-user – any user who authenticated successfully is authorized
If you want to grant access to the /www/someusers directory only to certain users stored on the LDAP server, edit /etc/apache2/httpd.conf and add the following lines. Note that the require line has to name the ldap-user requirement type; a bare "require john joe jane" is not a valid requirement and every request is refused:
<Directory /www/someusers>
AuthBasicProvider ldap
AuthType Basic
AuthName "Password protected directory"
AuthLDAPURL ldap://ldapserver.exemplu.ro:389/dc=exemplu,dc=ro
AuthLDAPBindDN "cn=root,dc=exemplu,dc=ro"
AuthLDAPBindPassword "secret"
AuthZLDAPAuthoritative on
require ldap-user john joe jane
</Directory>
If the users authorized to access a folder change frequently, it is better to authorize the members of an LDAP group: adding and removing users from the group is easier than editing httpd.conf and restarting Apache each time. For this purpose, let's create an LDAP group called apacheusers and add users to it using smbldap-tools:
smbldap-groupadd apacheusers
smbldap-groupmod -m john,joe,jane apacheusers
Now edit /etc/apache2/httpd.conf and add the following lines:
<Directory /www/ldapgroup>
AuthBasicProvider ldap
AuthType Basic
AuthName "Password protected directory"
AuthLDAPURL ldap://ldapserver.exemplu.ro:389/dc=exemplu,dc=ro
AuthLDAPBindDN "cn=root,dc=exemplu,dc=ro"
AuthLDAPBindPassword "secret"
AuthZLDAPAuthoritative on
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=apacheusers,ou=Groups,dc=exemplu,dc=ro
</Directory>
The two settings that make group authorization work are:
• AuthLDAPGroupAttribute memberUid – the attribute of the group entry that lists its members (we use the posixGroup objectClass from OpenLDAP here, whose memberUid values are plain usernames, not DNs)
• AuthLDAPGroupAttributeIsDN off – tells Apache to compare the user's uid against the memberUid values instead of the user's full DN; leaving this at its default of on with a posixGroup is the most common mistake, and every member is then rejected because "uid=john,ou=Users,dc=exemplu,dc=ro" never equals "john"
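The following Python script is an added example and not part of the original wiki page. Without contacting any directory, it models the ldap-group test for both settings of AuthLDAPGroupAttributeIsDN, using constructed posixGroup and groupOfNames entries, and lints a <Directory> block for the pitfalls discussed on this page: memberUid combined with IsDN on, a require line without a type, a cleartext ldap:// URL to a remote host, and binding as cn=root. The config fragments are constructed; the service account cn=apache,ou=Services in the hardened sample is an assumed name.

```python
"""Added example: offline checks for mod_authnz_ldap group settings.
Models the ldap-group comparison and lints a <Directory> block; all
entries and config fragments below are constructed for the example."""
import re

# Constructed sample directory entries.
USER = {"dn": "uid=john,ou=Users,dc=exemplu,dc=ro", "uid": "john"}
POSIX_GROUP = {  # posixGroup: memberUid holds plain usernames
    "dn": "cn=apacheusers,ou=Groups,dc=exemplu,dc=ro",
    "memberUid": ["john", "joe", "jane"],
}
GROUP_OF_NAMES = {  # groupOfNames: member holds full DNs
    "dn": "cn=webadmins,ou=Groups,dc=exemplu,dc=ro",
    "member": ["uid=john,ou=Users,dc=exemplu,dc=ro"],
}


def ldap_group_allows(user, group, group_attr, attr_is_dn):
    """Approximate the `Require ldap-group` check of mod_authnz_ldap.

    With AuthLDAPGroupAttributeIsDN on, the authenticated user's full DN
    is compared against the values of AuthLDAPGroupAttribute; with it
    off, the username is.  The real module asks the LDAP server to do
    the compare; a case-insensitive string compare stands in for that.
    """
    needle = user["dn"] if attr_is_dn else user["uid"]
    return any(v.lower() == needle.lower() for v in group.get(group_attr, []))


# Requirement types mod_authz_user and mod_authnz_ldap (Apache 2.2) accept.
REQUIRE_TYPES = {"valid-user", "user", "group", "ldap-user", "ldap-group",
                 "ldap-dn", "ldap-attribute", "ldap-filter"}


def parse_directives(conf):
    """Flatten one <Directory> block into {lowercased directive: value}.
    Directive names are case-insensitive in Apache; a repeated directive
    keeps its last value, which is enough for this example."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("<", "#")):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return directives


def lint_ldap_auth(conf):
    """Return the list of finding codes for one <Directory> block."""
    d = parse_directives(conf)
    findings = []
    # Defaults as documented for mod_authnz_ldap: member/uniquemember, IsDN on.
    group_attr = d.get("authldapgroupattribute", "member").lower()
    is_dn = d.get("authldapgroupattributeisdn", "on").lower() == "on"
    if group_attr == "memberuid" and is_dn:
        findings.append("GROUP_ATTR_IS_DN")      # posixGroup needs IsDN off
    if group_attr in ("member", "uniquemember") and not is_dn:
        findings.append("GROUP_ATTR_NOT_DN")     # DN-valued attributes need IsDN on
    url = d.get("authldapurl", "")
    host = re.sub(r"^ldaps?://", "", url).split("/")[0].split(":")[0]
    if (url.startswith("ldap://") and host not in ("localhost", "127.0.0.1")
            and not re.search(r"\s(TLS|STARTTLS)$", url)):
        findings.append("CLEARTEXT_LDAP")        # bind passwords cross the network in clear
    if d.get("authldapbinddn", "").lower().startswith("cn=root,"):
        findings.append("PRIVILEGED_BIND_DN")    # httpd would hold the directory admin secret
    require = d.get("require", "")
    if require and require.split()[0].lower() not in REQUIRE_TYPES:
        findings.append("REQUIRE_WITHOUT_TYPE")  # e.g. "require john joe jane"
    return findings


# The page's group block with the common mistake (IsDN left at its default).
MISTAKEN_CONF = """
<Directory /www/ldapgroup>
AuthLDAPURL ldap://ldapserver.exemplu.ro:389/dc=exemplu,dc=ro
AuthLDAPBindDN "cn=root,dc=exemplu,dc=ro"
AuthLDAPBindPassword "secret"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN on
require ldap-group cn=apacheusers,ou=Groups,dc=exemplu,dc=ro
</Directory>
"""

# Same block hardened; cn=apache,ou=Services is an assumed service account.
HARDENED_CONF = """
<Directory /www/ldapgroup>
AuthLDAPURL ldaps://ldapserver.exemplu.ro:636/dc=exemplu,dc=ro
AuthLDAPBindDN "cn=apache,ou=Services,dc=exemplu,dc=ro"
AuthLDAPBindPassword "..."
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=apacheusers,ou=Groups,dc=exemplu,dc=ro
</Directory>
"""
```

Running lint_ldap_auth(MISTAKEN_CONF) reports GROUP_ATTR_IS_DN, CLEARTEXT_LDAP and PRIVILEGED_BIND_DN, while the hardened block reports nothing; ldap_group_allows(USER, POSIX_GROUP, "memberUid", True) returns False for exactly the reason described above, and flips to True with IsDN off.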
After adding the modules and editing httpd.conf, restart the Apache server:
rcapache2 restart