Apache 2 - LDAP access


This page explains how to use LDAP to protect part (or all) of a website served by Apache.


LDAP authentication

Directives and options list

List of Apache 2.2.x mod_authnz_ldap directives with their role and recommended value:

  • AuthType
Role Tells Apache which HTTP authentication scheme to use. LDAP authentication works with Basic, which sends the password base64-encoded (not encrypted) with every request, so serve the protected area over HTTPS.
Value basic
Mandatory Yes


  • AuthName
Role Authentication window name
Value “Authentication to my service”
Mandatory Yes


  • AuthBasicProvider
Role Tells Apache which authentication provider checks the credentials. mod_authnz_ldap registers a single provider named ldap; there is no ldaps provider. Whether the connection to the directory uses TLS is decided by the ldap:// or ldaps:// scheme of AuthLDAPURL, not by the provider name.
Value ldap
Mandatory Yes


  • AuthzLDAPAuthoritative
Role Apache 2.2 only (the directive was removed in 2.4). Tells Apache whether mod_authnz_ldap has the final say on the Require directives: when on, a request it does not authorize is refused; when off, the decision is passed on to other authorization modules. The default is on; set it to off only when another authorization module must also be consulted.
Value on
Mandatory No


  • AuthLDAPBindDN
Role The distinguished name (DN) of a service account.

Apache binds as this account to search the directory for the entry whose attribute matches the login name, then verifies the user's password by binding a second time as the DN it found. The account only needs read access to the user entries. Leave it unset only if the directory allows anonymous searches.

Value UID=myUser,OU=myGroup,DC=myServer

uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu

Mandatory No


  • AuthLDAPBindPassword
Role The password of the account configured with AuthLDAPBindDN. It is stored in clear text, so keep it in a configuration file readable only by root, never in a ".htaccess" file under the document root.
Value the service account's password
Mandatory No (set it whenever AuthLDAPBindDN is set)


  • AuthLDAPURL
Role URL that tells:
  • where the directory server is (scheme, host and port: ldap:// defaults to 389, ldaps:// to 636),
  • where to look for users (the base DN of the search),
  • which user attribute is matched against the login name (default uid).
Full pattern: ldap[s]://host[:port]/baseDN?attribute?scope?filter, where scope is base, one or sub (default sub) and filter narrows the candidate entries (default objectclass=*). Use ldaps:// for any directory that is not on the same host: over plain ldap:// the bind password and every user's password cross the network in clear.
Value ldaps://myServer:636/OU=group,OU=group2,DC=myServer?attribute

ldap://myServer:389/OU=group,OU=group2,DC=myServer?attribute

ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com (no attribute given, so uid is used)

ldap://localhost:389/ou=people,dc=vehco,dc=com?uid

Mandatory Yes


Modules

Installation:

On Debian/Ubuntu the ldap and authnz_ldap modules ship with the apache2 packages themselves, so nothing extra has to be installed. The package libapache2-mod-ldap-userdir is a different module (it looks up users' home directories in LDAP) and is not needed for authentication.


Enable the following modules (ldap provides the shared connection pool and cache that authnz_ldap depends on):

a2enmod ldap authnz_ldap


Restart the server to apply the changes:

service apache2 restart


Configuration

The following directives can be used in a VirtualHost configuration or in a ".htaccess" file (the latter requires AllowOverride AuthConfig for the directory):


Edit the virtual host configuration

vim /etc/apache2/sites-available/myServer


Adjust your virtual host like this:

# LDAP protected directory
<Directory /var/www/ssl/secure>
   # Indexes gives authenticated users a directory listing; drop it unless that is wanted
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

   AuthType Basic
   AuthName "Secure area"

   ###### Choose a LDAP URL
   # The provider is always "ldap"; TLS is selected by the URL scheme, not by the provider name.
   AuthBasicProvider ldap

   # Directory on the same host: plain LDAP on the loopback interface is acceptable.
   AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"

   # Remote directory: use LDAP over SSL so that the bind password and the users'
   # passwords never cross the network in clear. Comment out the line above and use:
   # AuthLDAPUrl "ldaps://dev.daxiongmao.eu:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   ######

   # Service account used to search for the user's entry; only needed when the
   # directory refuses anonymous searches. The password is stored in clear text,
   # so keep this file readable by root only ("secret" is a placeholder).
   # AuthLDAPBindDN "uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu"
   # AuthLDAPBindPassword "secret"

   # Apache 2.2 only: mod_authnz_ldap has the final say on Require
   AuthzLDAPAuthoritative on

   # LDAP URL pattern:
   # AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=},{LDAP server DC=}?uid"

   Require valid-user
</Directory>


This block can be set in:

  • <Location> - to protect a URL path or alias of the website
  • <Directory> - to protect a filesystem directory, or the whole virtual host if set on its document root, e.g. "/var/www/myServer"
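To check such a block before deploying it, here is an added Python example (not code from this page or from Apache) that parses the AuthLDAPURL format described in the directive list, shows the search filter mod_authnz_ldap derives from a login name, and lints a <Directory> snippet for the mistakes discussed above: a non-existent provider name, several AuthLDAPURL lines, plain ldap:// to a remote host, and a missing Require. The two sample snippets are constructed, the bind password in them is a placeholder, and the host names are the page's own examples; the hex escaping follows RFC 4515, while Apache escapes the same characters in its own form.

```python
# Added example, not code from this page or from Apache: parses the AuthLDAPURL
# format, shows the search filter a login name turns into, and lints a block for
# the mistakes discussed above. Sample snippets at the bottom are constructed.
import re
from urllib.parse import urlsplit, unquote

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}   # plain ldap:// stays on loopback

def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into a dict,
    applying the mod_authnz_ldap defaults: attribute uid, scope sub,
    filter objectclass=* (surrounding parentheses of a filter are stripped)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://: %r" % url)
    if not parts.hostname:
        raise ValueError("AuthLDAPURL has no host: %r" % url)
    extras = parts.query.split("?") if parts.query else []
    extras += [""] * (3 - len(extras))                 # attribute, scope, filter
    attribute, scope, ldap_filter = (unquote(x) for x in extras[:3])
    if ldap_filter.startswith("(") and ldap_filter.endswith(")"):
        ldap_filter = ldap_filter[1:-1]
    scope = scope or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub, not %r" % scope)
    return {"tls": parts.scheme == "ldaps",
            "host": parts.hostname,
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "basedn": unquote(parts.path.lstrip("/")),
            "attribute": attribute or "uid",
            "scope": scope,
            "filter": ldap_filter or "objectclass=*"}

def escape_filter_value(value):
    """RFC 4515 hex escaping of the characters that would let a login name
    alter the filter; mod_authnz_ldap escapes the same set before searching."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def build_search_filter(url, username):
    """Filter used to find the user's DN: (&(<filter>)(<attribute>=<login>))."""
    u = parse_ldap_url(url)
    return "(&(%s)(%s=%s))" % (u["filter"], u["attribute"], escape_filter_value(username))

_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s+(.*)$")

def parse_directives(snippet):
    """(name, value) pairs; comments, blank lines and <...> tags are skipped,
    names are lower-cased (Apache directives are case-insensitive)."""
    pairs = []
    for line in snippet.splitlines():
        line = line.strip()
        if line and line[0] not in "#<":
            m = _DIRECTIVE.match(line)
            if m:
                pairs.append((m.group(1).lower(), m.group(2).strip().strip('"')))
    return pairs

def lint_ldap_auth(snippet):
    """Findings for an LDAP-protected block; an empty list means it passed."""
    values = {}
    for name, value in parse_directives(snippet):
        values.setdefault(name, []).append(value)
    findings = []
    for provider in values.get("authbasicprovider", []):
        if provider.lower() != "ldap":
            findings.append("AuthBasicProvider %r: the provider is always 'ldap'; TLS is "
                            "selected by ldaps:// in AuthLDAPURL" % provider)
    urls = values.get("authldapurl", [])
    if not urls:
        findings.append("no AuthLDAPURL: nowhere to look users up")
    elif len(urls) > 1:
        findings.append("%d AuthLDAPURL directives: only the last one takes effect" % len(urls))
    for url in urls:
        try:
            u = parse_ldap_url(url)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if not u["tls"] and u["host"] not in LOCAL_HOSTS:
            findings.append("plain ldap:// to %s: bind and user passwords cross the "
                            "network in clear; use ldaps://" % u["host"])
    if "require" not in values:
        findings.append("no Require directive: nothing is actually protected")
    return findings

# Constructed: the page's block with both provider lines left active.
BEFORE = """<Directory /var/www/ssl/secure>
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   AuthBasicProvider ldaps
   AuthLDAPUrl "ldaps://dev.daxiongmao.eu:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   Require valid-user
</Directory>"""

# Constructed: one provider, TLS to the remote directory, read-only service
# account (the password is a placeholder).
AFTER = """<Directory /var/www/ssl/secure>
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPUrl "ldaps://dev.daxiongmao.eu:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   AuthLDAPBindDN "uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu"
   AuthLDAPBindPassword "placeholder"
   Require valid-user
</Directory>"""

if __name__ == "__main__":
    print(build_search_filter("ldap://localhost:389/ou=people,dc=vehco,dc=com?uid", "admin)(uid=*"))
    for label, snippet in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_ldap_auth(snippet) or ["ok"])
```

Running the script prints the escaped filter for a login name that tries to smuggle a second condition into the search, then the two findings for the BEFORE block (invalid provider name, duplicate AuthLDAPURL) and an empty result for AFTER. The linter only reads the directives it knows about; it does not replace testing the login against the real directory.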




References

  • Help from my co-worker Julien Rialland