Apache 2 - LDAP access

Revision as of 18:59, 8 June 2014

This explains how to use LDAP to restrict access to part of a website, or to all of it.


LDAP authentication

Modules and options list

List of the Apache 2.2.x authentication directives (from mod_auth_basic and mod_authnz_ldap) with their role and recommended values:

  • AuthType
Role: selects the HTTP authentication scheme. With "basic" the browser sends the password base64-encoded (not encrypted) on every request, so only use it inside an HTTPS virtual host.
Value: basic
Mandatory: Yes


  • AuthName
Role: name of the realm shown in the browser's credential prompt
Value: "Authentication to my service"
Mandatory: Yes


  • AuthBasicProvider
Role: tells Apache which authentication provider checks the credentials. mod_authnz_ldap registers a single provider named "ldap"; "ldaps" is not a provider name and Apache will refuse the configuration. Whether the connection to the directory is encrypted is decided by the scheme of AuthLDAPURL (ldap:// or ldaps://), not here.
Value: ldap
Mandatory: Yes


  • AuthzLDAPAuthoritative
Role: tells Apache whether a user that LDAP authorization rejects may still be handed to other authorization modules. "on" (the default) makes the LDAP decision final; "off" lets the request fall through to the next module, which only makes sense when you deliberately chain several providers. The directive no longer exists in Apache 2.4.
Value: on
Mandatory: No (defaults to on)


  • AuthLDAPBindDN
Role: the distinguished name (DN) of the service account Apache binds with to search the directory for the user's entry; the user's own password is then verified by a second bind as that entry. Use a dedicated read-only account, not a directory administrator. If omitted, Apache binds anonymously, which most directories do not allow for searches.
Value: UID=myUser,OU=myGroup,DC=myServer
       uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu
Mandatory: No


  • AuthLDAPBindPassword
Role: the password of the account configured via AuthLDAPBindDN. It is stored in clear text in the Apache configuration, so restrict the permissions of that file and keep the account's rights minimal.
Value: (the service account's password)
Mandatory: No


  • AuthLDAPURL
Role: URL that tells:
  • where the directory server is,
  • where to look for users (the base DN),
  • which attribute identifies a user (defaults to uid).
The format is scheme://host[:port]/basedn[?attribute[?scope[?filter]]]. Use ldaps:// (port 636) for any directory that is not on the local host: with ldap:// the user's password crosses the network in clear text when Apache binds with it.
Value: ldaps://myServer:636/OU=group,OU=group2,DC=myServer?attribute
       ldap://myServer:389/OU=group,OU=group2,DC=myServer?attribute
       ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
       ldap://localhost:389/ou=people,dc=vehco,dc=com?uid
Mandatory: Yes


Modules

Installation: on Debian/Ubuntu the two modules needed for authentication, mod_ldap and mod_authnz_ldap, ship with the apache2 package, so nothing extra has to be installed. libapache2-mod-ldap-userdir is a different module (it maps UserDir home directories from LDAP); install it only if you need that:

apt-get install libapache2-mod-ldap-userdir


Enable the following modules:

a2enmod ldap authnz_ldap


Restart the server to apply the changes:

service apache2 restart


Configuration

You can use the following settings inside a “.htaccess” file or a “VirtualHost” configuration. A “.htaccess” file only works if the directory has AllowOverride AuthConfig (or All); the examples below set AllowOverride None, so they belong in the VirtualHost itself.


Edit the VirtualHost configuration:

vim /etc/apache2/sites-available/myServer


Adjust your virtual host like this:

# LDAP protected directory
<Directory /var/www/ssl/secure>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

   # Basic auth sends the password with every request: only use it in an HTTPS virtual host
   AuthType basic
   AuthName "Secure area"
   ###########################
   # Choose the LDAP URL
   ###########################
   # The provider is always "ldap"; the URL scheme decides whether TLS is used
   AuthBasicProvider ldap
   # If the directory runs on "localhost", plain LDAP is acceptable
   AuthLDAPUrl "ldap://localhost:389/{LDAP ou=,dc=}?uid"
   # If the directory is remote, use LDAP over SSL (port 636)
   #AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=,dc=}?uid"

   Require valid-user

   # example (use a dedicated read-only service account rather than cn=admin,
   # and set AuthLDAPBindPassword for it)
   # AuthLDAPBindDN "cn=admin,dc=dev,dc=daxiongmao,dc=eu"
   # AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   # AuthLDAPUrl "ldaps://myServer:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"

</Directory>
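The directive list above and this <Directory> example invite two mistakes that Apache only reveals at start-up or at request time: the non-existent "ldaps" provider name, and a plain ldap:// URL to a remote directory that sends each user's password across the network. The following Python script is an added example, not code from the original page: it parses an AuthLDAPURL into its documented parts (host, port, base DN, attribute, scope, filter, with the module's defaults filled in) and lints a configuration fragment for those two issues, for a disabled AuthzLDAPAuthoritative, for a missing Require, and for a clear-text bind password. The host ldap.example.internal, the bind DN and the password in the sample fragment are constructed values.

```python
"""Offline checks for the mod_authnz_ldap directives discussed above.

Added example: this is not code from the original page.  It parses an
AuthLDAPURL into its documented parts and lints an Apache config fragment
for the mistakes the directive list and the <Directory> example warn about.
The sample configs at the bottom are constructed for illustration.
"""
import ipaddress
import re

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
_URL = re.compile(r"^(ldaps?)://([^/]*)/([^?]*)(?:\?(.*))?$")


def parse_auth_ldap_url(url):
    """Split 'scheme://host[:port]/basedn[?attribute[?scope[?filter]]]'
    (the AuthLDAPURL format) into its parts, filling in the module's
    documented defaults: port by scheme, attribute uid, scope sub,
    filter (objectClass=*)."""
    m = _URL.match(url.strip())
    if not m:
        raise ValueError("not an AuthLDAPURL: %r" % url)
    scheme, hostport, basedn, query = m.groups()
    host, _, port = hostport.partition(":")
    fields = (query or "").split("?")
    fields += [""] * (3 - len(fields))          # pad attribute, scope, filter
    attribute, scope, search_filter = fields[:3]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else DEFAULT_PORT[scheme],
        "basedn": basedn,
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": search_filter or "(objectClass=*)",
    }


def _is_local(host):
    """True for localhost / loopback addresses, where ldap:// never leaves the box."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _directives(config_text):
    """Collect 'Name value' lines into a dict keyed by lower-cased name (Apache
    directive names are case-insensitive).  Comments, blank lines and container
    tags are skipped; this is deliberately not a full Apache config parser."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = (parts[1] if len(parts) > 1 else "").strip('"')
    return found


def lint_ldap_auth(config_text):
    """Return human-readable findings for an LDAP-protected <Directory> fragment."""
    d = _directives(config_text)
    findings = []
    if "ldaps" in d.get("authbasicprovider", "").split():
        findings.append("AuthBasicProvider ldaps: no such provider, mod_authnz_ldap "
                        "registers only 'ldap'; TLS is selected by an ldaps:// URL")
    url = d.get("authldapurl")
    if url is None:
        findings.append("AuthLDAPURL is missing")
    else:
        try:
            u = parse_auth_ldap_url(url)
        except ValueError as exc:
            findings.append(str(exc))
        else:
            if u["scheme"] == "ldap" and not _is_local(u["host"]):
                findings.append("AuthLDAPURL binds to %s over plain ldap://: the user's "
                                "password crosses the network unencrypted" % u["host"])
    if d.get("authzldapauthoritative", "").lower() == "off":
        findings.append("AuthzLDAPAuthoritative off: a user rejected by LDAP can fall "
                        "through to another authorization module")
    if "authldapbindpassword" in d:
        findings.append("AuthLDAPBindPassword is stored in clear text: keep the config "
                        "file unreadable to other users and the bind account read-only")
    if "require" not in d:
        findings.append("no Require directive: nothing is actually protected")
    return findings


# Constructed sample: the page's <Directory> with the "remote" variant switched
# on, carrying the wrong provider name and a clear-text URL (hypothetical host).
BROKEN_CONFIG = """
<Directory /var/www/ssl/secure>
   AuthType basic
   AuthName "Secure area"
   AuthBasicProvider ldaps
   AuthLDAPUrl "ldap://ldap.example.internal:389/ou=people,dc=example,dc=internal?uid"
   AuthLDAPBindDN "uid=apache,ou=applications,dc=example,dc=internal"
   AuthLDAPBindPassword s3cret
   Require valid-user
</Directory>
"""

# The same directory, corrected: real provider name, LDAP over SSL on 636.
FIXED_CONFIG = (BROKEN_CONFIG
                .replace("AuthBasicProvider ldaps", "AuthBasicProvider ldap")
                .replace("ldap://ldap.example.internal:389",
                         "ldaps://ldap.example.internal:636"))

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label)
        for finding in lint_ldap_auth(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to see the findings for the broken and the corrected fragment. A fragment that lints clean still has to be tested end-to-end, for example with ldapsearch using the same bind DN and URL and then a browser or curl request against the protected path, because this script never talks to the directory.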


Secure the whole website

Adjust the document root of the HTTPS virtual host like this, so that nothing outside it is served and everything inside it requires an LDAP login:

<VirtualHost _default_:443>

	# Restrict access to document root
	DocumentRoot /var/www/daxiongmao-ssl
	<Directory />
		Options FollowSymLinks
		AllowOverride None
		Order allow,deny
		deny from all
	</Directory>
	<Directory /var/www/daxiongmao-ssl>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
		
		AuthType basic
		AuthName "Secure area"	
		AuthBasicProvider ldap
		AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
		Require valid-user
	</Directory>
[…]



References

  • My co-worker Julien Rialland, for his help and his website