Difference between revisions of "Apache 2 - LDAP access"
(Created page with "This explain how to use LDAP to secure some part(s) of a website. =LDAP authentication= ==Modules and options lips== List of apache 2.2.x modules with roles and recommend...") |
|||
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | [[Category:Linux]] | ||
| + | |||
This explain how to use LDAP to secure some part(s) of a website. | This explain how to use LDAP to secure some part(s) of a website. | ||
| Line 114: | Line 116: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
apt-get install libapache2-mod-ldap-userdir | apt-get install libapache2-mod-ldap-userdir | ||
| − | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 130: | Line 131: | ||
service apache2 restart | service apache2 restart | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | |||
| Line 136: | Line 138: | ||
You can use the following settings inside a “.htaccess” or “VirtualHost” configuration: | You can use the following settings inside a “.htaccess” or “VirtualHost” configuration: | ||
| − | Edit configuration | + | |
| + | Edit V.Host configuration | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Line 155: | Line 158: | ||
AuthType basic | AuthType basic | ||
AuthName "Secure area" | AuthName "Secure area" | ||
| − | ##### | + | Require valid-user |
| − | + | ||
| − | + | ###### Choose a LDAP provider | |
# If "localhost" then use LDAP. | # If "localhost" then use LDAP. | ||
AuthBasicProvider ldap | AuthBasicProvider ldap | ||
| − | AuthLDAPUrl "ldap://localhost:389/ | + | AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid" |
| + | |||
# If remote URL then use LDAP over SSL | # If remote URL then use LDAP over SSL | ||
| − | + | AuthBasicProvider ldaps | |
| − | + | AuthLDAPUrl "ldaps://dev.daxiongmao.eu:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid" | |
| − | + | ###### | |
| − | |||
| − | # | + | # LDAP URL pattern: |
| − | + | # AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=},{LDAP server DC=}?uid" | |
| − | |||
| − | # AuthLDAPUrl "ldaps://myServer:636/ou= | ||
</Directory> | </Directory> | ||
| Line 176: | Line 177: | ||
| − | + | This example can be set in: | |
| + | * <Location> - to protect a specific part or alias of the website | ||
| + | * <Directory> - to protect a specific directory or the whole virtual host if set in root directory "/var/www/myServer" | ||
| − | |||
| − | |||
| − | |||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | =References= | |
| − | + | ||
| − | + | * My co-worker help: Julien Rialland | |
| − | + | ||
| − | + | * Official wiki: https://help.ubuntu.com/community/OpenLDAPServer | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Latest revision as of 18:05, 10 June 2014
This explain how to use LDAP to secure some part(s) of a website.
Contents
LDAP authentication
Modules and options lips
List of apache 2.2.x modules with roles and recommended values:
- AuthType
| Role | This tells Apache which authentication module you want to use |
| Value | basic |
| Mandatory | Yes |
- AuthName
| Role | Authentication window name |
| Value | “Authentication to my service” |
| Mandatory | Yes |
- AuthBasicProvider
| Role | This tells Apache which authentication module you want to use |
| Value | ldaps |
| Mandatory | Yes |
- AuthzLDAPAuthoritative
| Role | Tells Apache whether or not a failed authentication request can be passed to other Apache modules |
| Value | off |
| Mandatory | Yes |
- AuthLDAPBindDN
| Role | The distinguished name (DN) of service account.
This user will be used to scan the LDAP and perform real user authentication |
| Value | UID=myUser,OU=myGroup,DC=myServer
uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu |
| Mandatory | No |
- AuthLDAPBindPassword
| Role | The password for the user account configured via the AuthLDAPBindDN directive |
| Value | |
| Mandatory | No |
- AuthLDAPURL
| Role | URL that tells:
|
| Value | ldaps://myServer:636/OU=group&,OU=group2,DC=myServer?attribute
ldap://myServer:389/OU=group&,OU=group2,DC=myServer?attribute ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com ldap://localhost:389/ou=people,dc=vehco,dc=com?uid |
| Mandatory | Yes |
Modules
Installation:
apt-get install libapache2-mod-ldap-userdir
You have to enable to the following modules:
a2enmod ldap authnz_ldap
Restart server to apply changes:
service apache2 restart
Configuration
You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:
Edit V.Host configuration
vim /etc/apache2/sites-available/myServer
Adjust your virtual-host like that:
# LDAP protected directory
<Directory /var/www/ssl/secure>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType basic
AuthName "Secure area"
Require valid-user
###### Choose a LDAP provider
# If "localhost" then use LDAP.
AuthBasicProvider ldap
AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
# If remote URL then use LDAP over SSL
AuthBasicProvider ldaps
AuthLDAPUrl "ldaps://dev.daxiongmao.eu:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
######
# LDAP URL pattern:
# AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=},{LDAP server DC=}?uid"
</Directory>
This example can be set in:
- <Location> - to protect a specific part or alias of the website
- <Directory> - to protect a specific directory or the whole virtual host if set in root directory "/var/www/myServer"
References
- My co-worker help: Julien Rialland
- Official wiki: https://help.ubuntu.com/community/OpenLDAPServer
