This is very useful if you have to use authentication on some web pages but want to use an LDAP server you already have running instead of migrating or creating separate users in an htpasswd file. My example does this on a remote client machine that connects to a remote LDAP server.

a2enmod ldap
a2enmod authnz_ldap

Add the following to enable authentication on the /var/www/secure directory. If you want authentication on the whole of /var/www, add the same auth lines to the Directory section that defines /var/www.

<Directory /var/www/secure>
    AuthType Basic
    AuthName "Super Duper Secure Area"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.server.net:389/dc=server,dc=net
    AuthLDAPBindDN "cn=binduser"
    AuthLDAPBindPassword secret
    require valid-user
</Directory>

The BindDN and BindPassword are only needed if Apache has to bind as a separate account in order to look up (and then authenticate) your users. This is usually a good idea.

Also, the default attribute used to authenticate is the uid. If you would like to change this, check out the Apache documentation located here.

Handling Groups

You can also require ldap-group, which lets you lock down access to specific LDAP-defined groups. For my configuration, I can’t just use the normal ldap-group line without telling Apache that my group members are listed in the group with the memberUid attribute (normal if your groups are POSIX based). More on this weirdness here.

I would have to add the following lines:

AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
require ldap-group cn=groupname,ou=Groups,dc=example,dc=net
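To tie the pieces above together, here is one complete Directory block, added as an example here and not taken from the original post. It shows the full AuthLDAPURL form (which is where the lookup attribute mentioned earlier is changed), the service-account bind, and the POSIX-group settings from this section. It assumes httpd 2.4 (for RequireAny); the host name, DNs, group names and password are placeholders to replace with your own.

```apache
# Added example: a complete block combining the basic setup and group checks.
# ldap.server.net, the DNs, the group names and the password are placeholders.
<Directory /var/www/secure>
    AuthType Basic
    AuthName "Super Duper Secure Area"
    AuthBasicProvider ldap

    # Full AuthLDAPURL form: ldap://host:port/base-dn?attribute?scope?filter
    #   attribute - the attribute the supplied username is matched against
    #               (uid is the default; change it here, e.g. to mail)
    #   scope     - sub (whole subtree) or one (one level below the base)
    #   filter    - extra LDAP filter ANDed with the username match
    AuthLDAPURL "ldap://ldap.server.net:389/ou=People,dc=server,dc=net?uid?sub?(objectClass=posixAccount)"

    # Service account used to find the user's DN before binding as that user.
    AuthLDAPBindDN "cn=binduser,dc=server,dc=net"
    AuthLDAPBindPassword "secret"

    # POSIX groups list members by uid in memberUid rather than by full DN,
    # so tell mod_authnz_ldap to compare the username against that attribute.
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid

    # Only members of one of these groups get in; one Require line per group.
    <RequireAny>
        Require ldap-group cn=webadmins,ou=Groups,dc=server,dc=net
        Require ldap-group cn=developers,ou=Groups,dc=server,dc=net
    </RequireAny>
</Directory>
```

The example keeps plain ldap:// on port 389 to match the post. With a remote directory that means the bind password and every user's password cross the network unencrypted on each request, so in practice use ldaps:// or the STARTTLS mode, as the Active Directory section below does.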

Auth against Active Directory

At work we use AD, so we have to use LDAP for most of our web services. Sadly, we use a crapton of Basic Auth all over the place. What’s unique here is that our attributes are not exactly normal:

AuthType Basic
AuthName "Super Duper Secure Area"
AuthBasicProvider ldap
#AuthzLDAPAuthoritative on
AuthLDAPURL ldaps://ldap.company.net:636/dc=company,dc=net?sAMAccountName TLS
AuthLDAPBindDN "COMPANYDOMAIN\binduser"
AuthLDAPBindPassword bindpassword
require valid-user

Since we are using a self-signed certificate, we also had to drop a file in conf-enabled/conf.d:

<IfModule ldap_module>
    LDAPTrustedMode TLS
    LDAPVerifyServerCert Off
</IfModule>
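The snippet above gets past the self-signed certificate by turning certificate verification off. As an added example (not from the original post), here is that setting next to the form that keeps verification on by trusting the specific certificate instead. The CA file path is a placeholder; the file is assumed to hold, in PEM form, the self-signed server certificate itself or the internal CA that issued it.

```apache
# Added example: the certificate-trust part of the AD setup, shown two ways.

# What the post does: accept whatever certificate the LDAP server presents.
# The session is still encrypted, but Apache no longer checks who it is
# talking to, so the bind password and every user's password are exposed
# to anyone who can intercept traffic between the web server and the
# domain controller.
<IfModule ldap_module>
    LDAPTrustedMode TLS
    LDAPVerifyServerCert Off
</IfModule>

# Preferred: keep verification on (the default) and tell mod_ldap which
# certificate to trust. /etc/apache2/ssl/company-ldap-ca.pem is a placeholder
# for the exported self-signed certificate or its issuing CA in PEM form.
<IfModule ldap_module>
    LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/company-ldap-ca.pem
    LDAPTrustedMode SSL
    LDAPVerifyServerCert On
</IfModule>
```

One caveat on the mode keyword: because the AuthLDAPURL above uses the ldaps:// scheme, mod_ldap connects with LDAP over SSL on port 636 and ignores LDAPTrustedMode, so the TLS (STARTTLS) setting in the post has no effect; the hardened block says SSL to match what actually happens.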

Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.