This is very useful if you have to put authentication on some web pages but want to use an LDAP server you already have running instead of migrating users or maintaining a separate set of accounts in an htpasswd file. My example does this on a client machine that connects to a remote LDAP server. First enable the two modules (the a2enmod commands are the Debian/Ubuntu way; on other distributions load mod_ldap and mod_authnz_ldap with LoadModule, then reload Apache):
a2enmod ldap
a2enmod authnz_ldap
Add the following to enable auth on the /var/www/secure directory. If you want auth on the whole of /var/www, put the same auth lines in the Directory section that defines /var/www instead.
<Directory /var/www/secure>
AuthType Basic
AuthName "Super Duper Secure Area"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.server.net:389/dc=server,dc=net
AuthLDAPBindDN "cn=binduser"
AuthLDAPBindPassword secret
require valid-user
</Directory>
AuthLDAPBindDN and AuthLDAPBindPassword are the credentials Apache uses for the initial search that turns the username typed into the browser into a DN; they are only needed if your directory does not allow that search anonymously. Once it has the DN, Apache binds a second time as that DN with the user's own password, so the bind account needs nothing more than read access and is never handed the user's password. Requiring a bind account is usually a good idea, but the password then sits in the config file in clear text: keep that file outside the document root and readable only by root, and on Apache 2.4.5 or later consider AuthLDAPBindPassword exec:/path/to/script so the secret is fetched at startup instead of stored in the config.
Also, the default attribute matched against the username is uid. To change it, put the attribute name after the base DN in AuthLDAPURL (the form ...?sAMAccountName is shown in the Active Directory example further down); the full URL syntax is in the mod_authnz_ldap documentation for AuthLDAPURL.
Handling Groups
You can also use require ldap-group, which locks access down to members of specific LDAP-defined groups. It should replace require valid-user rather than sit next to it: Apache treats several Require lines in one section as alternatives (RequireAny in 2.4), so leaving valid-user in place would let every account in the directory through.
For my configuration I can't just use the ldap-group line on its own. Apache's default group attributes are member and uniqueMember, whose values are full member DNs, while posix-style groups list their members as bare usernames in memberUid. So Apache has to be told which attribute to read and that its values are not DNs; more on this in the mod_authnz_ldap documentation for AuthLDAPGroupAttribute.
So the Directory block needs these lines, with the ldap-group line taking the place of valid-user:
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
require ldap-group cn=groupname,ou=Groups,dc=example,dc=net
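Putting the pieces together, here is a complete Directory block as I would actually deploy it. This is an added example, not the configuration from the original write-up: it uses ldaps:// on 636, pulls the bind password from a root-owned script via exec: (Apache 2.4.5 or later), and has Require ldap-group in place of valid-user. The hostname ldap.example.net, the DNs, and the helper path /etc/apache2/ldap-bindpw.sh are placeholders.

```apache
# Added example: one Directory block that authenticates against an OpenLDAP
# server over LDAPS and only admits members of a posixGroup.
# Hostnames, DNs and paths are placeholders, not values from the original page.
<Directory /var/www/secure>
    AuthType Basic
    AuthName "Super Duper Secure Area"
    AuthBasicProvider ldap

    # ldaps:// is LDAP over SSL on 636, so the mode keyword is SSL
    # (TLS/STARTTLS would mean StartTLS on the plain 389 port).
    # ?uid names the attribute matched against the Basic-auth username,
    # ?sub searches the whole subtree, and the filter limits hits to accounts.
    AuthLDAPURL "ldaps://ldap.example.net:389/ou=People,dc=example,dc=net?uid?sub?(objectClass=posixAccount)" SSL

    # Read-only search account. The password comes from a root-owned,
    # mode-0700 script that prints it on its first line of stdout
    # (Apache 2.4.5+), so it never sits in this file in clear text.
    AuthLDAPBindDN "cn=apache-search,ou=Services,dc=example,dc=net"
    AuthLDAPBindPassword "exec:/etc/apache2/ldap-bindpw.sh"

    # posixGroup: members are bare uids in memberUid, not DNs.
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid

    # Replaces "Require valid-user". With both present, Apache 2.4 treats
    # them as RequireAny and every authenticated user would get in.
    Require ldap-group cn=webadmins,ou=Groups,dc=example,dc=net
</Directory>
```

Note that the port in the URL is 636 in a real deployment; I left the scheme and the SSL keyword doing the work, but set the port explicitly to whatever your server listens on. After editing, run apachectl configtest, reload, and confirm that a user who authenticates correctly but is not in cn=webadmins gets a 401 rather than the page.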
Auth against Active Directory
At work we use AD, so LDAP is what most of our web services authenticate against. Sadly, we use a crapton of Basic Auth all over the place. What's different here is that AD's attributes are not the OpenLDAP defaults: the login name lives in sAMAccountName rather than uid, so it has to be named in the URL, and the bind account can be written as DOMAIN\user instead of a full DN:
AuthType Basic
AuthName "Super Duper Secure Area"
AuthBasicProvider ldap
#AuthzLDAPAuthoritative on
# ldaps:// on 636 is LDAP over SSL, so the mode keyword is SSL; TLS would request StartTLS, which belongs with ldap:// on 389
AuthLDAPURL ldaps://ldap.company.net:636/dc=company,dc=net?sAMAccountName SSL
AuthLDAPBindDN "COMPANYDOMAIN\binduser"
AuthLDAPBindPassword bindpassword
require valid-user
Because the domain controllers use a self-signed certificate, we also had to drop a file into Apache's global config directory (conf-enabled/ on Debian-style layouts, conf.d/ on Red Hat-style ones) containing:
<IfModule ldap_module>
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
</IfModule>
Two things to know about this snippet. LDAPTrustedMode is ignored when AuthLDAPURL uses an ldaps:// scheme (the mode becomes SSL), so that line does nothing here. LDAPVerifyServerCert Off is the line that actually makes the self-signed certificate work, and it does so by switching certificate verification off entirely: Apache will then send the bind password, and every user's Basic-auth password, to whatever host answers on 636. That is fine for a lab and nowhere else. The proper fix is to hand mod_ldap the certificate (or the CA that issued it) with LDAPTrustedGlobalCert and leave verification on.
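Here is the global mod_ldap snippet I would use instead of the LDAPVerifyServerCert Off one above. It is an added example, not from the original write-up: it trusts the domain's CA (for a truly self-signed DC certificate, export that certificate itself as PEM and point at it) and keeps verification on. The path /etc/ssl/certs/company-ldap-ca.pem is a placeholder.

```apache
# Added example: trust the certificate that signed the domain controllers'
# LDAPS cert instead of disabling verification. Path is a placeholder.
<IfModule ldap_module>
    # PEM (base64) copy of the issuing CA, or of the self-signed DC cert itself.
    LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/company-ldap-ca.pem

    # This is the default; spelled out so nobody "fixes" a handshake error by
    # flipping it to Off. A server whose cert does not chain to the file above
    # is rejected, and no bind or user password is sent to it.
    LDAPVerifyServerCert On

    # LDAPTrustedMode is deliberately absent: with an ldaps:// AuthLDAPURL the
    # mode is always SSL and this directive would be ignored anyway.
</IfModule>
```

Use this with the AuthLDAPURL from the AD block above, ending in SSL rather than TLS. To check that verification is really happening, point LDAPTrustedGlobalCert at a wrong CA once, reload, and confirm the login fails with an LDAP connection error in the error log before putting the right file back.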