This is very useful if you have to use authentication on some web pages but want to use an ldap server you already have running instead of having to migrate or make different users in an htpasswd file. My example is doing this on a remote client machine that will be connecting to a remote ldap server.
a2enmod ldap a2enmod authnz_ldap
Add the following to enable auth on the /var/www/secure directory. If you want auth on the whole /var/www, add the necessary auth lines below to the Directory section defining the /var/www directory
<Directory /var/www/secure> AuthType Basic AuthName "Super Duper Secure Area" AuthBasicProvider ldap AuthLDAPURL ldap://ldap.server.net:389/dc=server,dc=net AuthLDAPBindDN "cn=binduser" AuthLDAPBindPassword secret require valid-user </Directory>
The BindDN and BindPassword are only for if you need to use another user account to actually authenticate your users. This is usually a good idea.
Also, the default attribute used to authenticate is the uid. If you would like to change this, check out the apache documentation located here.
You can also
require ldap-group which lets you lock down access to specific ldap defined groups.
For my configuration, I can’t just do the normal ldap-group line without telling apache that my group members are listed in the group using the memberUid designation (normal if your groups are posix based). More on this weirdness here.
I would have to add the following lines:
AuthLDAPGroupAttributeIsDN off AuthLDAPGroupAttribute memberUid require ldap-group cn=groupname,ou=Groups,dc=example,dc=net
Auth against Active Directory
At work we use AD and so we have to utilize LDAP for most of our web services. Sadly, we use a crapton of Basic Auth all over the place. What's unique here is that our attributes are not exactly normal:
AuthType Basic AuthName "Super Duper Secure Area" AuthBasicProvider ldap #AuthzLDAPAuthoritative on AuthLDAPURL ldaps://ldap.company.net:636/dc=company,dc=net?sAMAccountName TLS AuthLDAPBindDN "COMPANYDOMAIN\binduser" AuthLDAPBindPassword bindpassword require valid-user
To do this, since we are using a self-signed certificate, we had to throw a file in conf-enabled/conf.d:
<IfModule ldap_module> LDAPTrustedMode TLS LDAPVerifyServerCert Off </IfModule>