This is very useful if you have to put authentication on some web pages but want to use an LDAP server you already have running instead of migrating users or maintaining a separate htpasswd file. My example is an Apache web server on one machine authenticating against an LDAP server on another host.

a2enmod ldap  
a2enmod authnz_ldap  

Add the following to enable auth on the /var/www/secure directory. If you want auth on the whole of /var/www, add the same auth lines to the Directory section that defines /var/www instead.

<Directory /var/www/secure>  
    AuthType Basic
    AuthName "Super Duper Secure Area"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.server.net:389/dc=server,dc=net
    AuthLDAPBindDN "cn=binduser"
    AuthLDAPBindPassword secret
    require valid-user
</Directory>  

The BindDN and BindPassword are only needed if your directory does not allow anonymous searches: Apache binds as that account to look up the DN whose uid matches the typed username, then checks the user's password by binding a second time as the user's own DN. Using a dedicated, read-only bind account for this is usually a good idea. Two caveats: with a plain ldap:// URL on port 389 the bind password and every user's password cross the network in clear text (use ldaps://, or STARTTLS as in the TLS section below), and the config file holding AuthLDAPBindPassword is world-readable on most distributions by default, so tighten its permissions (Apache reads its config as root before dropping privileges).

Also, the default attribute used to match the username is uid. To change it, append the attribute to the AuthLDAPURL after a ? (the AD example below does this with sAMAccountName), or check out the Apache mod_authnz_ldap documentation located here.

Handling Groups

You can also Require ldap-group, which lets you lock down access to specific LDAP-defined groups.
For my configuration, I can't just use the normal ldap-group line without telling Apache that my group members are listed by username in the memberUid attribute rather than by DN (normal if your groups are posixGroup based). More on this weirdness here.

In that case I would have to add the following lines (with AuthLDAPGroupAttributeIsDN off, the username as typed is compared against the group's memberUid values):

AuthLDAPGroupAttributeIsDN off  
AuthLDAPGroupAttribute memberUid  
require ldap-group cn=groupname,ou=Groups,dc=example,dc=net  
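Putting the attribute override and the posix group handling together, here is one complete Directory block as an added example (not configuration from the original post). The hostname, base DN, bind account and group name are placeholders; the URL is written out with all four components so it is clear which part the username is matched against:

```apache
# Added example, not from the original post: Basic auth against an
# OpenLDAP/posix directory with a group restriction. Hostname, base DN,
# bind account and group are placeholders.
<Directory /var/www/secure>
    AuthType Basic
    AuthName "Super Duper Secure Area"
    AuthBasicProvider ldap

    # URL form: scheme://host:port/basedn?attribute?scope?filter
    #   attribute: what the typed username is matched against (default uid)
    #   scope:     "sub" searches the whole subtree, "one" only direct children
    #   filter:    extra LDAP filter ANDed with the attribute match
    AuthLDAPURL ldap://ldap.server.net:389/ou=People,dc=server,dc=net?uid?sub?(objectClass=posixAccount)

    # Read-only service account used only to find the user's DN; the user's
    # own password is then verified by binding as that DN.
    AuthLDAPBindDN "cn=binduser,dc=server,dc=net"
    AuthLDAPBindPassword secret

    # posixGroup membership is stored as memberUid values (plain usernames,
    # not DNs), so compare the typed username against that attribute.
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=webadmins,ou=Groups,dc=server,dc=net
</Directory>
```

Before restarting Apache, confirm the bind account can actually find users with the same search the module will run, for example `ldapsearch -H ldap://ldap.server.net:389 -D "cn=binduser,dc=server,dc=net" -w secret -b ou=People,dc=server,dc=net '(uid=someuser)' dn`; if that returns nothing, Apache will reject every login no matter what password is typed. Note that the `secret` password in this example travels in clear text over ldap://, which is fine for a lab and not for anything else.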

Auth against Active Directory

At work we use AD, so we have to utilize LDAP for most of our web services. Sadly, we use a crapton of Basic Auth all over the place. What's unique here is that our attributes are not exactly normal (AD matches logins on sAMAccountName, not uid, and accepts a DOMAIN\user name as the bind DN):

AuthType Basic  
AuthName "Super Duper Secure Area"  
AuthBasicProvider ldap  
#AuthzLDAPAuthoritative on
AuthLDAPURL ldaps://ldap.company.net:636/dc=company,dc=net?sAMAccountName TLS  
AuthLDAPBindDN "COMPANYDOMAIN\binduser"  
AuthLDAPBindPassword bindpassword  
require valid-user  

Since the directory uses a self-signed certificate, we also had to drop a file into conf-enabled (conf.d on Red Hat style layouts). Be aware of what LDAPVerifyServerCert Off does: Apache will accept any certificate on port 636, so anyone who can redirect that traffic can present their own certificate and harvest the bind password plus every user's password as they log in. The safer fix is to leave verification on and trust the self-signed certificate explicitly with LDAPTrustedGlobalCert.

<IfModule ldap_module>  
     LDAPTrustedMode TLS
     LDAPVerifyServerCert Off
</IfModule>  
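Here is the hardened form of the AD setup as an added example (not configuration from the original post): certificate verification stays on and the directory's CA is trusted explicitly, and the group check uses AD's DN-based member attribute. The hostname, base DN, bind account, group DN and CA file path are placeholders:

```apache
# Added example, not from the original post: AD over LDAPS with certificate
# verification kept on. Hostname, base DN, bind account, group DN and the
# CA file path are placeholders.
<IfModule ldap_module>
    # Trust the directory's CA (or the self-signed server cert itself) instead
    # of disabling verification; CA_BASE64 expects a PEM-encoded file.
    LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/company-ldap-ca.pem
    LDAPVerifyServerCert On
</IfModule>

<Directory /var/www/secure>
    AuthType Basic
    AuthName "Super Duper Secure Area"
    AuthBasicProvider ldap

    # ldaps:// on 636 is TLS from the first byte, so no trailing TLS flag is
    # needed (that flag asks for STARTTLS on a plain ldap:// port).
    AuthLDAPURL ldaps://ldap.company.net:636/dc=company,dc=net?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "COMPANYDOMAIN\binduser"
    AuthLDAPBindPassword bindpassword

    # AD groups list members as full DNs in the "member" attribute, which the
    # module already checks by default (AuthLDAPGroupAttributeIsDN on), so
    # unlike the posix case nothing extra is needed for the group lookup.
    Require ldap-group CN=Web Admins,OU=Groups,DC=company,DC=net
</Directory>
```

You can check that the CA file is the right one before touching Apache: `LDAPTLS_CACERT=/etc/ssl/certs/company-ldap-ca.pem ldapsearch -H ldaps://ldap.company.net:636 -D "COMPANYDOMAIN\binduser" -W -b dc=company,dc=net '(sAMAccountName=someuser)' dn` should return the user's DN; a TLS error here means the PEM file does not match what the server presents, and the answer is to fix the file, not to turn verification off.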
Mario Loria

./scriptthe.net