This page describes how to get Apache to authenticate against an LDAP server.
Currently there is no way to use Digest authentication against LDAP, so Basic authentication is used, which by itself does not encrypt the credentials. However, if you use SSL this should not be a problem, because the username and password are sent encrypted over the SSL channel.
Ensure the following modules are installed and configured in your Apache server:
    LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
    LoadModule ldap_module libexec/apache22/mod_ldap.so
- ldap_module – LDAP connection pooling and result caching services for use by other LDAP modules
- authnz_ldap_module – Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
Put the following into the Directory or Location tag in your web server configuration file.
AuthLDAPBindDN and AuthLDAPBindPassword are not required if your LDAP server allows an anonymous bind for the search. Once the module finds the user's entry, it performs a bind against that entry using the password the user provided.
    AuthType Basic
    AuthName LDAP
    AuthBasicProvider ldap
    Require valid-user
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "uid=ldapauthuser,ou=system,dc=yourdomain,dc=com"
    AuthLDAPBindPassword "xxx"
    AuthLDAPURL "ldap://localhost/ou=people,dc=yourdomain,dc=com"
Protecting Directories Based On Group Membership
Apache can restrict access to a directory or location based on LDAP group membership. If the user is a member of the group, they are granted access to the location. This is done by adding “Require ldap-group”; see the Require ldap-group line below.
The following configuration, placed inside httpd.conf, restricts the /svn/group1 repository to people who are in the “cn=group1,ou=svngroups,dc=yourdomain,dc=com” group.
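    <Location /svn/group1>
        DAV svn
        SVNPath /var/db/svngroup1
        AuthType Basic
        AuthName LDAP
        AuthBasicProvider ldap
        # Account used to search the directory for the user's entry
        AuthLDAPBindDN "uid=ldapauthuser,ou=system,dc=yourdomain,dc=com"
        AuthLDAPBindPassword "password"
        AuthLDAPURL "ldap://localhost/ou=people,dc=yourdomain,dc=com?uid"
        # "Require valid-user" is omitted here: Require lines are not cumulative,
        # so it could admit any authenticated user regardless of group membership.
        Require ldap-group cn=group1,ou=svngroups,dc=yourdomain,dc=com
    </Location>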
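
A pre-deployment check for LDAP-protected sections like the ones above, added here as an example and not part of the original page. It flags a Require valid-user next to Require ldap-group, an unbalanced quote in AuthLDAPURL, Basic auth without SSL enforced in the section, and a bind password kept in the config. The sample config is constructed, and the SSLRequireSSL test is a heuristic that assumes SSL is enforced per section rather than at the virtual-host level.

```python
import re

# Constructed sample: a group-protected location with the mistakes this check looks for.
SAMPLE = '''
<Location /svn/group1>
    AuthType Basic
    AuthBasicProvider ldap
    Require valid-user
    AuthLDAPBindDN "uid=ldapauthuser,ou=system,dc=yourdomain,dc=com"
    AuthLDAPBindPassword "password"
    AuthLDAPURL "ldap://localhost/ou=people,dc=yourdomain,dc=com?uid
    Require ldap-group cn=group1,ou=svngroups,dc=yourdomain,dc=com
</Location>
'''

SECTION = re.compile(r'<(Location|Directory)\s+([^>]+)>(.*?)</\1>', re.S | re.I)

def audit(conf):
    """Return (section_path, finding) tuples for sections using the ldap provider."""
    findings = []
    for _, path, body in SECTION.findall(conf):
        d = {}  # directive name (lower-cased) -> list of argument strings
        for line in (l.strip() for l in body.splitlines()):
            if line and not line.startswith('#'):
                name, args = (line.split(None, 1) + [''])[:2]
                d.setdefault(name.lower(), []).append(args.strip())
        if 'ldap' not in ' '.join(d.get('authbasicprovider', [])).lower():
            continue
        requires = [r.split()[0].lower() for r in d.get('require', []) if r]
        if 'valid-user' in requires and 'ldap-group' in requires:
            findings.append((path, 'Require valid-user next to Require ldap-group: '
                                   'any authenticated user may be admitted'))
        for url in d.get('authldapurl', []):
            if url.count('"') % 2:
                findings.append((path, 'AuthLDAPURL has an unbalanced quote'))
        if 'sslrequiressl' not in d:
            findings.append((path, 'Basic auth without SSLRequireSSL in this section'))
        if 'authldapbindpassword' in d:
            findings.append((path, 'bind password stored in config; restrict file permissions'))
    return findings

if __name__ == '__main__':
    for path, msg in audit(SAMPLE):
        print(f'{path}: {msg}')
```
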