23 Jan 10

Getting Apache to Authenticate Against LDAP


This page describes the process of getting Apache to authenticate users against an LDAP server.

Background

Limitations

Currently there is no way to use Digest Authentication against LDAP; only Basic Authentication is supported. However, if you are using SSL this should not be a problem, because the username and password are sent over the encrypted SSL channel.

Procedure

Ensure you have the following modules installed and configured in your Apache server:

LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
LoadModule ldap_module libexec/apache22/mod_ldap.so
  • ldap_module – LDAP connection pooling and result caching services for use by other LDAP modules
  • authnz_ldap_module – Allows an LDAP directory to be used to store the database for HTTP Basic authentication.

Put the following into the Directory or Location tag in your web server configuration file.
AuthLDAPBindDN and AuthLDAPBindPassword are not required if your server allows anonymous bind for the search. Apache first searches for the user's entry under the base DN in AuthLDAPURL; when it finds the entry, it performs a second bind as that entry's DN using the password the user provided, and authentication succeeds only if that bind succeeds.

AuthType Basic
AuthName LDAP
AuthBasicProvider ldap
Require valid-user
AuthzLDAPAuthoritative on
AuthLDAPBindDN "uid=ldapauthuser,ou=system,dc=yourdomain,dc=com"
AuthLDAPBindPassword "xxx"
AuthLDAPURL "ldap://localhost/ou=people,dc=yourdomain,dc=com"
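To make the search step concrete, here is an added example (not code from the original post or from Apache itself) that parses an AuthLDAPURL into the pieces mod_authnz_ldap uses (host, port, base DN, attribute, scope, filter), applies the module's documented defaults (attribute uid, scope sub, filter (objectClass=*)), and builds the combined search filter (&(filter)(attribute=username)) that the module sends to the directory. The user-supplied name is escaped per RFC 4515 before it is placed in the filter; the escaping function is this example's own, written to show why filter metacharacters in a username must never reach the directory unescaped.

```python
from urllib.parse import unquote

# Defaults documented for mod_authnz_ldap when a URL component is omitted.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL value into the parts mod_authnz_ldap uses.

    Format: scheme://host[:port]/basedn?attribute?scope?filter
    Any component after the base DN may be omitted.
    """
    scheme, _, rest = url.partition("://")
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % scheme)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = tail.split("?")
    # Apache treats an empty or 'base' scope as 'sub'.
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else DEFAULT_SCOPE
    if scope == "base":
        scope = DEFAULT_SCOPE
    return {
        "scheme": scheme,
        "host": host or "localhost",
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "base_dn": unquote(parts[0]),
        "attribute": parts[1] if len(parts) > 1 and parts[1] else DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": unquote(parts[3]) if len(parts) > 3 and parts[3] else DEFAULT_FILTER,
    }


def build_search_filter(parsed: dict, username: str) -> str:
    """Return the filter Apache uses to locate the user's entry."""
    return "(&%s(%s=%s))" % (
        parsed["filter"],
        parsed["attribute"],
        escape_filter_value(username),
    )


if __name__ == "__main__":
    # The URL from the configuration above, with the attribute spelled out.
    p = parse_auth_ldap_url("ldap://localhost/ou=people,dc=yourdomain,dc=com?uid")
    print(p)
    print(build_search_filter(p, "alice"))
```

Running the block prints the parsed URL and the filter `(&(objectClass=*)(uid=alice))`, which is the search you can reproduce by hand with `ldapsearch` against the base DN while debugging a failing login.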

Protecting Directories Based On Group Membership

Apache can also restrict a directory or location to members of an LDAP group: if the user is a member of the group they are granted access, otherwise they are denied. This is done by adding "Require ldap-group" with the group's DN; see the Require ldap-group line in the block below.

The following block, placed in httpd.conf, restricts the /svn/group1 repository to users who are members of the "cn=group1,ou=svngroups,dc=yourdomain,dc=com" group.

<Location /svn/group1>
DAV svn
SVNPath /var/db/svngroup1
AuthType Basic
AuthName LDAP
AuthBasicProvider ldap
AuthLDAPBindDN "uid=ldapauthuser,ou=system,dc=yourdomain,dc=com"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://localhost/ou=people,dc=yourdomain,dc=com?uid"
# Only the group rule is listed here. Do not add "Require valid-user" as well:
# Apache 2.2 grants access if any Require line is satisfied, so a valid-user
# rule next to this one would let every authenticated user in.
Require ldap-group cn=group1,ou=svngroups,dc=yourdomain,dc=com
</Location>
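Because Apache 2.2 treats multiple Require lines as alternatives, a block that keeps "Require valid-user" next to "Require ldap-group" silently admits every authenticated user. The following added example (my own code, not part of the original post or of Apache) is a small audit script for httpd.conf Location blocks: it extracts the Require directives of each block and reports the combinations that defeat a group restriction. The two configuration snippets embedded in it are constructed for the demonstration.

```python
import re

# Constructed sample: the first block keeps a stray valid-user rule,
# the second is restricted to the group only.
SAMPLE_CONFIG = """
<Location /svn/group1>
  DAV svn
  AuthType Basic
  AuthBasicProvider ldap
  Require valid-user
  AuthLDAPURL "ldap://localhost/ou=people,dc=yourdomain,dc=com?uid"
  Require ldap-group cn=group1,ou=svngroups,dc=yourdomain,dc=com
</Location>

<Location /svn/group2>
  DAV svn
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://localhost/ou=people,dc=yourdomain,dc=com?uid"
  Require ldap-group cn=group2,ou=svngroups,dc=yourdomain,dc=com
</Location>
"""

_LOCATION_OPEN = re.compile(r"<Location\s+(\S+)\s*>", re.IGNORECASE)
_LOCATION_CLOSE = re.compile(r"</Location\s*>", re.IGNORECASE)


def parse_location_blocks(config_text: str) -> dict:
    """Map each <Location path> to its list of directive lines (comments dropped)."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LOCATION_OPEN.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        if _LOCATION_CLOSE.match(line):
            current = None
            continue
        if current is not None:
            blocks[current].append(line)
    return blocks


def require_rules(directives: list) -> list:
    """Return the argument part of every Require directive, lower-cased."""
    rules = []
    for d in directives:
        name, _, args = d.partition(" ")
        if name.lower() == "require":
            rules.append(args.strip().lower())
    return rules


def audit_block(directives: list) -> list:
    """Return human-readable findings for one Location block."""
    rules = require_rules(directives)
    findings = []
    if not rules:
        findings.append("no Require directive: authentication is not enforced")
        return findings
    has_valid_user = any(r.startswith("valid-user") for r in rules)
    has_group = any(r.startswith("ldap-group") for r in rules)
    if has_valid_user and has_group:
        findings.append(
            "Require valid-user next to Require ldap-group: Apache 2.2 ORs "
            "Require lines, so any authenticated user is admitted"
        )
    return findings


def audit_config(config_text: str) -> dict:
    """Audit every Location block; only blocks with findings are returned."""
    result = {}
    for path, directives in parse_location_blocks(config_text).items():
        findings = audit_block(directives)
        if findings:
            result[path] = findings
    return result


if __name__ == "__main__":
    for path, findings in audit_config(SAMPLE_CONFIG).items():
        for f in findings:
            print("%s: %s" % (path, f))
```

Run it against your own httpd.conf by reading the file into `audit_config`; a clean run prints nothing, and the check is cheap enough to keep in a pre-deploy script.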
