HOWTO Apache2 and mod auth ldap
From Gentoo Linux Wiki
Prerequisites
I'm going to assume you've got an Apache webserver and an OpenLDAP server up and running. If you don't, please install them. For further information on how to install and configure them, see HOWTO LDAPv3 and HOWTO Install Apache2.
Procedure
This article is no longer up to date and needs maintenance. For people who tried this and have problems now, you may want to look at this blog: http://www.ng-lab.org/webapp/v5/drupal/?q=node/74. --212.126.165.190 09:04, 30 January 2008 (UTC)
First, you must install the mod_auth_ldap package. Check the USE flags to make sure it installs for the version of Apache you're using:

    # USE="apache2" emerge -pv mod_auth_ldap
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    [ebuild  N    ] net-www/mod_auth_ldap-3.3  USE="apache2 berkdb gdbm -disk-cache -mem-cache" 518 kB
    # emerge mod_auth_ldap

Warning: this is now a USE flag for apache. I'll try to update this wiki later. The USE flag is ldap, btw. --83.160.243.42 14:25, 11 August 2007 (UTC) Ewoud
After installation, edit your /etc/conf.d/apache2 file and add '-D AUTH_LDAP' to the APACHE2_OPTS value. It looks like this on my install:

    APACHE2_OPTS="-D SSL -D SSL_DEFAULT_VHOST -D PHP5 -D USERDIR -D AUTH_LDAP"

Now, restart Apache so the module is loaded:

    # /etc/init.d/apache2 restart
Setting Permissions
Restricting access to users
Now it gets a little tricky. It all depends on how you're planning to administer your users. Let's say that in a given directory you want to give access to any valid user registered on your LDAP server. The .htaccess file in that directory should look like this:

File: .htaccess

    AuthName "Realm"
    AuthType Basic
    LDAP_Server localhost
    LDAP_Port 389
    Base_DN "dc=example,dc=com"
    UID_Attr uid
    require valid-user

Of course, you have to adjust the values to suit your LDAP server. For example, if you're using Secure LDAP (LDAPS), the port should be 636 (by default).
Restricting access to specific users
Now, in another directory, you want only Bill and Joe to have access. Your .htaccess file should look like this:

File: .htaccess

    AuthName "Another Realm"
    AuthType Basic
    LDAP_Server localhost
    LDAP_Port 389
    Base_DN "dc=example,dc=com"
    UID_Attr uid
    require user bill joe

This way, only users with uid=bill or uid=joe will be able to access the directory.
Restricting access to a group of users
But if the list of users with access to this directory changes a lot, you'll find yourself constantly editing the file. Since you probably don't want that, it's better to create a group in your LDAP server and assign users to that group; it is much easier to maintain. So, to give access to a group, do this:

File: .htaccess

    AuthName "Third Realm"
    AuthType Basic
    LDAP_Server localhost
    LDAP_Port 389
    Base_DN "dc=example,dc=com"
    UID_Attr uid
    require group cn=MyGroup,ou=Groups

Notice that you don't have to put the entire DN of the group in the file. In the example above, the module appends Base_DN and automatically searches for cn=MyGroup,ou=Groups,dc=example,dc=com.
Also, for 'require group' to work, the group must be stored in LDAP as a groupOfUniqueNames whose uniquemember values are the members' full DNs, following the pattern shown below:

    dn: cn=MyGroup,ou=Groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: MyGroup
    description: Testing LDAP require group functionality
    uniquemember: uid=bill,ou=People,dc=example,dc=com
    uniquemember: uid=joe,ou=People,dc=example,dc=com
Restricting access to users selected by LDAP filter
Finally, you can select the permitted users with an arbitrary LDAP search filter, like this:

File: .htaccess

    AuthName "Last Realm"
    AuthType Basic
    LDAP_Server localhost
    LDAP_Port 389
    Base_DN "dc=example,dc=com"
    UID_Attr uid
    require filter "(&(telephonenumber=1234)(roomnumber=123))"
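To make the four 'require' forms above concrete, here is an added example (not code from the wiki page or from mod_auth_ldap itself) that models the module's authorization decision: it parses the .htaccess directives shown in this article, looks the user up below Base_DN by UID_Attr, completes a relative group DN with Base_DN, checks uniquemember for groups, and evaluates the search filter against the user's entry. The directory contents (users bill, joe, ann and the group MyGroup) are constructed stand-ins for a real LDAP server, and the filter parser only covers the &, | and attr=value forms used on this page.

```python
"""Added example: how the mod_auth_ldap 'require' directives on this page turn into
an allow/deny decision. The directory below is constructed test data, not a real
server; only a subset of RFC 4515 filters (&, |, attr=value, attr=*) is parsed."""
import shlex

# Constructed stand-in for the LDAP server: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "uid=bill,ou=People,dc=example,dc=com": {
        "uid": ["bill"], "telephonenumber": ["1234"], "roomnumber": ["123"]},
    "uid=joe,ou=People,dc=example,dc=com": {
        "uid": ["joe"], "telephonenumber": ["1234"], "roomnumber": ["124"]},
    "uid=ann,ou=People,dc=example,dc=com": {
        "uid": ["ann"], "telephonenumber": ["5678"], "roomnumber": ["123"]},
    "cn=MyGroup,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"], "cn": ["MyGroup"],
        "uniquemember": ["uid=bill,ou=People,dc=example,dc=com",
                         "uid=joe,ou=People,dc=example,dc=com"]},
}


def parse_htaccess(text):
    """Split each directive line shell-style so quoted values (Base_DN, filter) stay whole."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            conf[tokens[0].lower()] = tokens[1:]
    return conf


def complete_dn(dn, base_dn):
    """A relative DN in 'require group' is completed with Base_DN, as the page notes."""
    return dn if dn.lower().endswith(base_dn.lower()) else f"{dn},{base_dn}"


def parse_filter(s, i=0):
    """Recursive-descent parser for the &, | and attr=value subset of RFC 4515 filters."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            items.append(node)
        return (op, items), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def match(node, attrs):
    """Evaluate a parsed filter against one entry (caseIgnore-style equality assumed)."""
    if node[0] == "&":
        return all(match(n, attrs) for n in node[1])
    if node[0] == "|":
        return any(match(n, attrs) for n in node[1])
    _, attr, value = node
    values = attrs.get(attr, [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)


def find_user(conf, uid):
    """Locate the user's entry below Base_DN by UID_Attr, like the module's first search."""
    base, attr = conf["base_dn"][0].lower(), conf["uid_attr"][0].lower()
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base) and uid in attrs.get(attr, []):
            return dn, attrs
    return None


def authorize(htaccess, uid):
    """Apply the 'require' line to a user whose password has already been verified."""
    conf = parse_htaccess(htaccess)
    found = find_user(conf, uid)
    if found is None:
        return False                        # no entry under Base_DN: deny
    dn, attrs = found
    kind, args = conf["require"][0].lower(), conf["require"][1:]
    if kind == "valid-user":
        return True
    if kind == "user":
        return uid in args
    if kind == "group":
        group = DIRECTORY.get(complete_dn(args[0], conf["base_dn"][0]), {})
        return any(m.lower() == dn.lower() for m in group.get("uniquemember", []))
    if kind == "filter":
        return match(parse_filter(args[0])[0], attrs)
    raise ValueError(f"unsupported require type: {kind}")


GROUP_HTACCESS = """AuthName "Third Realm"
AuthType Basic
LDAP_Server localhost
LDAP_Port 389
Base_DN "dc=example,dc=com"
UID_Attr uid
require group cn=MyGroup,ou=Groups
"""
FILTER_HTACCESS = GROUP_HTACCESS.replace(
    "require group cn=MyGroup,ou=Groups",
    'require filter "(&(telephonenumber=1234)(roomnumber=123))"')

# Example run: bill and joe are group members, ann is a valid user but not a member.
DECISIONS = {uid: authorize(GROUP_HTACCESS, uid) for uid in ("bill", "joe", "ann")}
```

Swapping the 'require' line in GROUP_HTACCESS for 'require user bill joe' or 'require valid-user' exercises the other two forms from this article; note that an authenticated user who has no entry below Base_DN is denied in every case, which is why Base_DN must cover the subtree your users actually live in.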
Extras
There are three other directives that can be configured:
- AuthLDAPAuthoritative: Set this directive to off if you want mod_auth_ldap to let another module attempt to authenticate the user in case of failure. This allows you to set up a fallback authentication system.
- Bind_DN and Bind_Pass: If your LDAP server doesn't allow anonymous bind, you should set a DN and password capable of authenticating to your LDAP server in order to have access to user data.
Also, you should know that I've only tested authentication with users whose passwords were stored in crypt format. I'm not sure if any other form of hashing is supported.
Meaning of each USE Flag
- apache2: Chooses Apache2 support when a package supports both Apache1 and Apache2
- berkdb: Adds support for sys-libs/db (Berkeley DB for MySQL)
- disk-cache: Enables support for disk cache.
- gdbm: Adds support for sys-libs/gdbm (GNU database libraries)
- mem-cache: Enables support for memory cache.
Troubleshooting
The module name changed to mm_auth_ldap_module in mod_auth_ldap 3.x. Look at these references to correctly complete your installation:
http://bugs.gentoo.org/show_bug.cgi?id=114453
http://www.muquit.com/muquit/software/mod_auth_ldap/README3.4.txt
External References
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
