[Experience sharing] Using LDAP for Apache Authentication

Posted on 2017-1-1 07:46:23
This method authenticates web site logins using Apache 2.0/2.2 on Linux, the
LDAP authentication modules (supplied by default with most Linux distros)
and an LDAP server.
LDAP can also be used to authenticate user accounts on Linux and other
computer systems, not only web site logins.
  
Try this out with your Apache server authenticating to our open LDAP server
using our Three Stooges example.




Apache LDAP modules:

Note that the following configurations work if the LDAP modules are enabled:

  • Apache 2.0 (Red Hat Enterprise 4/CentOS 4): mod_ldap, mod_auth_ldap
  • Apache 2.2 (Red Hat Enterprise 5/CentOS 5): mod_ldap, mod_authnz_ldap
  
These are turned on by default. See /etc/httpd/conf/httpd.conf



  • Apache 2.0:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so


  • Apache 2.2:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so





Apache Authentication Configuration:


Apache 2.0:
  
Authenticate to an open LDAP server (one that permits anonymous searches, so no bind DN/password is required to access the LDAP server):



File: httpd.conf (portion)

...
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPURL ldap://ldap.yo-linux.com:389/o=stooges?mail
require valid-user
</Directory>
...


or create the file /var/www/html/.htaccess:

AuthName "Stooges Web Site: Login with email address"
AuthType Basic
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail
require valid-user

  
Point your browser to http://localhost/


Login with the user id "LFine@isp.com" and password "larrysecret".


You will be asked to use a user id (email address) and password to enter the site.


  
Bind with a bind DN: (password protected LDAP repository)



File: httpd.conf (portion)

...
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPEnabled on
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1

require valid-user
</Directory>
...


Examples:

  • require valid-user: Allow all users whose authentication (password) is correct.
  • require user greg phil bob: Allow only greg, phil and bob to log in.
  • require group accounting: Allow only users in group "accounting" to authenticate.

  
This example uses the email address as the login id. To use user ids
instead, specify:

AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid
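As an added example (not code from the page, from the tutorial it reproduces, or from the Apache project), the following Python parses the AuthLDAPURL form used throughout this page, derives the directory search a login name implies, and audits the settings shown. It goes slightly beyond the page: it also handles the ldaps:// form mentioned at the end and the optional filter field. The defaults (uid, sub, (objectClass=*)) and the combined filter shape (&(filter)(attribute=login)) follow the mod_authnz_ldap documentation; the sample URLs are constructed from the page's examples, and the audit findings are this example's own judgement, not the page's.

```python
"""Parse an Apache AuthLDAPURL and derive the user lookup it implies.

Added example; it is not code from the page or from the Apache project.
The URL grammar is the documented mod_auth_ldap / mod_authnz_ldap form
    scheme://host[:port]/basedn?attribute?scope?filter
where attribute defaults to uid, scope to sub and filter to (objectClass=*).
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote, urlsplit


@dataclass
class AuthLdapUrl:
    scheme: str
    host: str
    port: int
    basedn: str
    attribute: str
    scope: str
    filter: str

    @property
    def encrypted(self) -> bool:
        # Only ldaps:// protects the bind password and the user's Basic-auth
        # password on the link between Apache and the directory.
        return self.scheme == "ldaps"


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split an AuthLDAPURL value into its parts, applying module defaults."""
    parts = urlsplit(url.strip().strip('"'))
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("AuthLDAPURL needs a host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    basedn = unquote(parts.path.lstrip("/"))
    # urlsplit keeps everything after the first '?', so the query still holds
    # the '?'-separated attribute, scope and filter fields.
    fields = parts.query.split("?") if parts.query else []
    attribute = fields[0] if len(fields) > 0 and fields[0] else "uid"
    scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
    if scope not in ("sub", "one", "base"):
        raise ValueError(f"unknown scope {scope!r}")
    filt = fields[2] if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return AuthLdapUrl(parts.scheme, parts.hostname, port, basedn, attribute, scope, filt)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the login name is matched literally in the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(u: AuthLdapUrl, login: str) -> str:
    """The documented search for a login: (&(filter)(attribute=login))."""
    return f"(&{u.filter}({u.attribute}={escape_filter_value(login)}))"


def audit_auth_ldap_url(url: str) -> List[str]:
    """Return the findings a configuration reviewer would raise for this URL."""
    u = parse_auth_ldap_url(url)
    findings = []
    if not u.encrypted:
        findings.append(
            f"{u.scheme}://{u.host}:{u.port} carries passwords unencrypted; "
            "use ldaps:// with LDAPTrustedCA configured")
    if u.filter == "(objectClass=*)":
        findings.append(
            f"no filter: every entry under {u.basedn} with a {u.attribute} "
            "value can log in; add a filter if only some entries are accounts")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, based on the page's examples.
    for url in ("ldap://ldap.yo-linux.com:389/o=stooges?mail",
                "ldaps://ldap.example.com/o=stooges?uid?sub?(objectClass=posixAccount)"):
        u = parse_auth_ldap_url(url)
        print(url, "->", user_search_filter(u, "larry"), audit_auth_ldap_url(url))
```

Running it on the page's own ldap://...:389 URLs reports that both the AuthLDAPBindPassword and each visitor's password cross the network in the clear, which is the reason to prefer the ldaps:// form described at the end of this page.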


Apache 2.2:
  
Authenticate using Apache httpd 2.2 AuthzLDAP:

  
User Authentication:



File: httpd.conf (portion)

...
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1

require ldap-user lary curley moe joe bob mary
</Directory>
...


  
There are two configurations for the directive AuthzLDAPAuthoritative:

AuthzLDAPAuthoritative on (default)

AuthzLDAPAuthoritative on
...
require ldap-user lary curley moe joe bob mary

AuthzLDAPAuthoritative off

AuthzLDAPAuthoritative off
...
require valid-user

This configuration allows a waterfall of other authentication methods to be employed along side LDAP.
  
Group Authentication:



LDAP LDIF file:

dn: cn=users,ou=group,o=stooges
cn: users
objectClass: top
objectClass: posixGroup
gidNumber: 100
memberUid: larry
memberUid: moe

Apache Configuration:

...
<Directory /var/www/html>
Order deny,allow
Deny from All
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1

AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=users,ou=group,o=stooges
Require ldap-attribute gidNumber=100
Satisfy any
</Directory>
...


Note:

  • Allow users (LDAP attribute: memberUid) in the group with gidNumber: 100 of objectClass: posixGroup whose entry matches the login uid; that is, approve authentication for them.
    The directive AuthLDAPGroupAttribute identifies the group attribute to match against the login uid.
  • AuthLDAPGroupAttributeIsDN:
    • on (default): Use the DN (Distinguished Name), e.g. cn=Moe Howard,ou=MemberGroupA,o=stooges
    • off: Use the username, e.g. moe
  • Multiple Require ldap-group ... statements may be included to allow multiple groups.
  • Multiple Require ldap-attribute ... statements may be included to allow multiple attribute matches.
  • The directive Satisfy any is required if testing multiple conditions. Only one positive result in any of the conditions is required to authenticate.
    Thus you can combine the following authorization schemes as well:
    • Require ldap-user
    • Require ldap-dn
    • Require ldap-attribute
    • Require ldap-filter
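To make the group rules above concrete, here is an added Python example (not code from the page or from the Apache project) that evaluates the Require lines of the configuration against a small in-memory directory. It models the decision as the page describes it: Require ldap-group compares the login against the group's AuthLDAPGroupAttribute (a plain user name with AuthLDAPGroupAttributeIsDN off, the user's DN with it on), Require ldap-attribute looks at the user's own entry, and with Satisfy any one passing rule is enough. The group entry is taken from the page's LDIF; the user entries, the DN-valued "admins" group and all passwords are constructed for the example.

```python
"""Evaluate the page's group-authorization rules against an in-memory directory.

Added example; it is not code from the page or from the Apache project.
The decision logic follows the page's description of Require ldap-group,
Require ldap-attribute and Satisfy any for an already-authenticated uid.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

DIRECTORY: Dict[str, Entry] = {
    # From the page's LDIF.
    "cn=users,ou=group,o=stooges": {
        "cn": ["users"], "objectClass": ["top", "posixGroup"],
        "gidNumber": ["100"], "memberUid": ["larry", "moe"]},
    # Constructed: a DN-valued group, the shape AuthLDAPGroupAttributeIsDN on expects.
    "cn=admins,ou=group,o=stooges": {
        "cn": ["admins"], "objectClass": ["groupOfNames"],
        "member": ["uid=moe,o=stooges"]},
    # Constructed user entries.
    "uid=larry,o=stooges": {"uid": ["larry"], "gidNumber": ["100"]},
    "uid=moe,o=stooges": {"uid": ["moe"], "gidNumber": ["100"]},
    "uid=curly,o=stooges": {"uid": ["curly"], "gidNumber": ["100"]},
    "uid=shemp,o=stooges": {"uid": ["shemp"], "gidNumber": ["200"]},
}


def find_user_dn(uid: str) -> Optional[str]:
    """Stand-in for the search that AuthLDAPURL ...?uid?sub performs."""
    for dn, entry in DIRECTORY.items():
        if uid in entry.get("uid", []):
            return dn
    return None


def require_ldap_group(user_dn: str, group_dn: str,
                       group_attr: str = "memberUid", attr_is_dn: bool = False) -> bool:
    """Require ldap-group: is the user listed in the group's AuthLDAPGroupAttribute?"""
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False
    member = user_dn if attr_is_dn else DIRECTORY[user_dn]["uid"][0]
    return member in group.get(group_attr, [])


def require_ldap_attribute(user_dn: str, spec: str) -> bool:
    """Require ldap-attribute name=value: does the user's own entry carry it?"""
    name, _, value = spec.partition("=")
    return value in DIRECTORY[user_dn].get(name, [])


# (directive, argument) pairs, as in the <Directory> block on the page.
RULES: List[Tuple[str, str]] = [
    ("ldap-group", "cn=users,ou=group,o=stooges"),
    ("ldap-attribute", "gidNumber=100"),
]


def authorize(uid: str, rules: List[Tuple[str, str]] = RULES) -> Optional[str]:
    """Return the first Require rule that grants access (Satisfy any), else None."""
    user_dn = find_user_dn(uid)
    if user_dn is None:
        return None
    for kind, arg in rules:
        if kind == "ldap-group":
            ok = require_ldap_group(user_dn, arg)
        elif kind == "ldap-attribute":
            ok = require_ldap_attribute(user_dn, arg)
        elif kind == "ldap-user":
            ok = uid in arg.split()
        elif kind == "valid-user":
            ok = True
        else:
            raise ValueError(f"unsupported Require type {kind!r}")
        if ok:
            return kind
    return None


if __name__ == "__main__":
    for uid in ("larry", "curly", "shemp", "nobody"):
        print(uid, "->", authorize(uid))
```

The interesting case is curly: he is not a memberUid of cn=users, so the ldap-group rule fails, but his entry carries gidNumber 100, so the ldap-attribute rule admits him under Satisfy any. If only the group rule were intended, the attribute rule would have to be dropped.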



  




Concurrent File and LDAP authentication:

  
Apache can use both file and LDAP authentication concurrently.
This is sometimes required to run cron jobs with a login where you do
not want to use a system login or a login managed by a directory server in
another department.




<Directory /ABC>
Order deny,allow
Deny from All
AuthType Basic
AuthBasicProvider file ldap
AuthName "Directory services login"
AuthBasicAuthoritative  off
AuthUserFile /srv/htpasswd
AuthGroupFile /dev/null
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.megacorp.com:389/ou=person,o=megacorp.com,c=us?uid?sub"
#  This user created for local cron jobs. It is not a system user and allows
#  the cron job to perform its task.
#  This user is not in the LDAP directory but in the password file /srv/htpasswd
Require user cronuserjobx

Require ldap-user usera userb

</Directory>


Note:

  • AuthBasicProvider file ldap - Check password "file" authentication first, then LDAP
  • AuthBasicAuthoritative off - Allows fall back to another auth scheme, in this case LDAP
  • AuthzLDAPAuthoritative off - Allows fall back to another auth scheme besides LDAP, in this case file
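As an added illustration (not code from the page or from the Apache project) of the provider order that AuthBasicProvider file ldap sets up, the following Python walks a chain of providers the way mod_auth_basic does: each provider answers granted, denied or user-not-found, and the next provider is consulted only on user-not-found. The htpasswd entry uses the real {SHA} format that htpasswd -s writes, with an invented password for cronuserjobx; the LDAP side is a constructed in-memory stand-in for a search-and-bind, so the example runs offline.

```python
"""Simulate the provider order of 'AuthBasicProvider file ldap'.

Added example; it is not code from the page or from the Apache project.
The htpasswd line is in the {SHA} format 'htpasswd -s' writes; the
directory is a constructed in-memory stand-in for an LDAP bind.
"""
import base64
import hashlib
import hmac
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Result(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    USER_NOT_FOUND = "user not found"


def sha_htpasswd(password: str) -> str:
    """Hash a password the way 'htpasswd -s' does: {SHA} + base64(sha1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed contents of /srv/htpasswd: the local cron account from the page,
# with an invented password.
HTPASSWD_LINES: List[str] = ["cronuserjobx:" + sha_htpasswd("cron-pass-example")]

# Constructed stand-in for the directory: uid -> password the bind would accept.
LDAP_ACCOUNTS = {"usera": "a-pass-example", "userb": "b-pass-example"}


def file_provider(user: str, password: str) -> Result:
    """AuthUserFile check; only {SHA} entries are understood in this example."""
    for line in HTPASSWD_LINES:
        name, _, stored = line.partition(":")
        if name != user:
            continue
        if not stored.startswith("{SHA}"):
            return Result.DENIED  # apr1/bcrypt/crypt hashes are not handled here
        ok = hmac.compare_digest(stored.encode(), sha_htpasswd(password).encode())
        return Result.GRANTED if ok else Result.DENIED
    return Result.USER_NOT_FOUND


def ldap_provider(user: str, password: str) -> Result:
    """Stand-in for the search-then-bind that AuthLDAPURL drives."""
    expected = LDAP_ACCOUNTS.get(user)
    if expected is None:
        return Result.USER_NOT_FOUND
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return Result.GRANTED if ok else Result.DENIED


Provider = Callable[[str, str], Result]
PROVIDERS: List[Tuple[str, Provider]] = [("file", file_provider), ("ldap", ldap_provider)]


def authenticate(user: str, password: str,
                 providers: List[Tuple[str, Provider]] = PROVIDERS
                 ) -> Tuple[Result, Optional[str]]:
    """Walk the provider chain; return the decision and the provider that made it."""
    for name, provider in providers:
        result = provider(user, password)
        # Only "user not found" passes the request on to the next provider.
        if result is not Result.USER_NOT_FOUND:
            return result, name
    return Result.USER_NOT_FOUND, None


if __name__ == "__main__":
    for user, pw in (("cronuserjobx", "cron-pass-example"), ("cronuserjobx", "wrong"),
                     ("usera", "a-pass-example"), ("nobody", "x")):
        print(user, "->", authenticate(user, pw))
```

The point worth noticing is the second case: a wrong password for a name the htpasswd file knows is a denial from the file provider, not a fall-through to LDAP. So an account that exists in both places is only ever checked against the file, which is one reason to keep names like cronuserjobx out of the directory.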




Debugging Apache Authentication:

  
Set LogLevel debug when debugging authentication.
This will log all the LDAP connection events and the LDAP attributes requested.


  
Authenticating with Microsoft Active Directory using Microsoft's "Unix services for Windows":

AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?sub

Also note that encrypted connections use the URL prefix "ldaps://" and the added directives:

  • LDAPTrustedCA directory-path/filename
  • LDAPTrustedCAType type

    Where the "type" is one of:

    • DER_FILE: file in binary DER format
    • BASE64_FILE: file in Base64 format
    • CERT7_DB_PATH: Netscape certificate database file

  
Restart Apache after editing the configuration file (service httpd restart) for configuration changes to take effect.

See /var/log/httpd/error_log for configuration errors.






Post: https://www.yunweiku.com/thread-322150-1-1.html