Difference between revisions of "Apache 2 - LDAP access"
Line 187: | Line 187: | ||
=References= | =References= | ||
− | * My co-worker help | + | * My co-worker help: Julien Rialland |
* Official wiki: https://help.ubuntu.com/community/OpenLDAPServer | * Official wiki: https://help.ubuntu.com/community/OpenLDAPServer |
Revision as of 10:51, 9 June 2014
This explain how to use LDAP to secure some part(s) of a website.
Contents
LDAP authentication
Modules and options lips
List of apache 2.2.x modules with roles and recommended values:
- AuthType
Role | This tells Apache which authentication module you want to use |
Value | basic |
Mandatory | Yes |
- AuthName
Role | Authentication window name |
Value | “Authentication to my service” |
Mandatory | Yes |
- AuthBasicProvider
Role | This tells Apache which authentication module you want to use |
Value | ldaps |
Mandatory | Yes |
- AuthzLDAPAuthoritative
Role | Tells Apache whether or not a failed authentication request can be passed to other Apache modules |
Value | off |
Mandatory | Yes |
- AuthLDAPBindDN
Role | The distinguished name (DN) of service account.
This user will be used to scan the LDAP and perform real user authentication |
Value | UID=myUser,OU=myGroup,DC=myServer
uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu |
Mandatory | No |
- AuthLDAPBindPassword
Role | The password for the user account configured via the AuthLDAPBindDN directive |
Value | |
Mandatory | No |
- AuthLDAPURL
Role | URL that tells:
|
Value | ldaps://myServer:636/OU=group&,OU=group2,DC=myServer?attribute
ldap://myServer:389/OU=group&,OU=group2,DC=myServer?attribute ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com ldap://localhost:389/ou=people,dc=vehco,dc=com?uid |
Mandatory | Yes |
Modules
Installation:
apt-get install libapache2-mod-ldap-userdir
You have to enable to the following modules:
a2enmod ldap authnz_ldap
Restart server to apply changes:
service apache2 restart
Configuration
You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:
Edit V.Host configuration
vim /etc/apache2/sites-available/myServer
Adjust your virtual-host like that:
# LDAP protected directory
<Directory /var/www/ssl/secure>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType basic
AuthName "Secure area"
Require valid-user
###### Choose a LDAP provider
# If "localhost" then use LDAP.
AuthBasicProvider ldap
AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
# If remote URL then use LDAP over SSL
AuthBasicProvider ldaps
AuthLDAPUrl "ldaps://dev.daxiongmao.eu:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
######
# LDAP URL pattern:
# AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=},{LDAP server DC=}?uid"
</Directory>
This example can be set in:
- <Location> - to protect a specific part or alias of the website
- <Directory> - to protect a specific directory or the whole virtual host if set in root directory "/var/www/myServer"
References
- My co-worker help: Julien Rialland
- Official wiki: https://help.ubuntu.com/community/OpenLDAPServer