Apache 2 - LDAP access

 
Secure all the website

You have to adjust your document root like that:

<VirtualHost _default_:443>

# Restrict access to the filesystem root, then open only the document root
DocumentRoot /var/www/daxiongmao-ssl
<Directory />
   Options FollowSymLinks
   AllowOverride None
   Order allow,deny
   deny from all
</Directory>

<Directory /var/www/daxiongmao-ssl>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

   AuthType basic
   AuthName "Secure area"
   AuthBasicProvider ldap
   AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   Require valid-user
</Directory>

[…]

Latest revision as of 17:05, 10 June 2014


This page explains how to use LDAP to secure some part(s) of a website.


LDAP authentication

Modules and options list

List of Apache 2.2.x directives with their roles and recommended values:

  • AuthType
    Role: tells Apache which authentication type to use
    Value: basic
    Mandatory: yes

  • AuthName
    Role: name shown in the authentication window (the realm)
    Value: “Authentication to my service”
    Mandatory: yes

  • AuthBasicProvider
    Role: tells Apache which authentication provider to use
    Value: ldap (the provider name is always ldap; LDAP over SSL is selected by an ldaps:// scheme in AuthLDAPURL, not by the provider name)
    Mandatory: yes

  • AuthzLDAPAuthoritative
    Role: tells Apache whether or not a failed authentication request can be passed on to other Apache modules
    Value: off
    Mandatory: yes

  • AuthLDAPBindDN
    Role: the distinguished name (DN) of the service account. This account is used to search the LDAP directory and then to perform the real user authentication.
    Value: UID=myUser,OU=myGroup,DC=myServer
           Example: uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu
    Mandatory: no

  • AuthLDAPBindPassword
    Role: the password of the service account configured via the AuthLDAPBindDN directive
    Value: (the service account password)
    Mandatory: no

  • AuthLDAPURL
    Role: URL that tells Apache
      • where the directory server is,
      • where to look for users,
      • which user attribute is used to identify a user
    Value: ldaps://myServer:636/OU=group&,OU=group2,DC=myServer?attribute
           ldap://myServer:389/OU=group&,OU=group2,DC=myServer?attribute
           ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
           ldap://localhost:389/ou=people,dc=vehco,dc=com?uid
    Mandatory: yes


Modules

Installation:

apt-get install libapache2-mod-ldap-userdir


You have to enable the following modules:

a2enmod ldap authnz_ldap


Restart server to apply changes:

service apache2 restart


Configuration

You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:


Edit V.Host configuration

vim /etc/apache2/sites-available/myServer


Adjust your virtual-host like that:

# LDAP protected directory
<Directory /var/www/ssl/secure>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

   AuthType basic
   AuthName "Secure area"
   Require valid-user

   ###### Choose one LDAP URL (keep a single AuthLDAPUrl line)
   # The provider name is always "ldap"; the URL scheme decides whether SSL is used.
   AuthBasicProvider ldap

   # If the directory runs on "localhost", plain LDAP on the loopback interface is acceptable.
   AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"

   # If the directory is on a remote host, use LDAP over SSL so that user passwords
   # and the bind password do not cross the network in clear.
   # AuthLDAPUrl "ldaps://dev.daxiongmao.eu:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   ######

   # LDAP URL pattern:
   # AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=},{LDAP server DC=}?uid"
</Directory>


This example can be set in:

  • <Location> - to protect a specific part or alias of the website
  • <Directory> - to protect a specific directory or the whole virtual host if set in root directory "/var/www/myServer"
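As an added example (not from the original page), a small Python checker for the pitfalls this section describes: the provider name must be ldap, a directory on a remote host must be reached over ldaps:// rather than plain ldap://, the URL needs its ?attribute part, and a block without Require protects nothing. The sample block and its bind password are constructed; the hostname is the one used in the configuration above.

```python
from urllib.parse import urlsplit

# Constructed sample (not the page's own config): the page's <Directory> block with
# the remote directory reached over plain ldap://, so that the check has findings.
SAMPLE_BLOCK = """\
<Directory /var/www/ssl/secure>
   AuthType basic
   AuthName "Secure area"
   Require valid-user
   AuthBasicProvider ldap
   AuthLDAPUrl "ldap://dev.daxiongmao.eu:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   AuthLDAPBindDN "uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu"
   AuthLDAPBindPassword "constructed-example-secret"
</Directory>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_directives(block):
    """Map lower-cased directive name -> value for one <Directory>/<Location> block."""
    directives = {}
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):  # skip comments and container tags
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')  # a later repeat wins, as in Apache
    return directives

def check_ldap_auth(block):
    """Return a list of findings for the LDAP auth directives in block (empty = fine)."""
    d = parse_directives(block)
    findings = []
    if d.get("authbasicprovider") != "ldap":
        findings.append("AuthBasicProvider must be 'ldap' (the default is the file provider); "
                        "SSL is selected by an ldaps:// URL scheme, not by the provider name")
    if "require" not in d:
        findings.append("no Require directive, so nothing is actually protected")
    url = d.get("authldapurl")
    if url is None:
        return findings + ["AuthLDAPUrl is missing"]
    u = urlsplit(url)
    if u.scheme == "ldap" and u.hostname not in LOOPBACK:
        findings.append(f"plaintext ldap:// to remote host {u.hostname}: passwords cross "
                        "the network in clear, use ldaps://")
        if "authldapbindpassword" in d:
            findings.append("AuthLDAPBindPassword would also be sent in clear")
    if not u.query:
        findings.append("AuthLDAPUrl has no ?attribute part (e.g. ?uid) naming the user attribute")
    return findings
```

Running check_ldap_auth on the sample reports the plaintext remote URL and the exposed bind password; switching the URL to ldaps://dev.daxiongmao.eu:636 clears both.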




References

  • My co-worker help: Julien Rialland
  • Official wiki: https://help.ubuntu.com/community/OpenLDAPServer