Difference between revisions of "Apache 2 - LDAP access"
Revision as of 17:59, 8 June 2014
This explains how to use LDAP to secure part(s) of a website.
LDAP authentication
Modules and options list
List of Apache 2.2.x mod_authnz_ldap directives, with the role and recommended value of each:
- AuthType
Role | Tells Apache which HTTP authentication type to use |
Value | basic |
Mandatory | Yes |
- AuthName
Role | Name of the authentication realm, shown in the browser's login window |
Value | “Authentication to my service” |
Mandatory | Yes |
- AuthBasicProvider
Role | Tells Apache which authentication provider (module) checks the credentials |
Value | ldap (the provider is named ldap even when the directory is reached over TLS; TLS is selected with an ldaps:// AuthLDAPURL) |
Mandatory | Yes |
- AuthzLDAPAuthoritative
Role | Tells Apache whether a request that LDAP authorization rejects may be passed on to other authorization modules |
Value | off |
Mandatory | Yes |
- AuthLDAPBindDN
Role | The distinguished name (DN) of the service account. Apache binds as this user to search the directory and find the entry of the user who is logging in; that user's own password is then checked with a second bind |
Value | UID=myUser,OU=myGroup,DC=myServer (for example uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu) |
Mandatory | No |
- AuthLDAPBindPassword
Role | The password of the service account configured with the AuthLDAPBindDN directive |
Value | |
Mandatory | No |
- AuthLDAPURL
Role | URL that tells Apache which directory server to contact, the base DN to search under and the attribute the login name is matched against (defaults to uid) |
Value | ldaps://myServer:636/OU=group,OU=group2,DC=myServer?attribute
ldap://myServer:389/OU=group,OU=group2,DC=myServer?attribute
ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
ldap://localhost:389/ou=people,dc=vehco,dc=com?uid |
Mandatory | Yes |
Modules
Installation:
apt-get install libapache2-mod-ldap-userdir
You have to enable the following modules:
a2enmod ldap authnz_ldap
Restart server to apply changes:
service apache2 restart
Configuration
You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:
Edit the VirtualHost configuration:
vim /etc/apache2/sites-available/myServer
Adjust your virtual host like this:
# LDAP protected directory
<Directory /var/www/ssl/secure>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType basic
    AuthName "Secure area"
    ###########################
    # Choose a LDAP provider
    ###########################
    # The provider name is always "ldap"; the scheme of AuthLDAPUrl decides
    # whether the connection to the directory is encrypted.
    AuthBasicProvider ldap
    # If the directory runs on "localhost", plain LDAP is acceptable.
    AuthLDAPUrl "ldap://localhost:389/{LDAP ou=,dc=}?uid"
    # If the directory is remote, use LDAP over SSL so that the user passwords
    # Apache forwards to it are not sent in clear text. With ldaps:// also
    # configure LDAPTrustedGlobalCert (mod_ldap) so the server certificate is verified.
    #AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=,dc=}?uid"
    Require valid-user
    # example
    # AuthLDAPBindDN "cn=admin,dc=dev,dc=daxiongmao,dc=eu"
    # AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
    # AuthLDAPUrl "ldaps://myServer:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
</Directory>
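The directive list and the Directory block above are easy to get subtly wrong in ways Apache only reports at restart, or never reports at all. The following Python checker is an added example, not code from the wiki page or from the Apache project: it parses AuthLDAPURL the way mod_authnz_ldap interprets it (defaults taken from the Apache documentation), builds the search filter Apache sends with the login name escaped, and lints a Directory block for the mistakes worth catching before a restart: AuthBasicProvider ldaps (not a provider), an ldap:// URL to a remote directory (passwords forwarded in clear), a bind DN without a password, and a missing Require. The two sample blocks, the hostname ldap.example.internal, the service account cn=svc-apache and the password placeholder are constructed for the example.

```python
# Added example (not part of the wiki page): offline checks for an Apache 2.2
# mod_authnz_ldap <Directory> block. Directive semantics follow the Apache
# documentation; the sample configurations at the bottom are constructed.
import re
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into the parts mod_authnz_ldap uses.

    Format: scheme://host[:port]/basedn[?attribute[?scope[?filter]]]
    Defaults as documented by Apache: attribute "uid", scope "sub",
    filter "(objectClass=*)".
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("AuthLDAPURL scheme must be ldap or ldaps: %r" % url)
    # urlsplit cuts at the first '?', so the query still holds "attr?scope?filter"
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def search_filter(parsed, username):
    """The lookup filter mod_authnz_ldap builds: (&(filter)(attribute=username))."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                             escape_filter_value(username))


DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s+(.*?)\s*$")


def parse_directives(block):
    """(name, value) pairs of a config block; comments, blanks and <tags> are skipped."""
    pairs = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            pairs.append((match.group(1).lower(), match.group(2).strip('"')))
    return pairs


def lint_directory_block(block):
    """Return (code, message) findings for an LDAP-protected <Directory> block."""
    findings = []
    conf = dict(parse_directives(block))  # a later directive overrides an earlier one
    if "ldaps" in conf.get("authbasicprovider", "").lower().split():
        findings.append(("unknown-provider", "AuthBasicProvider 'ldaps' does not exist; "
                         "the provider is 'ldap' and TLS comes from an ldaps:// AuthLDAPURL"))
    url = conf.get("authldapurl")
    if url:
        parsed = parse_auth_ldap_url(url)
        if parsed["scheme"] == "ldap" and parsed["host"] not in LOCAL_HOSTS:
            findings.append(("cleartext-bind", "ldap:// to remote host %s: the passwords "
                             "Apache forwards to the directory travel unencrypted" % parsed["host"]))
    if "authldapbinddn" in conf and "authldapbindpassword" not in conf:
        findings.append(("empty-bind-password", "AuthLDAPBindDN is set without "
                         "AuthLDAPBindPassword; the search bind would use an empty password"))
    if "require" not in conf:
        findings.append(("missing-require", "no Require directive: credentials are "
                         "checked but access is never restricted"))
    return findings


# Constructed sample: a block with the mistakes listed above.
WEAK_BLOCK = """
<Directory /var/www/ssl/secure>
    AuthType basic
    AuthName "Secure area"
    AuthBasicProvider ldaps
    AuthLDAPUrl "ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com?uid"
    AuthLDAPBindDN "cn=admin,dc=dev,dc=daxiongmao,dc=eu"
</Directory>
"""

# Constructed sample: the same block corrected (hostname and password are placeholders).
HARDENED_BLOCK = """
<Directory /var/www/ssl/secure>
    AuthType basic
    AuthName "Secure area"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://ldap.example.internal:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
    AuthLDAPBindDN "cn=svc-apache,ou=applications,dc=dev,dc=daxiongmao,dc=eu"
    AuthLDAPBindPassword "REPLACE_ME"
    Require valid-user
</Directory>
"""

if __name__ == "__main__":
    for name, block in (("weak", WEAK_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(name, [code for code, _ in lint_directory_block(block)])
```

Run it as a script to see the findings for both sample blocks, or paste your own Directory block into `lint_directory_block`. The checker deliberately mirrors what Apache does with the URL (defaults for attribute, scope and filter) so that `search_filter` shows the exact filter the directory will receive for a given login name, including the RFC 4515 escaping that keeps characters such as `*` and `)` in the login name from altering the filter.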
Secure the whole website
You have to adjust your document root like this:
<VirtualHost _default_:443>
    # Restrict access to document root
    DocumentRoot /var/www/daxiongmao-ssl
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        deny from all
    </Directory>
    <Directory /var/www/daxiongmao-ssl>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        AuthType basic
        AuthName "Secure area"
        AuthBasicProvider ldap
        AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
        Require valid-user
    </Directory>
[…]
References
- My co-worker's help and website: Julien Rialland
- Official wiki: https://help.ubuntu.com/community/OpenLDAPServer