Apache 2 - LDAP access
Revision as of 10:45, 9 June 2014
This explains how to use LDAP to secure some part(s) of a website.
LDAP authentication
Modules and options list
List of Apache 2.2.x directives with their roles and recommended values:
- AuthType
Role | Tells Apache which authentication type to use |
Value | basic |
Mandatory | Yes |
- AuthName
Role | Name shown in the authentication window |
Value | “Authentication to my service” |
Mandatory | Yes |
- AuthBasicProvider
Role | Tells Apache which authentication provider to use (mod_authnz_ldap registers the provider name "ldap"; LDAP over SSL is selected by a ldaps:// URL in AuthLDAPURL, not by the provider name) |
Value | ldap |
Mandatory | Yes |
- AuthzLDAPAuthoritative
Role | Tells Apache whether or not a failed authentication request can be passed to other Apache modules |
Value | off |
Mandatory | Yes |
- AuthLDAPBindDN
Role | The distinguished name (DN) of the service account. This user is used to search the LDAP directory and perform the real user authentication |
Value | Pattern: UID=myUser,OU=myGroup,DC=myServer
Example: uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu |
Mandatory | No |
- AuthLDAPBindPassword
Role | The password for the user account configured via the AuthLDAPBindDN directive |
Value | |
Mandatory | No |
- AuthLDAPURL
Role | URL that tells Apache which server and port to contact, the base DN to search under and the attribute to match the username against |
Value | ldaps://myServer:636/OU=group,OU=group2,DC=myServer?attribute
ldap://myServer:389/OU=group,OU=group2,DC=myServer?attribute
ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
ldap://localhost:389/ou=people,dc=vehco,dc=com?uid |
Mandatory | Yes |
Modules
Installation:
apt-get install libapache2-mod-ldap-userdir
You have to enable the following modules:
a2enmod ldap authnz_ldap
Restart server to apply changes:
service apache2 restart
Configuration
You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:
Edit the VirtualHost configuration
vim /etc/apache2/sites-available/myServer
Adjust your virtual host like this:
# LDAP protected directory
<Directory /var/www/ssl/secure>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all

    AuthType basic
    AuthName "Secure area"
    Require valid-user

    ###### Choose a LDAP provider: keep only one AuthLDAPUrl active
    # The provider name is always "ldap"; the URL scheme (ldap:// or ldaps://)
    # decides whether the connection is plain or over SSL.
    AuthBasicProvider ldap
    # If "localhost" then use LDAP.
    AuthLDAPUrl "ldap://myServer:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
    # If remote URL then use LDAP over SSL (uncomment this line and comment the one above)
    #AuthLDAPUrl "ldaps://myServer:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
    ######
    # LDAP URL pattern:
    # AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=},{LDAP server DC=}?uid"
</Directory>
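The choice between ldap:// for localhost and ldaps:// for a remote server is easy to get wrong when several AuthLDAPUrl lines are copied around. The following added example (not part of the original page) is a small linter that parses every AuthLDAPUrl in a configuration and reports plain ldap:// connections to a non-local host, plus any AuthBasicProvider value other than "ldap"; the configuration it scans is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample config (not from the page): one insecure remote URL,
# one secure URL, one localhost URL and one misspelled provider name.
SAMPLE_CONFIG = """
<Directory /var/www/ssl/secure>
    AuthType basic
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://myServer:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
    AuthLDAPUrl "ldaps://myServer:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
    AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
    AuthBasicProvider ldaps
</Directory>
"""

URL_RE = re.compile(r'^\s*AuthLDAPUrl\s+"?([^"\s]+)"?', re.IGNORECASE)
PROVIDER_RE = re.compile(r'^\s*AuthBasicProvider\s+(\S+)', re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_ldap_url(url):
    """Split scheme://host:port/base_dn?attribute; defaults follow mod_authnz_ldap
    (port 389 for ldap, 636 for ldaps, attribute uid). The host is lower-cased."""
    u = urlparse(url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return {"scheme": u.scheme, "host": u.hostname, "port": port,
            "base_dn": u.path.lstrip("/"), "attribute": u.query or "uid"}


def lint_config(text):
    """Return (line_number, message) findings, in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROVIDER_RE.match(line)
        if m and m.group(1).lower() != "ldap":
            findings.append((n, f'unknown provider "{m.group(1)}": '
                                'mod_authnz_ldap registers only "ldap"'))
        m = URL_RE.match(line)
        if not m:
            continue
        p = parse_ldap_url(m.group(1))
        # Plain ldap:// to a remote host sends the bind DN password and every
        # user's password in clear text across the network.
        if p["scheme"] == "ldap" and p["host"] not in LOCAL_HOSTS:
            findings.append((n, f'plain ldap:// to remote host {p["host"]}:'
                                f'{p["port"]}; use ldaps:// (port 636)'))
    return findings
```

Run `lint_config(open("/etc/apache2/sites-available/myServer").read())` against a real site file; an empty list means no plain-text remote bind was found.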
Secure the whole website
You have to adjust your document root like this:
<VirtualHost _default_:443>
    # Restrict access to document root
    DocumentRoot /var/www/daxiongmao-ssl
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        deny from all
    </Directory>
    <Directory /var/www/daxiongmao-ssl>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        AuthType basic
        AuthName "Secure area"
        AuthBasicProvider ldap
        AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
        Require valid-user
    </Directory>
[…]