Tuesday, 9 June 2009

Apache and LDAP users


Apache 2.2
mod_authnz_ldap (and enabled with a2enmod authnz_ldap under Debian+Ubuntu)

In your httpd.conf or your htaccess file, add the following:
    # Access control for this directory
AuthBasicProvider ldap
AuthType Basic
AuthName "Password Required"

AuthLDAPURL "ldap://localhost:389/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE

AuthLDAPBindDN readonly@example.com
AuthLDAPBindPassword plaintextpassword

Require ldap-group CN=somegroup,OU=someou,OU=Groups,DC=example,DC=com

This example is for connecting to an MS Active Directory server. For an OpenLDAP server, you may find that you don't need the BindDN/Pass options and you need uid instead of sAMAccountName (or possibly just "ldap://localhost/DC=domain,DC=tld").

If you look at other sites online, you'll find that a lot of users say they have to fiddle the config to get it working. Some of the common things I saw were:

  1. Setting "AuthzLDAPAuthoritative off"

  2. Specifying at least one container under the base DN (as in my example)

  3. Tweaking the GroupAttribute and GroupIsDN options

  4. Using a DN for the AuthLDAPBindDN (UPN used in my example)

  5. Enabling SSL or TLS

  6. Multiple domain controllers (simply specify them separated by spaces in your URL)

  7. Filters with "Require ldap-filter"

... As you can see there can be a lot of tweaking for specific sites. But all-in-all, the basic configuration is quite simple. If your LDAP server allows anonymous searches, you really only need the AuthLDAPURL line and it can be as simple as "ldap://localhost/DC=example,DC=com".

- Arch

Popular Posts