Introduction
In last month's article, we talked about configuring Apache 2.1 with mod_authn_file and mod_authz_groupfile to authenticate/authorize clients to access the /publish directory. In this month's article, we are going to configure Apache 2.1 to work with a Lightweight Directory Access Protocol, or LDAP, database.
mod_authnz_ldap
We have already built our instance of Apache with LDAP support (see "Apache 2.1 Failings: mod_authnz_ldap and mod_authn_file Part I"), and discussed configuring authentication/authorization using mod_authn_file/mod_authz_groupfile (see "Apache 2.1 Failings: mod_authnz_ldap and mod_authn_file Part II"), so this month we can focus our attention on configuring the server to use LDAP for authentication/authorization.
First, make a second copy of the <Location> container that we set up to work with mod_authn_file last month, and comment out the first copy of the <Location> container (using pound signs, #, of course). The second copy should look like this:
Alias /publish /usr/local/apache21/htdocs

<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider file

    ### begin of mod_authn_file ####
    AuthUserFile /usr/local/apache21/access/service.pwd
    AuthGroupFile /usr/local/apache21/access/htgroup.wwwroot
    ### end of mod_authn_file ####

    require group admin

    Dav On
    Options None
    ForceType text/plain
</Location>
Now, remove the beginning/end comments and the AuthUserFile/AuthGroupFile statements. After doing this, your new <Location> container should look like this:
Alias /publish /usr/local/apache21/htdocs

<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider file

    require group admin

    Dav On
    Options None
    ForceType text/plain
</Location>
Next, we:

1. Change the value of AuthBasicProvider from "file" to "ldap".

2. Add an AuthLDAPURL directive with the protocol, Fully-Qualified Domain Name of your LDAP server, port, baseDN, and search criteria, in the following format:

AuthLDAPURL protocol://FQDN:port/baseDN?search_criteria
In our example, the AuthLDAPURL looks like this:

AuthLDAPURL ldap://ldap.example.com:389/ou=people,o=example?uid

protocol        = ldap
FQDN            = ldap.example.com
port            = 389
baseDN          = ou=people,o=example
search_criteria = uid

This example AuthLDAPURL tells Apache to search the container ou=people,o=example in the LDAP database on ldap.example.com for an entry whose uid equals the username supplied by the end-user.
3. Add an AuthLDAPBindDN directive, if necessary (if it is not given, Apache binds to the directory anonymously).

4. Add an AuthLDAPBindPassword directive, if necessary. Note that this password is stored in clear text in httpd.conf.

5. Change the require directive to include the new authorization attribute, which is specific to mod_authnz_ldap, and the container that defines the users with rights to access an object.

The new authorization attribute that we use in this example is "ldap-group", but it could be any of the values listed at:
http://httpd.apache.org/docs-2.1/mod/mod_authnz_ldap.html#requiredirectives

In our example, we have set the ldap-group container to: cn=admin,ou=groups,o=example

Change yours accordingly.
A final note on the require directives (which I touched on in my Apache 2.0 article). When I submitted a patch to fix what I had considered a bug (require group directives did not accept groups split by whitespace, but required that multiple require directives be used), the developers informed me that it was not a bug in mod_auth_ldap, but actually was part of the plan for the future of require directives. Therefore, it is important to note that we will need to split multiple LDAP groups across multiple require directives, and quite possibly the other require values as well (ldap-user, ldap-attribute, etc.), and this is probably not localized to the LDAP module.
Now that we have added the appropriate lines to our new <Location> container, we should have something that looks like this:
Alias /publish /usr/local/apache21/htdocs

<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider ldap

    ### Beginning mod_auth_ldap ####
    AuthLDAPURL ldap://ldap.example.com:389/ou=people,o=example?uid
    AuthLDAPBindDN "mybinddn"
    AuthLDAPBindPassword "mybindpasswd"
    ### End mod_auth_ldap ####

    require ldap-group cn=admin,ou=groups,o=example

    Dav On
    Options None
    ForceType text/plain
</Location>
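To make the AuthLDAPURL format concrete, here is an added Python example (not code from this article or from Apache httpd) that decomposes a URL into the protocol, FQDN, port, baseDN and search_criteria described above, and shows the LDAP search filter that a login attempt turns into. It goes a little beyond the article's format by also accepting the optional scope and filter fields that the mod_authnz_ldap documentation allows after the attribute; the defaults (uid, sub, (objectClass=*)) and the two permitted scopes are assumptions taken from that documentation. The escaping of the user-typed name follows RFC 4515 and is this example's own, included so that a username containing characters such as "*" or ")" cannot change the meaning of the filter.

```python
"""Decompose an AuthLDAPURL into the parts the article describes and show the
LDAP search filter that a login attempt produces.  Added example; this is not
code from the article or from Apache httpd."""
from urllib.parse import urlsplit, unquote

# Defaults assumed from the mod_authnz_ldap documentation: attribute uid,
# scope sub, filter (objectClass=*).  Port defaults follow the scheme.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"
VALID_SCOPES = ("one", "sub")  # the module documents only these two (assumption)


def parse_auth_ldap_url(url: str) -> dict:
    """Split protocol://FQDN:port/baseDN?attribute?scope?filter into fields.

    The article's format stops at the attribute (its 'search_criteria');
    the two optional fields after it are accepted as well.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported protocol: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing FQDN")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    if not base_dn:
        raise ValueError("missing baseDN")
    # Everything after the first '?' is a '?'-separated list, not key=value pairs.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    scope = scope or DEFAULT_SCOPE
    if scope not in VALID_SCOPES:
        raise ValueError(f"unsupported scope: {scope!r}")
    return {
        "protocol": parts.scheme,
        "FQDN": parts.hostname,
        "port": port,
        "baseDN": base_dn,
        "search_criteria": unquote(attribute) or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": unquote(filt) or DEFAULT_FILTER,
    }


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def login_search_filter(url: str, username: str) -> str:
    """The filter the module's user lookup amounts to: (&(filter)(attribute=user))."""
    cfg = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (
        cfg["filter"], cfg["search_criteria"], escape_filter_value(username)
    )


if __name__ == "__main__":
    url = "ldap://ldap.example.com:389/ou=people,o=example?uid"
    for key, value in parse_auth_ldap_url(url).items():
        print(f"{key} = {value}")
    print(login_search_filter(url, "speeves"))
```

Running it with the article's URL prints the same five components listed earlier (plus the defaulted scope and filter) and the filter (&(objectClass=*)(uid=speeves)); a name such as spe*ves becomes uid=spe\2aves rather than a wildcard match.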
Restart Apache, and hit your site with your favourite browser:

# lynx localhost/publish

It should prompt you for authentication, and accept your LDAP credentials to access the site. If you have problems accessing the site, set LogLevel to debug in httpd.conf, restart, and try logging in again. With LogLevel set to debug, you will see helpful information like this:
ldap.c(364): [client 127.0.0.1] [7405] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7405] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7405] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [7405] auth_ldap authorise: require group: testing for member: uid=speeves,ou=people,o=example (cn=admin,ou=groups,o=example)
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7405] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [7406] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7406] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for member: uid=speeves,ou=people,o=example (cn=admin,ou=groups,o=example)
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7406] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [7406] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7406] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for member: uid=speeves,ou=people,o=example (cn=admin,ou=groups,o=example)
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7406] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
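Reading a debug log by eye works for one login; when several users report problems it helps to fold the lines into one outcome per request. The following is an added Python example (not code from this article or from Apache httpd) that does that for the line shape shown above, separating the two questions the module answers, "did the directory accept the password?" (authenticate) and "is the user in the required group?" (authorise). The sample lines are constructed for the example: the successful ones copy the shape of the excerpt above, while the failing line is modelled on the module's style but is invented and labelled as such. Because the same child pid handles many requests in turn (pid 7406 appears for several attempts above), each "using URL" line opens a new record rather than merging into the previous one.

```python
"""Fold mod_authnz_ldap debug lines into one outcome per request.  Added
example, not code from the article or from Apache httpd.  SAMPLE_LOG is
constructed: the successful lines follow the article's excerpt, the
'authorisation failed' line is invented for illustration."""
import re

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] mod_authnz_ldap\.c\(\d+\): "
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"auth_ldap (?P<phase>authenticate|authorise): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [7405] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7405] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7405] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7405] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Wed Apr 13 06:20:11 2005] [debug] mod_authnz_ldap.c(364): [client 10.0.0.5] [7405] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:11 2005] [debug] mod_authnz_ldap.c(436): [client 10.0.0.5] [7405] auth_ldap authenticate: accepting guest
[Wed Apr 13 06:20:11 2005] [debug] mod_authnz_ldap.c(690): [client 10.0.0.5] [7405] auth_ldap authorise: require group: authorisation failed [Comparison false][Compare False]
"""


def parse_line(line: str):
    """Return the fields of one mod_authnz_ldap debug line, or None otherwise."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text: str) -> list:
    """One record per request.  A 'using URL' line opens a new record for that
    child pid, so a pid reused for later requests is not merged with earlier ones."""
    records, current = [], {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        msg = f["msg"]
        if f["phase"] == "authenticate" and msg.startswith("using URL "):
            rec = {"ts": f["ts"], "pid": f["pid"], "client": f["client"],
                   "url": msg[len("using URL "):], "user": None,
                   "authenticated": None, "authorised": None}
            records.append(rec)
            current[f["pid"]] = rec
            continue
        rec = current.get(f["pid"])
        if rec is None:
            continue  # line belongs to a request that started before the excerpt
        if f["phase"] == "authenticate":
            if msg.startswith("accepting "):
                rec["user"] = msg[len("accepting "):]
                rec["authenticated"] = True
            elif "authentication failed" in msg:
                rec["authenticated"] = False
        elif "authorisation successful" in msg:
            rec["authorised"] = True
        elif "authorisation failed" in msg:
            rec["authorised"] = False
    return records


def denied_after_valid_login(records: list) -> list:
    """(client, user) pairs whose password the directory accepted but who are
    not in the required group: the first thing to check when someone says
    'my LDAP password is right but the site keeps prompting me'."""
    return [(r["client"], r["user"]) for r in records
            if r["authenticated"] and r["authorised"] is False]


if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for r in found:
        print(r)
    print(denied_after_valid_login(found))
```

On the constructed sample this yields two records, speeves authenticated and authorised, and guest authenticated but refused by the ldap-group check, which is exactly the case where the fix is a require directive (or group membership) rather than a password.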
Conclusion
I hope that you enjoyed this month's article as much as I have. We have covered a lot of ground over the last few months: downloading and building Apache 2.1, and configuring it to use either "file"-based authentication/authorization or LDAP. Finally, our next step is to combine both "file" and LDAP authentication, which will allow Apache to authenticate/authorize users from either your htpasswd/htgroup setup or your LDAP database. See you then!!