Benchmarks Online

WWW@UNT.EDU

Apache 2.1 Failings: mod_authnz_ldap and mod_authn_file, Part III

By Shannon Eric Peevey, UNT Central Web Support

Introduction

In last month's article, we talked about configuring Apache 2.1 with mod_authn_file and mod_authz_groupfile to authenticate/authorize clients to access the /publish directory. In this month's article, we are going to configure Apache 2.1 to work with a Lightweight Directory Access Protocol, or LDAP, database.

mod_authnz_ldap

We have already built our instance of Apache with LDAP support, (see "Apache 2.1 Failings: mod_authnz_ldap and mod_authn_file Part I"), and discussed configuring authentication/authorization using mod_authn_file/mod_authz_groupfile, (see "Apache 2.1 Failings: mod_authnz_ldap and mod_authn_file Part II"), so this month, we can focus our attention on configuring the server to use LDAP for authentication/authorization.

First, make a second copy of the <Location> container that we set up to work with mod_authn_file last month, and comment out the first copy (using pound signs (#), of course). The second copy should look like this:

Alias /publish /usr/local/apache21/htdocs

<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider file

    ### begin of mod_authn_file ####
    AuthUserFile /usr/local/apache21/access/service.pwd
    AuthGroupFile /usr/local/apache21/access/htgroup.wwwroot
    ### end of mod_authn_file ####

    require group admin

    Dav On
    Options None
    ForceType text/plain
</Location>

Now, remove the begin/end comment lines and the AuthUserFile/AuthGroupFile statements. After doing this, your new <Location> container should look like this:

Alias /publish /usr/local/apache21/htdocs

<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider file

    require group admin

    Dav On
    Options None
    ForceType text/plain
</Location>

Next, we:

1. Change the value of AuthBasicProvider from "file" to "ldap".

2. Add an AuthLDAPURL directive with the protocol, Fully-Qualified Domain Name of your LDAP server, port, baseDN, and search criteria, in the following format:

AuthLDAPURL protocol://FQDN:port/baseDN?search_criteria

In our example, the AuthLDAPURL looks like this:

AuthLDAPURL ldap://ldap.example.com:389/ou=people,o=example?uid

protocol = ldap
FQDN = ldap.example.com
port = 389
baseDN = ou=people,o=example
search_criteria = uid

This example AuthLDAPURL will begin searching the container ou=people,o=example in the LDAP database found on ldap.example.com for a uid equal to the name entered by the end user.

3. Add an AuthLDAPBindDN directive if necessary (if none is given, Apache binds to the directory anonymously).

4. Add a matching AuthLDAPBindPassword directive if necessary.

5. Change the require directive to use the new authorization attribute, which is specific to mod_authnz_ldap, followed by the container that defines the users with rights to access an object.

The new authorization attribute that we use in this example is "ldap-group", but could be any of the values that are listed at:

http://httpd.apache.org/docs-2.1/mod/mod_authnz_ldap.html#requiredirectives

In our example, we have set the ldap-group container to: cn=admin,ou=groups,o=example

Change yours accordingly.

A final note on the require directives (which I touched on in my Apache 2.0 article). When I submitted a patch to fix what I had considered a bug (require group directives did not accept groups split by whitespace, but required that multiple require directives be used), the developers informed me that it was not a bug in mod_auth_ldap, but actually was part of the plan for the future of require directives. Therefore, it is important to note that we will need to split multiple LDAP groups across multiple require directives, and quite possibly the other require values as well (ldap-user, ldap-attribute, etc.; this is probably not localized to the LDAP module).

Now that we have added the appropriate lines to our new <Location> container, we should have something that looks like this:

Alias /publish /usr/local/apache21/htdocs

<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider ldap

    ### Beginning mod_auth_ldap ####
    AuthLDAPURL ldap://ldap.example.com:389/ou=people,o=example?uid
    AuthLDAPBindDN "mybinddn"
    AuthLDAPBindPassword "mybindpasswd"
    ### End mod_auth_ldap ####

    require ldap-group cn=admin,ou=groups,o=example

    Dav On
    Options None
    ForceType text/plain
</Location>
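To see exactly what the AuthLDAPURL in the container above tells the module to do, here is an added example (my own code, not Apache's) that splits the URL into the fields the mod_authnz_ldap documentation defines and builds a filter equivalent to the login search, escaping the user-supplied name per RFC 4515 so it can only be matched, never change the filter. The field names and the `cleartext` flag are my own; the defaults (uid, sub, (objectClass=*)) are the documented ones.

```python
from urllib.parse import urlsplit

# Documented AuthLDAPURL form: scheme://host:port/basedn?attribute?scope?filter
DEFAULTS = {"attribute": "uid", "scope": "sub", "filter": "(objectClass=*)"}
# RFC 4515 escapes for the characters that would otherwise alter a filter
RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally, never parsed."""
    return "".join(RFC4515.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into the fields mod_authnz_ldap documents."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    # Up to three '?'-separated fields follow the base DN; absent ones take
    # the documented defaults.
    fields = (p.query.split("?") if p.query else []) + ["", "", ""]
    attribute, scope, filt = fields[:3]
    if scope == "base":
        scope = "sub"  # the docs say a base scope is treated as sub
    if scope not in ("", "one", "sub"):
        raise ValueError("scope must be one or sub")
    return {
        "scheme": p.scheme,
        "host": p.hostname,
        "port": p.port or (636 if p.scheme == "ldaps" else 389),
        "base_dn": p.path.lstrip("/"),
        "attribute": attribute or DEFAULTS["attribute"],
        "scope": scope or DEFAULTS["scope"],
        "filter": filt or DEFAULTS["filter"],
        # Plain ldap:// carries the bind password and every user's password
        # unencrypted unless the session is upgraded to TLS; ldaps:// avoids that.
        "cleartext": p.scheme == "ldap",
    }


def login_filter(cfg, username):
    """Filter equivalent to the module's login search:
    the URL filter AND attribute=<escaped username>."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))
```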

Restart Apache, and hit your site with your favourite browser:

# lynx localhost/publish

It should prompt you for authentication, and accept your LDAP credentials to access the site. If you have problems accessing the site, set your LogLevel to debug in the httpd.conf, restart, and try logging in again. With the LogLevel set to debug, you will see helpful information like this:

ldap.c(364): [client 127.0.0.1] [7405] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7405] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7405] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [7405] auth_ldap authorise: require group: testing for member: uid=speeves,ou=people,o=example (cn=admin,ou=groups,o=example)
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7405] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [7406] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7406] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for member: uid=speeves,ou=people,o=example (cn=admin,ou=groups,o=example)
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7406] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(364): [client 127.0.0.1] [7406] auth_ldap authenticate: using URL ldap://ldap.example.com:389/ou=people,o=example?uid
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7406] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(678): [client 127.0.0.1] [7406] auth_ldap authorise: require group: testing for member: uid=speeves,ou=people,o=example (cn=admin,ou=groups,o=example)
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7406] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
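The debug output above is verbose, so as an added example (my own code, not part of the article or of Apache) here is a small parser that collapses those auth_ldap lines into one record per request id, showing who was accepted, which group was tested, whether access was granted and whether the answer came from the cache. The sample log is constructed in the shape of the article's output; the wording of the refused-login line is my assumption, as the article only shows successes.

```python
import re

# Shape of the auth_ldap debug lines shown in the article
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] (?P<src>\S+): \[client (?P<client>[^\]]+)\] "
    r"\[(?P<req>\d+)\] auth_ldap (?P<phase>authenticate|authorise): (?P<msg>.*)$"
)

# Constructed sample modelled on the article's log, plus one assumed refusal
SAMPLE_LOG = """\
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7405] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(673): [client 127.0.0.1] [7405] auth_ldap authorise: require group: testing for group membership in "cn=admin,ou=groups,o=example"
[Wed Apr 13 06:20:07 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7405] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(436): [client 127.0.0.1] [7406] auth_ldap authenticate: accepting speeves
[Wed Apr 13 06:20:09 2005] [debug] mod_authnz_ldap.c(686): [client 127.0.0.1] [7406] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (cached)][Compare True]
[Wed Apr 13 06:21:00 2005] [debug] mod_authnz_ldap.c(436): [client 10.0.0.5] [7410] auth_ldap authenticate: accepting guest
[Wed Apr 13 06:21:00 2005] [debug] mod_authnz_ldap.c(686): [client 10.0.0.5] [7410] auth_ldap authorise: require group: authorisation failed [Comparison false (adding to cache)][Compare False]
"""


def summarise_ldap_auth(lines):
    """Collapse the per-request debug chatter into one decision record each."""
    reqs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth_ldap decision line
        r = reqs.setdefault(m["req"], {"client": m["client"], "user": None,
                                       "group": None, "result": "no decision",
                                       "cached": False})
        msg = m["msg"]
        if m["phase"] == "authenticate":
            acc = re.match(r"accepting (\S+)$", msg)
            if acc:
                r["user"] = acc.group(1)
            elif "failed" in msg:
                r["result"] = "authentication failed"
        else:
            grp = re.search(r'membership in "([^"]+)"', msg)
            if grp:
                r["group"] = grp.group(1)
            if "authorisation successful" in msg:
                r["result"] = "granted"
                r["cached"] = "(cached)" in msg
            elif "authorisation failed" in msg:
                r["result"] = "denied"
    return reqs
```

A request that authenticates but never reaches a "granted" or "denied" record is worth a second look, since it means the require directive was never evaluated for it.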

Conclusion

I hope that you enjoyed this month's article as much as I have. We have covered a lot of ground over the last few months, downloading and building Apache 2.1, configuring it to use either "file"-based authentication/authorization, or LDAP, and, finally, our next step is to combine both "file" and LDAP authentication, which will allow Apache to authenticate/authorize users from either your htpasswd/htgroup setup, or your LDAP database. See you then!!

 
