HOWTO_Apache2_and_mod_auth_ldap

This article is part of the HOWTO series.

Prerequisites

I'm going to assume you've got an Apache webserver and an OpenLDAP server up and running. If you don't, please install them first. For further information on how to install and configure them, see OpenLDAP and HOWTO Install Apache2.

Procedure

This article is no longer up to date and needs maintenance.
For people who tried this and have problems now, you may want to look at this Blog:
http://www.ng-lab.org/webapp/v5/drupal/?q=node/74. --212.126.165.190 09:04, 30 January 2008 (UTC)


First, you must install the mod_auth_ldap package. Check the USE flags to make sure it installs to the correct version of Apache you're using:

# USE="apache2" emerge -pv mod_auth_ldap

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N    ] net-www/mod_auth_ldap-3.3  USE="apache2 berkdb gdbm -disk-cache -mem-cache" 518 kB

# emerge mod_auth_ldap

Warning: this is now a USE-flag for apache. I'll try to update this wiki later. The useflag is ldap btw. --83.160.243.42 14:25, 11 August 2007 (UTC) Ewoud

After installation, edit your /etc/conf.d/apache2 file and add '-D AUTH_LDAP' to the APACHE2_OPTS value. It looks like this on my install:

APACHE2_OPTS="-D SSL -D SSL_DEFAULT_VHOST -D PHP5 -D USERDIR -D AUTH_LDAP"

Now, you have to restart Apache:

# /etc/init.d/apache2 restart

Setting Permissions

Restricting access to users

Now it gets a little tricky. It all depends on how you're planning to administer your users. Let's say that in a given directory you want to give access to any valid user registered on your LDAP server. The .htaccess file on that directory should look like this:

File: .htaccess
AuthName "Realm"
AuthType Basic

LDAP_Server localhost
LDAP_Port 389

Base_DN "dc=example,dc=com"
UID_Attr uid
 
require valid-user

Of course, you have to adjust the values to suit your LDAP server. For example, if you're using LDAP over SSL (LDAPS), the default port is 636 instead of 389.

Restricting access to specific users

Now, on another directory, you want only Bill and Joe to have access. Your .htaccess file should look like this:

File: .htaccess
AuthName "Another Realm"
AuthType Basic

LDAP_Server localhost
LDAP_Port 389

Base_DN "dc=example,dc=com"
UID_Attr uid
 
require user bill joe

This way, only users with uid=bill or uid=joe will be able to access the directory.

Restricting access to a group of users

But if the list of users with access to this directory changes a lot, you'll find yourself constantly editing the file. Since you probably don't want that, it's better to create a group in your LDAP server and assign users to that group; this is much easier to maintain. To give access to a group, do this:

File: .htaccess
AuthName "Third Realm"
AuthType Basic

LDAP_Server localhost
LDAP_Port 389

Base_DN "dc=example,dc=com"
UID_Attr uid
 
require group cn=MyGroup,ou=Groups

Notice that you don't have to put the entire DN of the group in the file. In the above example, the module appends Base_DN and searches for cn=MyGroup,ou=Groups,dc=example,dc=com

Also, for 'require group' to work, the group must be stored in LDAP following the pattern shown below (a groupOfUniqueNames entry whose uniquemember values are the full DNs of the users):

dn: cn=MyGroup,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: MyGroup
description: Testing LDAP require group functionality
uniquemember: uid=bill,ou=People,dc=example,dc=com
uniquemember: uid=joe,ou=People,dc=example,dc=com
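To sanity-check what a given require line admits before you deploy an .htaccess, here is an added example (not part of the original page or the mod_auth_ldap module) that models the 'require user' and 'require group' decisions offline against a constructed in-memory copy of the directory above. It assumes the Base_DN and UID_Attr values from the .htaccess files on this page and the two user DNs listed in the group entry; the real module performs these lookups over LDAP.

```python
"""Offline model of mod_auth_ldap require checks (constructed example)."""

# Constructed directory: the group entry from this page plus three user entries.
# Keys are DNs; values map lowercase attribute names to their value lists.
DIRECTORY = {
    "uid=bill,ou=People,dc=example,dc=com": {"uid": ["bill"]},
    "uid=joe,ou=People,dc=example,dc=com": {"uid": ["joe"]},
    "uid=ann,ou=People,dc=example,dc=com": {"uid": ["ann"]},
    "cn=MyGroup,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": ["MyGroup"],
        "uniquemember": ["uid=bill,ou=People,dc=example,dc=com",
                         "uid=joe,ou=People,dc=example,dc=com"],
    },
}
BASE_DN = "dc=example,dc=com"   # Base_DN from the .htaccess examples
UID_ATTR = "uid"                # UID_Attr from the .htaccess examples


def find_user_dn(uid):
    """Map a login name to the DN whose UID_Attr matches it, searching under Base_DN."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(BASE_DN.lower()) and uid in attrs.get(UID_ATTR, []):
            return dn
    return None


def resolve_group_dn(group):
    """A 'require group' value without the base suffix is completed with Base_DN."""
    if group.lower().endswith(BASE_DN.lower()):
        return group
    return f"{group},{BASE_DN}"


def authorized(uid, require):
    """Return True if user `uid` satisfies the given require line (without the keyword)."""
    user_dn = find_user_dn(uid)
    if user_dn is None:
        return False  # unknown account: authentication would already have failed
    kind, _, args = require.partition(" ")
    if kind == "valid-user":
        return True
    if kind == "user":
        return uid in args.split()
    if kind == "group":
        group = DIRECTORY.get(resolve_group_dn(args.strip('"')))
        if group is None or "groupOfUniqueNames" not in group.get("objectclass", []):
            return False  # missing group, or not stored in the required pattern
        return user_dn in group.get("uniquemember", [])
    raise ValueError(f"unsupported require type: {kind}")
```

Membership is decided on the user's full DN, so a group whose uniquemember values are bare uids rather than DNs will deny everyone, which is the most common cause of a 'require group' that never matches.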

Restricting access to users selected by LDAP filter

You can also select users with an arbitrary LDAP search filter, like this:

File: .htaccess
AuthName "Last Realm"
AuthType Basic

LDAP_Server localhost
LDAP_Port 389

Base_DN "dc=example,dc=com"
UID_Attr uid
 
require filter "(&(telephonenumber=1234)(roomnumber=123))"

Extras

There are three other directives that can be configured:

Also, you should know that I've only tested authentication with users whose passwords were stored in crypt format. I'm not sure if any other form of hashing is supported.

Meaning of each USE Flag

Troubleshooting

The module name is changed to mm_auth_ldap_module in mod_auth_ldap v3.x. Look at these references to correctly complete your installation.

http://bugs.gentoo.org/show_bug.cgi?id=114453
http://www.muquit.com/muquit/software/mod_auth_ldap/README3.4.txt

External References

Retrieved from "http://www.gentoo-wiki.info/HOWTO_Apache2_and_mod_auth_ldap"

Last modified: Sun, 31 Aug 2008 23:08:00 +0000