Difference between revisions of "Configuring LDAP based authentication for apache"

From Notes_Wiki
m
m
Line 29: Line 29:


''Note for above settings to work, server must be able to resolve ldap.virtual-labs.ac.in to IP address. A simple way of achieving this is by adding '<tt>10.4.12.152  ldap.virtual-labs.ac.in</tt>' mapping to '<tt>/etc/hosts</tt>' file. ''
''Note for above settings to work, server must be able to resolve ldap.virtual-labs.ac.in to IP address. A simple way of achieving this is by adding '<tt>10.4.12.152  ldap.virtual-labs.ac.in</tt>' mapping to '<tt>/etc/hosts</tt>' file. ''
==Authenticating with bind DN==
'''The LDAP authentication works by search followed by bind. So anonymous users should be able to search the ldap to convert the given uid to dn, so that LDAP authentication module can later try to bind with given dn. Hence if anonymous users are not allowed to search then the above configuration may not be enough.'''.  (Refer http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authenphase)
To check whether anonymous user can search based on '<tt>uid</tt>' to get '<tt>dn</tt>' try:
<pre>
ldapsearch -LLL -x -h <ldap_server> -b 'dc=virtual-labs,dc=ac,dc=in' '(uid=<uid>)' dn
</pre>
by replacing &lt;ldap_server&gt; with server FQDN or IP and &lt;uid&gt; with uid of some user. If you do not see any dn line then given ldap server does not permits unauthenticated search. This is known for ldap server which comes with deepofix debian mail server package.
To authenticate in such cases an LDAP bind dn and corresponding password has to be specified in configuration file as:
<pre>
  Options all
  AllowOverride All
  Order deny,allow
  Deny from All
  AuthType Basic
  AuthName "Test1 SVN repository"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
  AuthLDAPBindDN uid=<uid>,ou=People,dc=virtual-labs,dc=ac,dc=in
  AuthLDAPBindPassword "<password>"
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
  Require ldap-attribute gidNumber=501
  Satisfy any
</pre>
so that apache LDAP authentication module first binds with DN given as AuthLDAPBindDN and given password so that it can perform the search with the given filter. Then a bind is tried for resulting dn with the password supplied by the user.




Back to [[Apache web server configuration]] or [[OpenLDAP server configuration]]
Back to [[Apache web server configuration]] or [[OpenLDAP server configuration]]

Revision as of 12:06, 30 November 2012

Configuring LDAP based authentication for apache

To configure LDAP based authentication for apache use:

  1. Install mod_authz_ldap package using 'yum -y install mod_authz_ldap'
  2. For the appropriate Location or VirtualHost configure authentication using:
    Options all
    AllowOverride All
    Order deny,allow
    Deny from All
    AuthType Basic
    AuthName "Test1 SVN repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
    Require ldap-attribute gidNumber=501
    Satisfy any

Note:

  • Satisfy any ensures that only one of the require line needs to succed for authentication to succeed. Hence we can allow additional users using following:
    • Require ldap-user
    • Require ldap-dn
    • Require ldap-attribute
    • Require ldap-filter
    where if any of the above match succeeds authentication would be considered as successful.

Note for above settings to work, server must be able to resolve ldap.virtual-labs.ac.in to IP address. A simple way of achieving this is by adding '10.4.12.152 ldap.virtual-labs.ac.in' mapping to '/etc/hosts' file.


Authenticating with bind DN

The LDAP authentication works by search followed by bind. So anonymous users should be able to search the ldap to convert the given uid to dn, so that LDAP authentication module can later try to bind with given dn. Hence if anonymous users are not allowed to search then the above configuration may not be enough.. (Refer http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authenphase)

To check whether anonymous user can search based on 'uid' to get 'dn' try:

ldapsearch -LLL -x -h <ldap_server> -b 'dc=virtual-labs,dc=ac,dc=in' '(uid=<uid>)' dn

by replacing <ldap_server> with server FQDN or IP and <uid> with uid of some user. If you do not see any dn line then given ldap server does not permits unauthenticated search. This is known for ldap server which comes with deepofix debian mail server package.

To authenticate in such cases an LDAP bind dn and corresponding password has to be specified in configuration file as:

   Options all
   AllowOverride All
   Order deny,allow
   Deny from All
   AuthType Basic
   AuthName "Test1 SVN repository"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
   AuthLDAPBindDN uid=<uid>,ou=People,dc=virtual-labs,dc=ac,dc=in
   AuthLDAPBindPassword "<password>"
   AuthLDAPGroupAttribute memberUid
   AuthLDAPGroupAttributeIsDN off
   Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
   Require ldap-attribute gidNumber=501
   Satisfy any

so that apache LDAP authentication module first binds with DN given as AuthLDAPBindDN and given password so that it can perform the search with the given filter. Then a bind is tried for resulting dn with the password supplied by the user.


Back to Apache web server configuration or OpenLDAP server configuration