Latest revision as of 15:28, 13 March 2022
Configuring LDAP based authentication for apache
To configure LDAP based authentication for apache use:
- Make sure the LDAP modules are available. The directives used below (AuthBasicProvider ldap, AuthLDAPURL, Require ldap-group, ...) belong to mod_authnz_ldap, which needs mod_ldap loaded as well. On CentOS 6 both modules ship inside the httpd package itself and are loaded from /etc/httpd/conf/httpd.conf; the separately packaged 'mod_authz_ldap' (installed with 'yum -y install mod_authz_ldap') is a different module with its own AuthzLDAP* directives and is not what the configuration below uses.
- In CentOS 7 the modules are in the mod_ldap package: 'yum -y install mod_ldap'. On either release, 'httpd -M | grep ldap' should list both ldap_module and authnz_ldap_module before going further.
- For the appropriate Location or VirtualHost configure authentication using:
    Options all
    AllowOverride All
    Order deny,allow
    Allow from All
    AuthType Basic
    AuthName "Test1 SVN repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
    Require ldap-attribute gidNumber=501
    #Satisfy any
- The AuthLDAPURL has the form ldap://host:port/basedn?attribute: the login name typed by the user is looked up as that attribute (here uid) below the base DN, with a subtree search by default. 'AuthLDAPGroupAttribute memberUid' together with 'AuthLDAPGroupAttributeIsDN off' makes the ldap-group check compare the user's uid, not the full DN, against the group's memberUid values, which is how posixGroup entries record their members.
- 'Options all' and 'AllowOverride All' have nothing to do with authentication and grant more (Indexes, Includes, ExecCGI, FollowSymLinks) than a repository location needs; 'AllowOverride' is in any case only valid inside a <Directory> section, and httpd refuses to start if it appears in a <Location> or <VirtualHost>.
- In CentOS 7 (httpd 2.4) the 'AuthzLDAPAuthoritative' directive no longer exists and must be removed, not just left out. 'Order', 'Allow' and 'Satisfy' survive there only through mod_access_compat; the native 2.4 forms are 'Require ip' and the <RequireAny>/<RequireAll> containers.
Note:
- With httpd 2.2 several 'Require' lines in one section are alternatives: the request is authorized as soon as one of them matches, whether or not 'Satisfy any' is set. Additional users can therefore be admitted with further lines such as:
- Require valid-user
- Require ldap-user <Username>
- Require ldap-dn <DN>
- Require ldap-attribute <attribute=value>
- Require ldap-filter <filter-condition>
- where a match on any one of the above is sufficient. (In httpd 2.4 bare Require lines in a section are likewise implicitly OR'd; write <RequireAny> around them to make that explicit.)
- 'Satisfy any' means something different: the request is served if either the host-based check (Order/Allow/Deny) or the user authentication succeeds. Combined with 'Allow from All', as in the block above, 'Satisfy any' serves every request without ever asking for a password, which is why the line is commented out there. Only enable 'Satisfy any' together with a restrictive 'Allow from' list, as in the last section of this page.
Note for the above settings to work, the server must be able to resolve ldap.virtual-labs.ac.in to an IP address. A simple way of achieving this is to add the mapping '10.4.12.152 ldap.virtual-labs.ac.in' to the '/etc/hosts' file.
Both HTTP Basic authentication and a plain ldap:// connection on port 389 carry the user's password in clear text. Serve the protected location over HTTPS only, and use ldaps:// or STARTTLS towards the directory (the optional mode argument of AuthLDAPURL, e.g. 'AuthLDAPURL "ldap://..." STARTTLS', with the directory's CA made known through LDAPTrustedGlobalCert).
More information about LDAP authentication for apache is available at http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html
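The same location written for httpd 2.4 on CentOS 7, as an added example that is not the page's own configuration: the host, base DN, group attribute settings and both Require rules are the page's; the mount point /svn/test1, the use of STARTTLS and the CA file path are assumptions.

```apache
# httpd 2.4 (CentOS 7): mod_ldap and mod_authnz_ldap come from the mod_ldap package,
# which drops a LoadModule snippet into /etc/httpd/conf.modules.d/.
# CA that signed the LDAP server's certificate (assumed path); needed for STARTTLS.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/virtual-labs-ca.pem

<Location /svn/test1>
    AuthType Basic
    AuthName "Test1 SVN repository"
    AuthBasicProvider ldap
    # Same URL as the 2.2 block; the trailing STARTTLS keeps both the user's
    # password and the bind password off the wire.
    AuthLDAPURL "ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid" STARTTLS
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    # No AuthzLDAPAuthoritative, Order, Allow or Satisfy in 2.4. The two rules are
    # alternatives, so they go inside RequireAny; RequireAll would demand both.
    <RequireAny>
        Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
        Require ldap-attribute gidNumber=501
    </RequireAny>
</Location>
```

Check the result with 'httpd -t' before reloading; an 'Invalid command' error at this point usually means mod_ldap is not installed or a 2.2-only directive such as AuthzLDAPAuthoritative was left in. A 'Satisfy any' plus 'Allow from <IP>' pair from 2.2 becomes a <RequireAny> containing 'Require ip <IP>' and 'Require valid-user' in this syntax.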
Authenticating with bind DN
LDAP authentication works as a search followed by a bind: the module first searches the directory to turn the supplied login name (uid) into a DN, and then binds as that DN with the password the user supplied. With the configuration above the search is done anonymously, so if anonymous users are not allowed to search the directory, that configuration is not enough. (Refer http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authenphase)
To check whether an anonymous user can search on 'uid' to obtain the 'dn', try:
    ldapsearch -LLL -x -h <ldap_server> -b 'dc=virtual-labs,dc=ac,dc=in' '(uid=<uid>)' dn
replacing <ldap_server> with the server FQDN or IP and <uid> with the uid of some user (newer OpenLDAP clients have dropped '-h'; use '-H ldap://<ldap_server>' there). If no dn line is printed, the LDAP server does not permit unauthenticated search. This is known to be the case for the LDAP server that comes with the deepofix Debian mail server package.
To authenticate in such cases an LDAP bind DN and the corresponding password have to be specified in the configuration as:
    Options all
    AllowOverride All
    Order deny,allow
    Allow from All
    AuthType Basic
    AuthName "Test1 SVN repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
    AuthLDAPBindDN uid=<uid>,ou=People,dc=virtual-labs,dc=ac,dc=in
    AuthLDAPBindPassword "<password>"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
    Require ldap-attribute gidNumber=501
    #Satisfy any
so that the apache LDAP authentication module first binds with the DN given as AuthLDAPBindDN and its password in order to run the uid search, and then tries a second bind as the resulting DN with the password supplied by the user. As in the first block, 'Satisfy any' is commented out: together with 'Allow from All' it would serve the location with no authentication at all.
The bind password sits in clear text in the configuration file, so use a dedicated account that can do nothing but read the people and groups subtrees, keep the file readable by root only (httpd reads its configuration before dropping privileges), and do not reuse an administrator's credentials. On httpd 2.4.5 and later the password can also be fetched from a program with 'AuthLDAPBindPassword exec:/path/to/script' instead of being written into the file.
Authentication only from unknown or untrusted IPs
Sometimes it is desirable to require authentication only from unknown or untrusted IPs, while requests from trusted addresses are served without a password. With httpd 2.2 this can be achieved using:
    <Location />
        Options all
        Order allow,deny
        Allow from <IP1>
        Allow from <IP2>
        AuthType Basic
        AuthName "Auth"
        AuthBasicProvider ldap
        AuthLDAPURL <LDAP server LDAP URI>
        Require valid-user
        Satisfy any
    </Location>
Here 'Order allow,deny' with explicit 'Allow from' lines makes the host check pass only for the listed addresses, and 'Satisfy any' lets those requests through without credentials while everyone else must authenticate against LDAP. This is the one combination in which 'Satisfy any' is safe: replacing the list with 'Allow from All' would disable authentication for everybody. Keep the list short and specific (single hosts or networks such as 10.4.12.0/24), remember that every address on it gets the same access as an authenticated user, and note that behind a reverse proxy or NAT 'Allow from' sees the proxy's address rather than the client's unless mod_remoteip is configured. In httpd 2.4 the same policy is a <RequireAny> containing 'Require ip <IP1> <IP2>' and 'Require valid-user'.
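The following added example (not Apache's code and not part of the original page) models how httpd 2.2 combines Order/Allow, the Require alternatives listed under Note above, and Satisfy, so the three configurations on this page can be compared side by side: the page's first location, the same location with 'Satisfy any' switched on, and the trusted-IP location from this section. The directory entries, the passwords, the client addresses and the trusted range 10.4.12.0/24 are constructed sample data; the search-then-bind step can be told that anonymous search is refused to show why the bind DN is needed.

```python
"""Model of how httpd 2.2 combines Order/Allow, Require and Satisfy for an
LDAP-protected Location. Added example, not Apache's code: it imitates the
documented semantics so the effect of each directive can be checked quickly.
The directory below is constructed sample data shaped like the page's tree."""
import ipaddress

PEOPLE_BASE = "ou=people,dc=virtual-labs,dc=ac,dc=in"
ADMIN_GROUP = "cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in"
DIRECTORY = {
    "uid=alice," + PEOPLE_BASE: {"uid": "alice", "gidNumber": "501", "userPassword": "alice-pw"},
    "uid=bob," + PEOPLE_BASE: {"uid": "bob", "gidNumber": "502", "userPassword": "bob-pw"},
    "uid=carol," + PEOPLE_BASE: {"uid": "carol", "gidNumber": "502", "userPassword": "carol-pw"},
    ADMIN_GROUP: {"cn": "admin", "memberUid": ["bob"]},
}
# AuthLDAPGroupAttribute memberUid / AuthLDAPGroupAttributeIsDN off, as on the page:
# membership is tested against the user's uid, not the full DN.
GROUP_ATTR, GROUP_ATTR_IS_DN = "memberUid", False


def authenticate(uid, password, anon_search=True, bind_dn_configured=False):
    """Search-then-bind. Returns the user's DN on success, otherwise None."""
    # Phase 1: search uid -> dn. If the directory refuses anonymous searches,
    # this only works when AuthLDAPBindDN/AuthLDAPBindPassword are set.
    if not (anon_search or bind_dn_configured):
        return None
    hits = [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + PEOPLE_BASE) and e.get("uid") == uid]
    if len(hits) != 1:  # no entry, or an ambiguous match: authentication fails
        return None
    # Phase 2: bind as that DN with the password the client sent.
    return hits[0] if DIRECTORY[hits[0]]["userPassword"] == password else None


def require_matches(rule, dn):
    """Evaluate one 'Require <type> [arg]' line for an authenticated DN."""
    kind = rule[0]
    arg = rule[1] if len(rule) > 1 else None
    entry = DIRECTORY[dn]
    if kind == "valid-user":
        return True
    if kind == "ldap-user":
        return entry["uid"] in arg.split()
    if kind == "ldap-dn":
        return dn.lower() == arg.lower()
    if kind in ("ldap-attribute", "ldap-filter"):
        # ldap-filter is modelled for the simple equality form "(attr=value)" only.
        attr, _, value = arg.strip("()").partition("=")
        return entry.get(attr) == value
    if kind == "ldap-group":
        members = DIRECTORY.get(arg, {}).get(GROUP_ATTR, [])
        return (dn if GROUP_ATTR_IS_DN else entry["uid"]) in members
    raise ValueError("unknown Require type: " + kind)


def host_allowed(client_ip, order, allow_from):
    """Order/Allow evaluation; Deny lines are not modelled. 'All' matches everything."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(a.lower() == "all" or ip in ipaddress.ip_network(a, strict=False)
                 for a in allow_from)
    # allow,deny: denied unless listed.  deny,allow (no Deny lines): always allowed.
    return listed if order == "allow,deny" else True


def decide(cfg, client_ip, credentials=None, **ldap_opts):
    """True if httpd would serve the request; credentials is (uid, password) or None."""
    host_ok = host_allowed(client_ip, cfg["order"], cfg["allow_from"])
    user_ok = False
    if credentials is not None:
        dn = authenticate(*credentials, **ldap_opts)
        # Several Require lines are alternatives: one match is enough.
        user_ok = dn is not None and any(require_matches(r, dn) for r in cfg["require"])
    if cfg.get("satisfy", "all") == "any":   # 'Satisfy all' is the default
        return host_ok or user_ok
    return host_ok and user_ok


# The page's first Location: everyone passes the host check, so only Require decides.
PAGE_CONFIG = {
    "order": "deny,allow", "allow_from": ["All"],
    "require": [("ldap-group", ADMIN_GROUP), ("ldap-attribute", "gidNumber=501")],
    "satisfy": "all",
}
# The same Location with the commented-out 'Satisfy any' re-enabled.
BYPASSED_CONFIG = dict(PAGE_CONFIG, satisfy="any")
# The page's last Location, with 10.4.12.0/24 assumed to be the trusted range.
TRUSTED_IP_CONFIG = {
    "order": "allow,deny", "allow_from": ["10.4.12.0/24"],
    "require": [("valid-user",)],
    "satisfy": "any",
}

if __name__ == "__main__":
    outside = "203.0.113.5"
    print("alice (gidNumber 501) with password:", decide(PAGE_CONFIG, outside, ("alice", "alice-pw")))
    print("carol (matches neither rule) with password:", decide(PAGE_CONFIG, outside, ("carol", "carol-pw")))
    print("no credentials, Allow from All + Satisfy any:", decide(BYPASSED_CONFIG, outside))
    print("no credentials from 10.4.12.7, trusted range:", decide(TRUSTED_IP_CONFIG, "10.4.12.7"))
```

Running the script shows that alice is admitted by the gidNumber rule and bob by the admin group while carol is refused, that BYPASSED_CONFIG admits a request carrying no credentials at all from any address, and that TRUSTED_IP_CONFIG admits the unauthenticated request only from the trusted range. Passing anon_search=False to decide() makes every login fail until bind_dn_configured=True is added, which is the situation the bind DN section describes.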