Configuring LDAP based authentication for apache
To configure LDAP based authentication for apache use:
- Install mod_authz_ldap package using 'yum -y install mod_authz_ldap'
- In CentOS 7 the package name is changed to mod_ldap
- For the appropriate Location or VirtualHost configure authentication using:
    Options all
    AllowOverride All
    Order deny,allow
    Allow from All
    AuthType Basic
    AuthName "Test1 SVN repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
    Require ldap-attribute gidNumber=501
    #Satisfy any
- In CentOS 7 (Apache 2.4) the 'AuthzLDAPAuthoritative on' line is not required.
- Satisfy any ensures that only one of the Require lines needs to succeed for authentication to succeed. Hence we can allow additional users using the following:
- Require valid-user
- Require ldap-user <Username>
- Require ldap-dn <DN>
- Require ldap-attribute <attribute=value>
- Require ldap-filter <filter-condition>
- where, if any of the above matches succeeds, authentication is considered successful.
Note: for the above settings to work, the server must be able to resolve ldap.virtual-labs.ac.in to an IP address. A simple way of achieving this is to add the mapping '10.4.12.152 ldap.virtual-labs.ac.in' to the '/etc/hosts' file.
More information about LDAP authentication for apache is available at http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html
Authenticating with bind DN
LDAP authentication works by a search followed by a bind. Anonymous users should therefore be able to search the LDAP directory to convert the given uid to a DN, so that the LDAP authentication module can later try to bind with that DN. Hence, if anonymous users are not allowed to search, the above configuration may not be enough (refer to http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authenphase).
To check whether an anonymous user can search based on 'uid' to obtain the 'dn', try:
    ldapsearch -LLL -x -h <ldap_server> -b 'dc=virtual-labs,dc=ac,dc=in' '(uid=<uid>)' dn
replacing <ldap_server> with the server FQDN or IP and <uid> with the uid of some user. If you do not see any dn line, the given LDAP server does not permit unauthenticated search. This is known to be the case for the LDAP server that comes with the deepofix Debian mail server package.
To authenticate in such cases, an LDAP bind DN and the corresponding password have to be specified in the configuration file as:
    Options all
    AllowOverride All
    Order deny,allow
    Allow from All
    AuthType Basic
    AuthName "Test1 SVN repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
    AuthLDAPBindDN uid=<uid>,ou=People,dc=virtual-labs,dc=ac,dc=in
    # The bind password is stored in clear text here; keep this file readable only by root and the httpd user
    AuthLDAPBindPassword "<password>"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
    Require ldap-attribute gidNumber=501
    # Left commented out as in the first example: together with 'Allow from All',
    # an active 'Satisfy any' would admit every client without LDAP authentication
    #Satisfy any
so that the Apache LDAP authentication module first binds with the DN given as AuthLDAPBindDN and the given password, which lets it perform the search with the given filter. A bind is then attempted with the resulting DN and the password supplied by the user.
Authentication only from unknown or untrusted IPs
Sometimes it may be desired to require authentication only from unknown or untrusted IPs, with clients from the listed trusted IPs admitted without credentials. This can be achieved using:
    <Location />
        Options all
        Order allow,deny
        Allow from <IP1>
        Allow from <IP2>
        AuthType Basic
        AuthName "Auth"
        AuthBasicProvider ldap
        AuthLDAPURL <LDAP server LDAP URI>
        Require valid-user
        Satisfy any
    </Location>
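As an added example (not from this page, Apache or mod_authnz_ldap), the small Python evaluator below applies Apache 2.2's Order/Allow/Deny and Satisfy rules to a client, so the effect of 'Satisfy any' in the blocks above can be checked before deploying: combined with 'Allow from All' it admits every client without credentials, whereas the trusted-IP block only waives authentication for the listed addresses. The sample fragments and their addresses are constructed.

```python
"""Evaluate an Apache 2.2-style access block (Order/Allow/Deny, Satisfy, Require)
for one client, to show which clients get in without authenticating.
Constructed for this page; it is not part of Apache or mod_authnz_ldap."""
import ipaddress

def parse_access(config):
    """Collect the directives that decide access; '#' lines match nothing and are inert."""
    rules = {"order": "deny,allow", "allow": [], "deny": [], "satisfy": "all", "require": False}
    for line in config.splitlines():
        name, _, arg = line.strip().partition(" ")
        name, arg = name.lower(), arg.strip()
        if name == "order":
            rules["order"] = arg.lower().replace(" ", "")
        elif name in ("allow", "deny") and arg.lower().startswith("from "):
            rules[name].append(arg[5:].strip())
        elif name == "satisfy":
            rules["satisfy"] = arg.lower()
        elif name == "require":
            rules["require"] = True
    return rules

def host_matches(pattern, client_ip):
    """'All', an exact address or a CIDR block (a subset of Apache's host syntax)."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip

def host_allowed(rules, client_ip):
    allowed = any(host_matches(p, client_ip) for p in rules["allow"])
    denied = any(host_matches(p, client_ip) for p in rules["deny"])
    if rules["order"] == "allow,deny":  # default deny; a Deny match overrides Allow
        return allowed and not denied
    return allowed or not denied  # deny,allow: default allow; an Allow match overrides Deny

def access_granted(config, client_ip, authenticated=False):
    """'authenticated' is the outcome of the Require (here LDAP) checks for this request."""
    rules = parse_access(config)
    host_ok = host_allowed(rules, client_ip)
    auth_ok = authenticated if rules["require"] else True
    if rules["satisfy"] == "any" and rules["require"]:
        return host_ok or auth_ok  # either the host rules or credentials suffice
    return host_ok and auth_ok  # Satisfy all (the default): both must pass

# Constructed fragments (addresses made up) mirroring the page's two patterns.
ALLOW_ALL_ANY = "Order deny,allow\nAllow from All\nRequire valid-user\nSatisfy any\n"
TRUSTED_IPS = "Order allow,deny\nAllow from 10.4.12.0/24\nAllow from 192.0.2.7\nRequire valid-user\nSatisfy any\n"
```

Calling access_granted(ALLOW_ALL_ANY, "198.51.100.9") returns True with no credentials at all, while the same fragment with 'Satisfy any' commented out returns False until authenticated=True is passed.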