Difference between revisions of "Configuring LDAP based authentication for apache"

From Notes_Wiki

Revision as of 14:45, 2 April 2016


Configuring LDAP based authentication for apache

To configure LDAP based authentication for apache use:

  1. Install the mod_authz_ldap package using 'yum -y install mod_authz_ldap'
    In CentOS 7 the package name has changed to mod_ldap
  2. For the appropriate Location or VirtualHost configure authentication using:
    Options all
    AllowOverride All
    Order deny,allow
    Allow from All
    AuthType Basic
    AuthName "Test1 SVN repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
    Require ldap-attribute gidNumber=501
    #Satisfy any
    In CentOS 7 the 'AuthzLDAPAuthoritative on' line is not required.

Note:

  • Satisfy any ensures that only one of the Require lines needs to succeed for authentication to succeed. Hence additional users can be allowed using the following:
    • Require valid-user
    • Require ldap-user <Username>
    • Require ldap-dn <DN>
    • Require ldap-attribute <attribute=value>
    • Require ldap-filter <filter-condition>
    If any of the above matches, authentication is considered successful.

Note: for the above settings to work, the server must be able to resolve ldap.virtual-labs.ac.in to an IP address. A simple way of achieving this is to add a '10.4.12.152 ldap.virtual-labs.ac.in' mapping to the '/etc/hosts' file.

More information about LDAP authentication for apache is available at http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html


Authenticating with bind DN

LDAP authentication works as a search followed by a bind. Anonymous users must therefore be able to search the LDAP directory to convert the given uid to a dn, so that the LDAP authentication module can then try to bind with that dn. Hence, if anonymous users are not allowed to search, the above configuration may not be enough. (Refer to http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authenphase)

To check whether an anonymous user can search on 'uid' to obtain the 'dn', try:

ldapsearch -LLL -x -h <ldap_server> -b 'dc=virtual-labs,dc=ac,dc=in' '(uid=<uid>)' dn

replacing <ldap_server> with the server FQDN or IP and <uid> with the uid of some user. If you do not see any dn line, then the given LDAP server does not permit unauthenticated search. This is known to be the case for the LDAP server that comes with the deepofix Debian mail server package.

To authenticate in such cases, an LDAP bind DN and the corresponding password have to be specified in the configuration file as:

   Options all
   AllowOverride All
   Order deny,allow
   Allow from All
   AuthType Basic
   AuthName "Test1 SVN repository"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPURL ldap://ldap.virtual-labs.ac.in:389/ou=people,dc=virtual-labs,dc=ac,dc=in?uid
   AuthLDAPBindDN uid=<uid>,ou=People,dc=virtual-labs,dc=ac,dc=in
   AuthLDAPBindPassword "<password>"
   AuthLDAPGroupAttribute memberUid
   AuthLDAPGroupAttributeIsDN off
   Require ldap-group cn=admin,ou=groups,dc=virtual-labs,dc=ac,dc=in
   Require ldap-attribute gidNumber=501
   Satisfy any

so that the Apache LDAP authentication module first binds with the DN given as AuthLDAPBindDN and its password in order to perform the search with the given filter. A second bind is then attempted with the resulting dn and the password supplied by the user.


Authentication only from unknown or untrusted IPs

Sometimes it is desirable to require authentication only from unknown or untrusted IPs. This can be achieved using:

   <Location />
       Options all
       Order allow,deny
       Allow from <IP1>
       Allow from <IP2>
       AuthType Basic
       AuthName "Auth"
       AuthBasicProvider ldap
       AuthLDAPURL <LDAP server LDAP URI>
       Require valid-user
       Satisfy any
   </Location>
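Under Apache 2.2 (the Order/Allow syntax used on this page), 'Satisfy any' grants a request when either the host-based Allow rules or the Require lines pass, which is exactly what the block above relies on; placed after 'Allow from All', as in the bind-DN block, it means the Require lines are never consulted and no password is ever asked for. The following added Python example (not from the wiki page) classifies reduced, constructed versions of the three fragments by what they actually enforce; the DN and the 192.0.2.x addresses are placeholders, and no Deny directives are assumed.

```python
# Added example (not from the wiki page): classify Apache 2.2 access-control
# fragments by what they enforce. Assumes Apache 2.2 Order/Allow/Satisfy
# semantics and no Deny directives, as in the fragments on this page.
OPEN, AUTH_ALL, AUTH_UNTRUSTED_ONLY, RESTRICTED_AND_AUTH, NO_AUTH = (
    "OPEN", "AUTH_ALL", "AUTH_UNTRUSTED_ONLY", "RESTRICTED_AND_AUTH", "NO_AUTH")

def parse_fragment(text):
    """Pull Order, Allow from, Satisfy and Require out of a fragment.
    Commented lines (such as '#Satisfy any') are ignored, as Apache does."""
    order, allows, satisfy, requires = "deny,allow", [], "all", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "order":
            order = val.replace(" ", "").lower()
        elif key == "allow" and val.lower().startswith("from"):
            allows.append(val[4:].strip().lower())
        elif key == "satisfy":
            satisfy = val.lower()
        elif key == "require":
            requires.append(val)
    return order, allows, satisfy, requires

def everyone_passes_host_rules(order, allows):
    """True when the host-based stage admits any client (no Deny lines assumed):
    'Order deny,allow' allows by default; 'Order allow,deny' admits only listed hosts."""
    return "all" in allows or order == "deny,allow"

def classify(text):
    order, allows, satisfy, requires = parse_fragment(text)
    if not requires:
        return NO_AUTH
    everyone = everyone_passes_host_rules(order, allows)
    if satisfy == "any":
        # host rules OR Require: when the host rules admit everyone, Require never runs
        return OPEN if everyone else AUTH_UNTRUSTED_ONLY
    return AUTH_ALL if everyone else RESTRICTED_AND_AUTH

# Constructed fragments reduced to the directives that decide access (placeholder DN/IPs).
SEARCH_THEN_BIND = ("Order deny,allow\nAllow from All\nAuthType Basic\n"
                    "Require ldap-group cn=admin,ou=groups,dc=example,dc=org\n#Satisfy any\n")
BIND_DN = SEARCH_THEN_BIND.replace("#Satisfy any", "Satisfy any")
TRUSTED_IPS = ("Order allow,deny\nAllow from 192.0.2.10\nAllow from 192.0.2.11\n"
               "AuthType Basic\nRequire valid-user\nSatisfy any\n")

if __name__ == "__main__":
    for name, frag in [("search-then-bind", SEARCH_THEN_BIND),
                       ("bind-dn", BIND_DN), ("trusted-ips", TRUSTED_IPS)]:
        print(f"{name}: {classify(frag)}")
```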

