Apache LDAP authentication

The most basic authentication that can be configured in Apache is file-based (a password file), but in this post we will see how to configure Apache to authenticate users against an LDAP directory.

The advantages are obvious: we can use a centralized LDAP directory for authentication, both to log in to applications and to access the company's web services.

For the examples we have used Ubuntu 12.04 and Apache 2.2. The first thing we have to do is install the necessary Apache module and enable it:

sudo aptitude install libapache2-mod-ldap-userdir
sudo a2enmod authnz_ldap

Authentication is required for a directory declared inside a virtual host in Apache. A basic configuration:

<Directory /var/www/>
AuthType Basic
AuthName "Authentication system: please insert username and password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://s1.test.es:389/ou=Users,dc=zentyal?uid?sub
AuthLDAPBindDN "cn=ebox,dc=zentyal"
AuthLDAPBindPassword ly3sduWefe/BDu
require valid-user
</Directory>

What this does is:

1- Definition of the authentication provider, the authorization behaviour and the message shown in the browser (AuthName):

AuthType Basic
AuthName "Authentication system: please insert username and password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on

2- Definition of the user search path with the parameter:

AuthLDAPURL ldap://s1.test.es:389/ou=Users,dc=zentyal?uid?sub

The syntax of this parameter is:

AuthLDAPURL ldap://host:port/basedn?attribute?scope?filter [NONE|SSL|TLS|STARTTLS]

If we analyze the syntax:

host and port identify the LDAP server.

basedn is the LDAP path (base DN) under which users are searched for.

attribute defines the name of the attribute that contains the user name (typically uid).

scope can be one (to search one level below basedn) or sub (to search all sublevels).

filter is an optional search filter, for example: (&(objectClass=inetOrgPerson)(description=*#*test*))

[NONE|SSL|TLS|STARTTLS] is an optional parameter defining the connection type; the default is NONE. With NONE the bind password and every user's password travel to the LDAP server in clear text, so SSL or STARTTLS is the sensible choice whenever the directory is on another host.

3- Authentication against the LDAP server itself, with the parameters:

AuthLDAPBindDN "cn=ebox,dc=zentyal"
AuthLDAPBindPassword ly3sduWefe/BDu

AuthLDAPBindDN is the DN of the user that Apache binds as in order to search the LDAP directory. If it is not defined, an anonymous bind is attempted.

AuthLDAPBindPassword is the password of the user pointed to by AuthLDAPBindDN.

4- Require valid user:

require valid-user

We simply require any user who has authenticated successfully, although we could instead specify a list of permitted users or an LDAP group that the user must belong to, for example:

require ldap-group cn=Administrators,ou=Groups,dc=zentyal

The module documentation can be found at:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

A complete configuration example might be:

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
AuthType Basic
AuthName "Authentication system: please insert username and password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://s1.test.es:389/ou=Users,dc=zentyal?uid?sub?(&(objectClass=inetOrgPerson)(description=*#*testldap*))
AuthLDAPBindDN "cn=ebox,dc=zentyal"
AuthLDAPBindPassword ly3sduWefe/BDu
require valid-user
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
SSLEngine on
SSLCertificateFile /vol/certificados/completessl/www.company.es.crt
SSLCertificateKeyFile /vol/certificados/completessl/www.company.es.key
SSLCACertificateFile /vol/certificados/completessl/www.company.es.PositiveSSLCA.crt
</VirtualHost>
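Both the AuthLDAPURL syntax explained above and the complete configuration are easier to reason about with a small checker. The following Python script is an added example written for this post, not code from Apache or from the original article: it decomposes an AuthLDAPURL into host, port, base DN, attribute, scope, filter and connection mode (applying the module's documented defaults) and reviews a Directory block for the settings a security engineer would flag: a plaintext ldap:// connection, a bind password kept in the configuration file, an unrestricted filter and require valid-user. The two sample configurations embedded in it are constructed for the example; the first reproduces the Directory block from this post and the second is a hardened variant.

```python
"""Added example: parse mod_authnz_ldap AuthLDAPURL values and review a
<Directory> block for weak settings.  Illustrative code written for this
post, not part of Apache; PAGE_CONFIG and HARDENED_CONFIG are constructed
samples (the first reproduces the post's Directory block)."""
import re
from urllib.parse import unquote

SECURE_MODES = {"SSL", "TLS", "STARTTLS"}


def parse_auth_ldap_url(value):
    """Split 'ldap://host:port/basedn?attribute?scope?filter [MODE]' into parts.

    Defaults follow the mod_authnz_ldap documentation: attribute uid, scope sub,
    filter (objectClass=*), mode NONE, port 389 (636 for ldaps://).
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("empty AuthLDAPURL")
    url, mode = tokens[0], (tokens[1].upper() if len(tokens) > 1 else "NONE")
    m = re.match(r"^(ldaps?)://([^/]+)/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, hostport, rest = m.groups()
    host, _, port = hostport.partition(":")
    if not port:
        port = "636" if scheme == "ldaps" else "389"
    segs = rest.split("?")

    def seg(i, default):
        return unquote(segs[i]) if len(segs) > i and segs[i] else default

    scope = seg(2, "sub").lower()
    if scope != "one":          # the module treats base or unknown scopes as sub
        scope = "sub"
    return {
        "scheme": scheme, "host": host, "port": int(port),
        "basedn": seg(0, ""), "attribute": seg(1, "uid"), "scope": scope,
        "filter": seg(3, "(objectClass=*)"), "mode": mode,
        # ldaps:// or an explicit SSL/TLS/STARTTLS mode protects bind and user passwords
        "encrypted": scheme == "ldaps" or mode in SECURE_MODES,
    }


def parse_directives(block):
    """Collect 'Directive value' pairs from a <Directory> block (last one wins)."""
    directives = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')
    return directives


def review(block):
    """Return [(code, message)] findings for one LDAP-protected Directory block."""
    d = parse_directives(block)
    url = parse_auth_ldap_url(d["authldapurl"])
    findings = []
    if not url["encrypted"]:
        findings.append(("plaintext-ldap",
                         "bind password and every user's password cross the network in clear text"))
    if "authldapbinddn" not in d:
        findings.append(("anonymous-bind", "no AuthLDAPBindDN: the user search runs as an anonymous bind"))
    elif "authldapbindpassword" in d:
        findings.append(("bind-password-in-config",
                         "AuthLDAPBindPassword is stored in the config file: restrict its permissions"))
    if url["filter"] == "(objectClass=*)":
        findings.append(("unrestricted-filter", "no filter: any entry with the uid attribute can log in"))
    if d.get("require", "").lower() == "valid-user":
        findings.append(("any-account-allowed", "require valid-user admits every LDAP account; consider ldap-group"))
    return findings


# Constructed samples: the post's block, then a hardened variant
# (ldaps://, objectClass filter, group-based require).
PAGE_CONFIG = """<Directory /var/www/>
AuthType Basic
AuthName "Authentication system: please insert username and password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://s1.test.es:389/ou=Users,dc=zentyal?uid?sub
AuthLDAPBindDN "cn=ebox,dc=zentyal"
AuthLDAPBindPassword ly3sduWefe/BDu
require valid-user
</Directory>"""

HARDENED_CONFIG = """<Directory /var/www/>
AuthType Basic
AuthName "Authentication system: please insert username and password"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldaps://s1.test.es:636/ou=Users,dc=zentyal?uid?sub?(objectClass=inetOrgPerson)
AuthLDAPBindDN "cn=ebox,dc=zentyal"
AuthLDAPBindPassword ly3sduWefe/BDu
require ldap-group cn=Administrators,ou=Groups,dc=zentyal
</Directory>"""

if __name__ == "__main__":
    for name, cfg in (("post", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, parse_auth_ldap_url(parse_directives(cfg)["authldapurl"]))
        for code, msg in review(cfg):
            print("  %s: %s" % (code, msg))
```

Run as a script it prints the parsed URL and the findings for each sample; the hardened block still reports the bind password, because Apache 2.2 has no way to keep AuthLDAPBindPassword out of the configuration (the exec: prefix that reads it from a command arrived in 2.4.5). On 2.2 the practical mitigation is to put that directive in a separate Include file owned by root with mode 0600, which works because Apache reads its configuration before dropping privileges.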
