Sunday, December 9, 2007

Apache HTTPD 2.2 with LDAP authentication

Recently I needed to set up LDAP authentication on Apache HTTPD. I tried the usual way to find out how: googling. I found that a lot of good posts no longer work, as 2.2 went through a major refactoring of the Authn and Authz modules.

Here are some highlights (for the full list of changes made in 2.2, see the new features page):

  • mod_access has been renamed mod_authz_host.
  • mod_auth is now split into mod_auth_basic and mod_authn_file.
  • mod_auth_dbm is now called mod_authn_dbm.

For the LDAP-related changes, I found Christophe Gravier’s post on users@httpd very useful. I reproduce it here:

If you're using apache >= 2.2 and you want to:

1/ allow "any" authenticated user to enter, whatever his group membership is (i.e. no authorization control): you must "bypass" the authz_ldap authorization module by setting "AuthzLDAPAuthoritative" to off (else apache searches for require ldap-user or ldap-group directives)

AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword ""
SSLRequireSSL
require valid-user


2/ allow a limited list of known users of the directory (needs the require ldap-user directive and not require ldap-user)

AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword ""
SSLRequireSSL
require ldap-user myuser_uid


3/ allow a group of users (authorization based on group membership).

AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword ""
SSLRequireSSL
require ldap-group my_group_full_dn

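As an added example that is not part of the original post, of Christophe Gravier's mail, or of Apache's own code, here is a small Python linter for blocks like the three above. It parses the AuthLDAPURL into the documented ldap://host:port/basedn?attribute?scope?filter fields (applying the module's defaults of uid, sub and (objectClass=*)) and flags what a reviewer would want to see before such a block goes live: a cleartext ldap:// bind, the empty AuthLDAPBindPassword, a missing SSLRequireSSL, a missing require, and require ldap-* combined with AuthzLDAPAuthoritative off. The directive names are the real mod_authnz_ldap, mod_auth_basic and mod_ssl ones; the sample blocks, host names, DNs and the password placeholder are constructed.

```python
"""Parse AuthLDAPURL and lint an Apache 2.2 mod_authnz_ldap block.

Added example, not code from the original post or the Apache project.
The sample blocks, DNs, host names and password placeholder below are
constructed for illustration.
"""
import re
import shlex
from urllib.parse import unquote

# Documented defaults for the optional fields of AuthLDAPURL.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

_URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<hostport>[^/]*)/(?P<rest>.*)$")
# Authorization types that mod_authnz_ldap itself evaluates.
LDAP_REQUIRES = ("ldap-user", "ldap-group", "ldap-dn", "ldap-attribute", "ldap-filter")


def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap[s]://host:port/basedn?attribute?scope?filter into parts.

    '?' is the field separator here, so the generic URL parser is not used.
    """
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    host, _, port = m["hostport"].partition(":")
    fields = m["rest"].split("?")
    fields += [""] * (4 - len(fields))           # pad missing trailing fields
    basedn, attribute, scope, filt = (unquote(f) for f in fields[:4])
    scope = scope or DEFAULT_SCOPE
    if scope not in ("one", "sub"):               # 'base' is RFC 2255 but not supported by the module
        raise ValueError(f"unsupported scope {scope!r}")
    return {
        "scheme": m["scheme"],
        "host": host,                              # '' means no host given in the URL
        "port": int(port) if port else DEFAULT_PORT[m["scheme"]],
        "basedn": basedn,
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": filt or DEFAULT_FILTER,
    }


def parse_block(text: str) -> list:
    """Turn config lines into (lowercased directive, args) pairs; shlex handles the quoting."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)
        out.append((name.lower(), args))           # Apache directive names are case-insensitive
    return out


def lint_block(text: str) -> list:
    """Return human-readable findings for one mod_authnz_ldap block."""
    directives = parse_block(text)

    def args_of(name):
        return [a for n, a in directives if n == name]

    findings = []
    urls = args_of("authldapurl")
    if not urls:
        findings.append("no AuthLDAPURL: the ldap provider has nowhere to search")
    else:
        url = parse_auth_ldap_url(urls[0][0])
        mode = urls[0][1].upper() if len(urls[0]) > 1 else "NONE"   # optional NONE|SSL|TLS|STARTTLS argument
        if url["scheme"] == "ldap" and mode not in ("SSL", "TLS", "STARTTLS"):
            findings.append("plain ldap:// with no TLS: the module binds as the user, so the user's "
                            "password reaches the directory in the clear")
    bindpw = args_of("authldapbindpassword")
    if args_of("authldapbinddn") and (not bindpw or not bindpw[0] or not bindpw[0][0]):
        findings.append("AuthLDAPBindDN is set but AuthLDAPBindPassword is empty: the search bind is "
                        "unauthenticated; use a real service-account password")
    if not args_of("sslrequiressl"):
        findings.append("no SSLRequireSSL: HTTP Basic credentials are accepted over plain HTTP")
    requires = args_of("require")
    if not requires:
        findings.append("no require directive: in 2.2 the auth hooks are skipped and the location is open")
    authoritative = args_of("authzldapauthoritative")
    uses_ldap_authz = any(a and a[0].lower() in LDAP_REQUIRES for a in requires)
    if uses_ldap_authz and authoritative and authoritative[0][0].lower() == "off":
        findings.append("require ldap-* with AuthzLDAPAuthoritative off: a failed LDAP authorization is "
                        "handed to other authz modules instead of being denied")
    return findings


# Constructed sample: the post's first variant with its wrapped URL re-joined.
AS_POSTED = '''
AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword ""
SSLRequireSSL
require valid-user
'''

# Constructed hardened variant of the group-membership block (hypothetical host, DNs and placeholder password).
HARDENED = '''
AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://ldap.example.com:636/ou=Corporate Users,dc=example,dc=com?sAMAccountName?sub?(objectclass=user)"
AuthLDAPBindDN "cn=httpd-svc,ou=Service Accounts,dc=example,dc=com"
AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
SSLRequireSSL
require ldap-group cn=web-admins,ou=Groups,dc=example,dc=com
'''

if __name__ == "__main__":
    for label, block in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, "->", lint_block(block) or "no findings")
```

Run it on a block copied from a real vhost to see the same checks; the as-posted variant yields the cleartext-bind and empty-password findings, the hardened one yields none, and flipping AuthzLDAPAuthoritative to off in the hardened block brings back exactly one finding.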