Recently I needed to set up LDAP authentication on Apache httpd. I tried the usual way to find out how: googling. I found that a lot of good posts no longer work, as 2.2 went through a major refactoring of the authn and authz modules.
Here are some highlights (for the full list of changes made in 2.2 see the 2.2 New Features document):
- mod_access has been renamed mod_authz_host.
- mod_auth is now split into mod_auth_basic and mod_authn_file.
- mod_auth_dbm is now called mod_authn_dbm.
For the LDAP part, I found Christophe Gravier's post on users@httpd very useful. I reproduce it here:
If you're using Apache >= 2.2 and you want to:
1/ allow "any" authenticated user in (whatever his group membership is, i.e. no authorization control), you must "bypass" the authz_ldap authorization module by setting "AuthzLDAPAuthoritative" to off (else Apache searches for require ldap-user or ldap-group directives):
AuthType Basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword ""
SSLRequireSSL
require valid-user
2/ allow a limited list of known users of the directory (needs the require ldap-user directive, not require user):
AuthType Basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword ""
SSLRequireSSL
require ldap-user myuser_uid
3/ allow a group of users (authorization based on group membership):
AuthType Basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword ""
SSLRequireSSL
require ldap-group my_group_full_dn
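The AuthLDAPURL shared by all three snippets above is the part that is easiest to get wrong, and the only way to find out is usually a 500 or a failed login. As an added example (not part of Christophe Gravier's post and not httpd's own code), here is a small Python script that splits an AuthLDAPURL into its scheme://host:port/basedn?attribute?scope?filter fields, applies the defaults the mod_authnz_ldap documentation gives for omitted fields (attribute uid, scope sub, filter (objectclass=*), port 389 for ldap and 636 for ldaps), and builds the combined search filter (&(filter)(attribute=username)) that the documentation says the module sends, escaping the supplied username. Assumptions: the URL constant is the one from the post, joined onto one line with its literal space kept; an empty host is reported rather than guessed; the escaping uses the RFC 4515 hex form, which is what a conforming server accepts, not a byte-for-byte copy of httpd's own escaping code.

```python
"""Added example: parse an AuthLDAPURL as the mod_authnz_ldap documentation
describes it and build the LDAP search filter the module sends for a given
username.  Not code from httpd or from the quoted post."""
from urllib.parse import unquote

# Defaults the mod_authnz_ldap (httpd 2.2) documentation gives for omitted fields.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectclass=*)"
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into a dict."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, slash, path = rest.partition("/")
    if not slash:
        raise ValueError("AuthLDAPURL needs a / before the base DN")
    host, _, port = hostport.partition(":")
    # At most four fields; a '?' inside the filter stays with the filter.
    fields = path.split("?", 3) + ["", "", "", ""]
    basedn, attribute, scope, filt = fields[:4]
    scope = scope.lower()
    if scope not in ("one", "sub"):
        # Documented: scope "base" (or no scope) is treated as "sub" by the module.
        scope = DEFAULT_SCOPE
    return {
        "scheme": scheme,
        # Assumption: an empty host (as in the post's "ldap:///") is reported as
        # None rather than guessed; which server answers is a deployment detail.
        "host": host or None,
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "basedn": unquote(basedn),          # %20 and literal spaces both survive
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": unquote(filt) or DEFAULT_FILTER,
    }


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so filter metacharacters in a
    username cannot change the meaning of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_search_filter(parsed, username):
    """Combine the URL's filter with the attribute=username clause, giving the
    (&(filter)(attribute=username)) form the mod_authnz_ldap docs describe."""
    return "(&%s(%s=%s))" % (
        parsed["filter"], parsed["attribute"], escape_filter_value(username))


# Constructed sample: the URL from the post, joined back onto one line with
# the literal space in "Corporate Users" kept.
POST_URL = ("ldap:///ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
            "?sAMAccountName?sub?(objectclass=*)")


if __name__ == "__main__":
    parsed = parse_auth_ldap_url(POST_URL)
    for key, value in parsed.items():
        print("%-10s %s" % (key, value))
    print(build_search_filter(parsed, "myuser_uid"))
    # A username carrying filter syntax is rendered inert instead of
    # widening the search to every entry under the base DN.
    print(build_search_filter(parsed, "*)(sAMAccountName=*"))
```

Running it on the post's URL shows the base DN, attribute and filter that would actually be sent, which is worth confirming against the directory with ldapsearch (same bind DN, same filter) before touching httpd.conf. The last line demonstrates why the username must be escaped when it is spliced into the filter: mod_authnz_ldap does this escaping itself before sending the search, and any script of your own that rebuilds the filter for testing should do the same.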