Monday, March 7, 2011

apache & openldap group authentication

For Apache 2.2, check your mods-enabled and mods-available directories. Make certain that an ls of mods-enabled shows the following symlinks into mods-available; e.g.:

 alias.load -> ../mods-available/alias.load
 auth_basic.load -> ../mods-available/auth_basic.load
 authnz_ldap.load -> /etc/apache2/mods-available/authnz_ldap.load
 authz_default.load -> ../mods-available/authz_default.load
 authz_user.load -> ../mods-available/authz_user.load
 ldap.load -> ../mods-available/ldap.load

In your sites-available file, make sure these two modules are loaded with the following directives:

 LoadModule ldap_module           /usr/lib/apache2/modules/mod_ldap.so
 LoadModule authnz_ldap_module    /usr/lib/apache2/modules/mod_authnz_ldap.so

In the directory block where you'd like LDAP authentication to take place, add the following stanza:

 AuthBasicProvider ldap
 AuthType Basic
 AuthzLDAPAuthoritative on
 AuthName "restricted site access"
 AuthLDAPURL ldap://www.xxx.yyy.zzz/ou=users,dc=your,dc=com?uid
 AuthLDAPGroupAttribute memberUid
 AuthLDAPGroupAttributeIsDN off
 Require ldap-group cn=agroup,ou=groups,dc=your,dc=com
 Require ldap-user adude anotherdude
 Satisfy any

If you have a round-robin LDAP setup, place the FQDN of your OpenLDAP server in the AuthLDAPURL directive. The trailing "?uid" means that the login name is matched against the uid attribute. AuthLDAPGroupAttribute, together with the Require ldap-group line, states that you're checking for membership in the specific group "agroup", whose members are listed in its "memberUid" attribute. You can tack on an individual user (or several users on the same line) with "Require ldap-user". To allow for both groups and users, set the "Satisfy any" directive; otherwise no one will be able to log on and use your web resource.
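As an added illustration, not part of the original post and not mod_authnz_ldap's own code, the following Python models the decision the stanza above makes: look the login name up under the AuthLDAPURL base DN by the uid attribute, then grant access if any one Require line matches. Everything in it is constructed: the directory entries, the users alice, bob and carol, and the group cn=dngroup, which exists only to show what AuthLDAPGroupAttributeIsDN on does with a groupOfNames whose member attribute holds DNs. Only agroup, adude and anotherdude come from the stanza.

```python
from __future__ import annotations
from dataclasses import dataclass, field, replace

# Constructed directory snapshot (not from a real server): roughly what the
# entries behind the page's AuthLDAPURL and Require lines would look like.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    "uid=alice,ou=users,dc=your,dc=com": {"uid": ["alice"]},
    "uid=carol,ou=users,dc=your,dc=com": {"uid": ["carol"]},
    "uid=adude,ou=users,dc=your,dc=com": {"uid": ["adude"]},
    # posixGroup: memberUid holds bare uids -> AuthLDAPGroupAttributeIsDN off
    "cn=agroup,ou=groups,dc=your,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "bob"],
    },
    # groupOfNames (hypothetical): member holds full DNs -> IsDN on
    "cn=dngroup,ou=groups,dc=your,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=carol,ou=users,dc=your,dc=com"],
    },
}


@dataclass
class LdapAuthz:
    """One <Directory> stanza's LDAP authentication/authorization settings."""
    base_dn: str                        # DN part of AuthLDAPURL
    uid_attr: str = "uid"               # the "?uid" part of AuthLDAPURL
    group_attr: str = "memberUid"       # AuthLDAPGroupAttribute
    group_attr_is_dn: bool = False      # AuthLDAPGroupAttributeIsDN
    require_groups: list[str] = field(default_factory=list)  # Require ldap-group
    require_users: list[str] = field(default_factory=list)   # Require ldap-user

    def lookup_user_dn(self, username: str) -> str | None:
        # Step 1: search base_dn for uid_attr=username; no entry means the
        # user cannot authenticate at all, whatever the Require lines say.
        for dn, entry in DIRECTORY.items():
            if dn.endswith("," + self.base_dn) and username in entry.get(self.uid_attr, []):
                return dn
        return None

    def in_group(self, username: str, user_dn: str, group_dn: str) -> bool:
        # Step 2: compare either the bare uid or the full DN against the
        # group attribute, depending on AuthLDAPGroupAttributeIsDN.
        entry = DIRECTORY.get(group_dn)
        if entry is None:
            return False
        needle = user_dn if self.group_attr_is_dn else username
        return needle in entry.get(self.group_attr, [])

    def allowed(self, username: str) -> bool:
        # Any matching Require line grants access (2.2 semantics for the
        # ldap-user / ldap-group providers); no match denies.
        user_dn = self.lookup_user_dn(username)
        if user_dn is None:
            return False
        if username in self.require_users:
            return True
        return any(self.in_group(username, user_dn, g) for g in self.require_groups)


# The stanza from the page.
PAGE_STANZA = LdapAuthz(
    base_dn="ou=users,dc=your,dc=com",
    require_groups=["cn=agroup,ou=groups,dc=your,dc=com"],
    require_users=["adude", "anotherdude"],
)

# Common mistake: same posixGroup, but AuthLDAPGroupAttributeIsDN turned on.
MISMATCHED = replace(PAGE_STANZA, group_attr_is_dn=True)

# Correct pairing for a groupOfNames: member attribute, IsDN on.
DN_GROUP = LdapAuthz(
    base_dn="ou=users,dc=your,dc=com",
    group_attr="member",
    group_attr_is_dn=True,
    require_groups=["cn=dngroup,ou=groups,dc=your,dc=com"],
)

if __name__ == "__main__":
    for cfg_name, cfg in [("page", PAGE_STANZA), ("mismatched", MISMATCHED), ("dngroup", DN_GROUP)]:
        for user in ["alice", "bob", "carol", "adude", "anotherdude"]:
            print(f"{cfg_name:10} {user:12} -> {'allow' if cfg.allowed(user) else 'deny'}")
```

The three configurations differ only in how the group attribute is read: memberUid in a posixGroup holds bare uids, so AuthLDAPGroupAttributeIsDN must stay off; member in a groupOfNames holds DNs, so it must be on; pair them the wrong way round and every group check fails closed, which in the MISMATCHED case locks alice out even though she is in agroup. Note that bob, who appears in memberUid but has no entry under ou=users, is denied too, because the uid lookup has to succeed before any Require line is considered. The model covers only the Require lines; under Apache 2.2, Satisfy any additionally lets a matching Allow from rule grant access without credentials, so check that the same directory block does not also carry a blanket Allow from all.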