alias.load -> ../mods-available/alias.load
auth_basic.load -> ../mods-available/auth_basic.load
authnz_ldap.load -> /etc/apache2/mods-available/authnz_ldap.load
authz_default.load -> ../mods-available/authz_default.load
authz_user.load -> ../mods-available/authz_user.load
ldap.load -> ../mods-available/ldap.load
In your sites-available file, load the two LDAP modules from the listing above with the following directives:
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so
In the directory stanza where you'd like LDAP authentication to take place, add the following:
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative on
AuthName "restricted site access"
AuthLDAPURL ldap://www.xxx.yyy.zzz/ou=users,dc=your,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=agroup,ou=groups,dc=your,dc=com
Require ldap-user adude anotherdude
Satisfy any
If you have a round-robin LDAP setup, place the FQDN of your OpenLDAP server in the AuthLDAPURL directive. The trailing ?uid means that users are authenticated by their uid attribute. AuthLDAPGroupAttribute, together with its companion Require ldap-group, checks for membership in the specific group "agroup", whose members are listed in its "memberUid" attribute. You can tack on an individual user (or several users on the same line) with "Require ldap-user". To allow both groups and users, set the "Satisfy any" directive; otherwise no one will be able to log on and use your web resource.
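As an added example (not part of the original post), here is a small Python checker that parses a stanza like the one above, splits AuthLDAPURL into host, base DN, attribute, scope and filter the way mod_authnz_ldap reads it, and flags two things worth checking before deploying: a cleartext ldap:// URL, and a group attribute whose value type disagrees with AuthLDAPGroupAttributeIsDN. The embedded stanza is a constructed excerpt of the one shown above.

```python
import shlex

# Constructed excerpt of the stanza above (the LDAP-related directives).
STANZA = """
AuthName "restricted site access"
AuthLDAPURL ldap://www.xxx.yyy.zzz/ou=users,dc=your,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=agroup,ou=groups,dc=your,dc=com
Require ldap-user adude anotherdude
"""
# memberUid holds plain uids, member/uniqueMember hold DNs; IsDN must agree
UID_VALUED = {"memberuid"}
DN_VALUED = {"member", "uniquemember"}


def parse_stanza(text):
    # lower-cased directive -> list of argument lists (Require may repeat)
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def parse_ldap_url(url):
    # scheme://host/basedn?attribute?scope?filter, with mod_authnz_ldap defaults
    scheme, _, rest = url.partition("://")
    host, _, tail = rest.partition("/")
    basedn, attr, scope, filt = (tail.split("?") + [""] * 4)[:4]
    return {"scheme": scheme.lower(), "host": host, "basedn": basedn,
            "attribute": attr or "uid", "scope": scope or "sub",
            "filter": filt or "(objectClass=*)"}


def check_stanza(text):
    # returns the parsed pieces plus the findings a reviewer would raise
    conf = parse_stanza(text)
    url = parse_ldap_url(conf["authldapurl"][0][0])
    findings = []
    if url["scheme"] != "ldaps":  # user passwords are bound over this link
        findings.append("cleartext ldap://: use ldaps:// or LDAPTrustedMode TLS")
    attr = conf.get("authldapgroupattribute", [["member"]])[0][0].lower()
    is_dn = conf.get("authldapgroupattributeisdn", [["on"]])[0][0].lower() == "on"
    if (attr in UID_VALUED and is_dn) or (attr in DN_VALUED and not is_dn):
        findings.append(f"AuthLDAPGroupAttributeIsDN disagrees with {attr}")
    requires = conf.get("require", [])
    return {"url": url, "findings": findings,
            "groups": [r[1] for r in requires if r[0] == "ldap-group"],
            "users": [u for r in requires if r[0] == "ldap-user" for u in r[1:]]}
```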