LDAPWiki: Apache Web Server and LDAP

Overview#

So many people have been asking about configuration of Apache Web Server with various LDAP servers, we put this How To page together to hopefully help.

Assumptions#

First, we assume that the Apache Web Server is version 2.0 or greater, if not, we recommend you upgrade. We also assume and will not go into details about how you would implement security once you have LDAP authentication configured as there are way too many methods to do this on Apache's Web Server.

What is Required#

Credentials to Login and search for Users (You might be able to get by without this, but you could have issues)
A configured and running Apache Web Server.
A configured and running LDAP server.

The Basics#

The Apache Web Server Module, mod_authnz_ldap

, provides authentication front-ends such as mod_auth_basic to authenticate users through an LDAP directory.

On many Apache Binaries will have the mod_authnz_ldap module compiled with the binary. Otherwise you may have to compile your Apache Web Server with one of the following LDAP SDKs:

OpenLDAP SDK (both 1.x and 2.x)
Novell LDAP SDK
iPlanet (Netscape) SDK.

LDAP Authentication#

The mod_authnz_ldap

module provides LDAP Authentication by:

searching for an entry in the directory that matches the username that the HTTP client passes.
If a single unique match is found, then mod_authnz_ldap attempts to bind to the LDAP server using the DN of the entry plus the password provided by the HTTP client.

It is important security feature that the module performs a bind as any other method could bypass security features implemented within the LDAP server like:

Intruder detection
Password Expiration Rules
various other commonly implemented features

Example Authentication #

In this example we will check the LDAP server to see if the user can successfully bind (LDAP term for login) and if the user can, we will let tell Apache he is "good-to-go".

Configuration in Apache#

Depending on where you put the mod_authnz_ldap

configuration will determine which servers or locations are "protected". In this example we are protecting the Web URL "/private".

<Location /private>
	order allow,deny
	allow from all
	AuthName "AuthRequired"
        AuthType Basic
        AuthBasicProvider ldap
	AuthzLDAPAuthoritative on
	AuthLDAPURL "ldap://ldap.willeke.com:389/ou=People,dc=willeke,dc=com?cn?sub?(objectClass=inetOrgPerson)"
	AuthLDAPBindDN  "cn=apacheProxy,ou=administration,dc=willeke,dc=com"
	AuthLDAPBindPassword "secret"
	require valid-user
</Location>

Here is how the configuration breaks down:

order allow,deny and allow from all, we will not cover as they are normal to Apache
AuthName - Sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send. AuthName takes a single argument; if the realm name contains spaces, it must be enclosed in quotation marks. It must be accompanied by AuthType and Require directives, and directives such as AuthUserFile and AuthGroupFile to work.
AuthType - selects the type of user authentication for a directory. The authentication types available are Basic (implemented by mod_auth_basic) and Digest (implemented by mod_auth_digest).
AuthBasicProvider - each authorization module listed in AuthBasicProvider will attempt to verify the user, and if the user is not found in any provider, access will be denied.
AuthzLDAPAuthoritative - When this is set to on, no other "AuthBasicProvider" will be consulted and if the user fails the LDAP authorization, the user is denied. Note: overrides any additional providers listed in "AuthBasicProvider"
AuthLDAPURL - This is a LDAP URL that defines the following:
- the LDAP Server - ldap.willeke.com
- The LDAP Port - 389
- The baseDN to perform the search - ou=People,dc=willeke,dc=com
- The Attribute for the search - cn - The value for the userName that is provided must match this LDAP attribute name
- The LDAP Search Scopes - The value are sub, one and base.
- The LDAP SearchFilter - (objectClass=inetOrgPerson) - Used to qualify what LDAP objects we want to find.
AuthLDAPBindDN - The LDAP entry that will be used to locate the users.
AuthLDAPBindPassword - The password for the user specified above.
require valid-user - This directive selects which authenticated users can access a resource. The "valid-user" value implies if the user can bind, then they are allowed.

LDAP Authorization#

In addtion to Authentication the integration of Apache Web Server with LDAP can provide Authorization.

In the example, we showed the directive of "require valid-user". Which in effect, says anyone is authorized.

We can specify other "require" directives that will require authorization requirements.

Authorization Examples#

As an example, if we configure a location as:

<Location /admin>
	order allow,deny
	allow from all
	AuthName "AuthRequired"
        AuthType Basic
        AuthBasicProvider ldap
	AuthzLDAPAuthoritative on
	AuthLDAPURL "ldap://ldap.willeke.com:389/ou=People,dc=willeke,dc=com?cn?sub?(objectClass=inetOrgPerson)"
	AuthLDAPBindDN  "cn=apacheProxy,ou=administration,dc=willeke,dc=com"
	AuthLDAPBindPassword "secret"
	Require ldap-attribute ldapRole=Admin
</Location>

The "Require ldap-attribute ldapRole=Admin" directive implies the user must pocess a value in the LDAP Attribute "ldapRole" of "Admin" or the user will receive a 403 Forbidden response.

Some other examples for Authorization:

Require ldap-dn cn=Barbara Jenson, o=Airius - the user must be the DN specified.
Require ldap-filter (&(isManager=true)(department=marketing)) - The user must satisfy the LDAP SearchFilter. This could be any LDAP Filters Syntax and Operators
Require ldap-group cn=Administrators, o=Airius - The user must be a member of the group "cn=Administrators, o=Airius"
Require ldap-user bjenson fuser jmanager - Must be one of the usersNames as matches the "?cn?" value that was provided in the "AuthLDAPURL"

More capabilities#

Yes there are more capabilities for the Apache Web Server and LDAP, Do we do not recommend you implement this module or LDAP pools until you get the basic LDAP Authentication working.

LDAP connection pool and an LDAP cache#

If you need LDAP pools and/or caching you will need to look at the the Apache Module mod_ldap

Do not implement this module or LDAP pools until you get the basic LDAP Authentication working.

SSL or TLS for LDAP#

If you require support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).

To implement SSL or TLS see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert|target='_blank'] and LDAPTrustedMode.

Do not implement these directives until you get the basic LDAP Authentication working.

More Information#

There might be more information for this subject on one of the following: