Apache Authentication Using LDAP


Lightweight Directory Access Protocol (LDAP) is a popular user management and authentication service used by network administrators, mostly in large enterprises and big businesses. Apache also lets you control user authentication with LDAP. Let us look at how to set up Apache authentication using LDAP.

 

Apache Authentication Using LDAP

Here are the steps to configure Apache authentication using LDAP.

 

1. Enable required Apache modules

First, we need to enable the LDAP modules for Apache. To do that, open your Apache server config file in a text editor.


$ sudo vi /etc/apache2/apache2.conf #Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf #RHEL/CentOS systems

 

Look for the following lines and uncomment them by removing the ‘#’ sign at their beginning. If you can’t find them, add these lines:


LoadModule ldap_module /path/to/mod_ldap.so
LoadModule authnz_ldap_module /path/to/mod_authnz_ldap.so

 

Once you have enabled the required modules, point Apache at your LDAP server using the AuthLDAPUrl directive:


AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid

It defines the LDAP server, the distinguished name (DN) to search under, and the attribute to match against the supplied username. Place this line in the <VirtualHost> block of your config file to apply the setting to a specific website of yours. If you have not enabled any virtual hosts, place it directly in the default config file.
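As an added example (not code from the original article), the following Python splits an AuthLDAPUrl argument into its parts using the format mod_authnz_ldap documents, ldap://host:port/basedn?attribute?scope?filter with an optional trailing NONE/SSL/TLS/STARTTLS keyword, fills in the module's defaults (port 389 or 636, attribute uid, scope sub, filter (objectClass=*)), and raises the two findings a config reviewer checks first: an unencrypted ldap:// scheme with no TLS mode, and the absence of a search filter. The function names and the wording of the findings are this example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Defaults documented for mod_authnz_ldap's AuthLDAPUrl:
#   ldap://host:port/basedn?attribute?scope?filter [NONE|SSL|TLS|STARTTLS]
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"
CONNECTION_MODES = {"NONE", "SSL", "TLS", "STARTTLS"}


@dataclass
class AuthLdapUrl:
    scheme: str
    hosts: List[Tuple[str, int]]  # one or more (host, port) pairs
    base_dn: str
    attribute: str
    scope: str
    filter: str
    mode: str

    @property
    def encrypted(self) -> bool:
        """True when the bind, which carries the user's password, is protected by TLS."""
        return self.scheme == "ldaps" or self.mode in {"SSL", "TLS", "STARTTLS"}


def parse_auth_ldap_url(value: str) -> AuthLdapUrl:
    """Split an AuthLDAPUrl argument into its parts, applying the module's defaults."""
    tokens = value.split()
    if not tokens:
        raise ValueError("empty AuthLDAPUrl")
    mode = "NONE"
    if len(tokens) > 1 and tokens[-1].upper() in CONNECTION_MODES:
        mode = tokens.pop().upper()          # trailing connection-mode keyword
    url = " ".join(tokens)

    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap:// or ldaps://: {value!r}")

    host_part, slash, path = rest.partition("/")
    if not slash or not host_part:
        raise ValueError(f"expected host/base-dn after the scheme: {value!r}")

    # Several servers may be listed separated by spaces; each may carry its own :port
    hosts = []
    for spec in host_part.split():
        host, colon, port = spec.partition(":")
        if colon and not port.isdigit():
            raise ValueError(f"bad port in {spec!r}")
        hosts.append((host, int(port) if colon else DEFAULT_PORTS[scheme]))

    parts = path.split("?")
    if len(parts) > 4:
        raise ValueError(f"too many '?'-separated fields: {path!r}")
    parts += [""] * (4 - len(parts))
    base_dn, attribute, scope, filt = parts
    if not base_dn:
        raise ValueError("base DN is required")
    scope = scope.lower()
    if scope in ("", "base"):   # 'base' is valid RFC 2255 but the module treats it as sub
        scope = DEFAULT_SCOPE
    elif scope not in ("one", "sub"):
        raise ValueError(f"scope must be one or sub: {scope!r}")

    return AuthLdapUrl(scheme, hosts, base_dn, attribute or DEFAULT_ATTRIBUTE,
                       scope, filt or DEFAULT_FILTER, mode)


def review(value: str) -> List[str]:
    """Findings a reviewer would raise about one AuthLDAPUrl line (wording is this example's)."""
    url = parse_auth_ldap_url(value)
    findings = []
    if not url.encrypted:
        findings.append("cleartext LDAP: the user's password is sent to the directory "
                        "unencrypted; use ldaps:// or append TLS/STARTTLS")
    if url.filter == DEFAULT_FILTER:
        findings.append("no search filter: any entry under the base DN with a matching "
                        "attribute can log in; add one such as (objectClass=inetOrgPerson)")
    return findings


if __name__ == "__main__":
    # The article's URL, then a hardened two-server variant (constructed for this example)
    for line in ("ldap://ldap.company.com/ou=People,dc=company,dc=com?uid",
                 "ldap://ldap1.company.com ldap2.company.com:3389/ou=People,dc=company,dc=com"
                 "?uid?one?(objectClass=person) STARTTLS"):
        print(parse_auth_ldap_url(line))
        for finding in review(line):
            print("  -", finding)
```

Run against the article's own AuthLDAPUrl, the parser shows the implicit defaults (scope sub, filter (objectClass=*)) and both findings fire; with ldaps:// or a STARTTLS keyword and an explicit filter, the review comes back empty.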

Here are some examples of common use cases:

 

Allow Any User

The following configuration gives all valid users in the LDAP directory access to the current directory. Apache will require the browser to provide a username and password, which are checked against the LDAP directory. Replace ldap.company.com with your LDAP server address.

 


Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
Require valid-user
Satisfy any

 

In the above configuration:

  • AuthBasicProvider ldap – tells Apache to use LDAP instead of the basic file-based authentication provider
  • AuthzLDAPAuthoritative off – (not present from Apache 2.4) it was used to allow other authentication methods to be mixed with LDAP. By default it is on; if you keep it on, authentication for Require valid-user will fail.

 

List of Users

If you want to give access to the current directory only to the users listed in the Require ldap-user directive, use the following configuration. Replace keithw and joeuser with your usernames:


Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
Require ldap-user keithw joeuser
Satisfy any

 

Members of a group

If you want to give access to the current directory only to members of the groups listed in the Require ldap-group directive, use the following configuration. Replace the group name (infosys) with your own:


Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=infosys,ou=Group,dc=company,dc=com
Require ldap-attribute gidNumber=420
Satisfy any

 

For multiple groups, add one ‘Require ldap-group’ directive for each group.
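To make the List of Users and Members of a group rules above concrete, here is a small Python model, added for this article and not Apache code, of how mod_authnz_ldap evaluates Require lines against a directory: the AuthLDAPUrl search locates the user's entry, then each Require ldap-user, ldap-group or ldap-attribute line is tested and any one that matches grants access. It shows why AuthLDAPGroupAttributeIsDN must agree with what the group attribute holds: memberUid stores bare usernames (hence IsDN off in the configuration above), whereas the module's default attributes member and uniqueMember store DNs. The sample directory, the user mallory and the helper names are constructed for this example; keithw, joeuser, infosys and gidNumber 420 come from the article.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]


# Constructed sample directory (not from the article): two members of infosys and one outsider.
# The group carries both a memberUid list (usernames) and a member list (DNs).
DIRECTORY: Dict[str, Entry] = {e.dn.lower(): e for e in [
    Entry("uid=keithw,ou=People,dc=company,dc=com", {"uid": ["keithw"], "gidNumber": ["420"]}),
    Entry("uid=joeuser,ou=People,dc=company,dc=com", {"uid": ["joeuser"], "gidNumber": ["500"]}),
    Entry("uid=mallory,ou=People,dc=company,dc=com", {"uid": ["mallory"], "gidNumber": ["500"]}),
    Entry("cn=infosys,ou=Group,dc=company,dc=com",
          {"cn": ["infosys"],
           "memberUid": ["keithw", "joeuser"],
           "member": ["uid=keithw,ou=People,dc=company,dc=com",
                      "uid=joeuser,ou=People,dc=company,dc=com"]}),
]}

PEOPLE_BASE = "ou=People,dc=company,dc=com"   # base DN from the article's AuthLDAPUrl


def find_user(username: str, attribute: str = "uid") -> Optional[Entry]:
    """Search phase of AuthLDAPUrl: the entry under the base DN whose attribute equals the
    username. The module requires exactly one match; anything else is treated as no user."""
    matches = [e for e in DIRECTORY.values()
               if e.dn.lower().endswith("," + PEOPLE_BASE.lower())
               and username in e.attrs.get(attribute, [])]
    return matches[0] if len(matches) == 1 else None


def in_ldap_group(username: str, user: Entry, group_dn: str,
                  group_attr: str, attr_is_dn: bool) -> bool:
    """Require ldap-group: with AuthLDAPGroupAttributeIsDN on the attribute holds DNs
    (compared case-insensitively); with it off it holds bare usernames, as memberUid does."""
    group = DIRECTORY.get(group_dn.lower())
    if group is None:
        return False
    members = group.attrs.get(group_attr, [])
    if attr_is_dn:
        return user.dn.lower() in (m.lower() for m in members)
    return username in members


def has_ldap_attribute(user: Entry, spec: str) -> bool:
    """Require ldap-attribute name=value: the user's own entry carries that exact value."""
    name, _, value = spec.partition("=")
    return value in user.attrs.get(name, [])


def authorize(username: str, requires: List[Tuple[str, str]],
              group_attr: str = "member", attr_is_dn: bool = True) -> bool:
    """Evaluate (Require type, argument) pairs; any satisfied line grants access, which is
    how several Require lines in one context behave. Defaults mirror the module's
    (IsDN on; the module actually checks both member and uniqueMember by default)."""
    user = find_user(username)
    if user is None:
        return False          # the bind would already have failed; nothing to authorize
    for kind, arg in requires:
        if kind == "valid-user":
            return True
        if kind == "ldap-user" and username in arg.split():
            return True
        if kind == "ldap-group" and in_ldap_group(username, user, arg, group_attr, attr_is_dn):
            return True
        if kind == "ldap-attribute" and has_ldap_attribute(user, arg):
            return True
    return False


# The article's "Members of a group" Require lines
GROUP_CONFIG = [("ldap-group", "cn=infosys,ou=Group,dc=company,dc=com"),
                ("ldap-attribute", "gidNumber=420")]
# The article's "List of Users" Require line
USER_CONFIG = [("ldap-user", "keithw joeuser")]

if __name__ == "__main__":
    for name in ("keithw", "joeuser", "mallory"):
        print(name, "memberUid/IsDN off:", authorize(name, GROUP_CONFIG, "memberUid", False),
              " memberUid/IsDN on (misconfigured):", authorize(name, GROUP_CONFIG, "memberUid", True))
```

With memberUid and IsDN off, keithw and joeuser are admitted and mallory is refused. Leave IsDN at its default of on while still naming memberUid and joeuser is locked out, because his bare username never equals a DN; keithw still gets in, but only through the separate Require ldap-attribute gidNumber=420 line, which is exactly the kind of silent partial failure the closing paragraph's LogLevel debug advice is meant to surface.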

 

That’s it! Apache authentication using LDAP can be painful and frustrating, simply because your web browser only tells you whether access was granted or denied; there is no debugging support on the client side. If you want, add LogLevel debug to the above configuration to get verbose information at each step: Apache will record the connection status, the requested attributes and values, return values, and whether each condition was satisfied.

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses. Ubiq makes it easy to build business dashboards & reports for your business. Try it for free today!