I did a small test of mod_ldap today. It wasn't terribly difficult, but most guides online seemed to overly complicate the matter.
In my test, I chose a directory located off of my website root that I wanted to restrict to only users with an LDAP account. (That's any user, regardless of OU, group, or hair color.) In this example, I'll use http://server/ldaptest as my protected location and some.domain.com as my domain.
- First, I set up a dummy index page in /var/www/html/ldaptest. (This location will obviously vary depending on your Apache installation.)
- Next, I opened my httpd.conf file (mine was in /etc/httpd/conf/httpd.conf) and made sure these two lines were present:
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  This indicates that mod_ldap and mod_authnz_ldap (both necessary) are installed.
- Next, I added the following lines to httpd.conf (the complete set of directives for the protected directory is explained one by one under "Terms explained" below):
    Deny from All
    AuthName "Company.com Intranet"
    AuthLDAPBindDN "CN=PortalReader,OU=Service Accounts,OU=IS,OU=FSA,DC=some,DC=domain,DC=com"
- I then restarted Apache by issuing the command:
    service httpd restart
Terms explained (as best I can):
- /var/www/html/ldaptest: the directory on the local server whose settings you are defining.
- Order deny,allow: specifies the order in which permissions are applied. (This is typical.)
- Deny from All: prohibits all non-authenticated users from proceeding.
- AuthName "Company.com Intranet": simply provides a name for your service that the browser will show in its authentication prompt.
- AuthType Basic: specifies the type of authentication to be used for the directory.
- AuthBasicProvider ldap: specifies who is going to handle the basic authentication.
- AuthzLDAPAuthoritative off: required when using valid-user (see below).
- AuthLDAPUrl: the location we are searching. This includes your domain controller and your domain.
- Require valid-user: tells mod_ldap to accept all valid domain users regardless of location.
- AuthLDAPBindDN "CN=PortalReader,OU=Service Accounts...": tells mod_ldap the fully qualified location of the account used to bind to your domain. This account needs read privileges on your domain.
- AuthLDAPBindPassword: simply the password for your bind account.
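Assembling the directives explained above into one block, the following is an added example of a complete configuration; it is my reconstruction, not the post's original file. It keeps the post's Apache 2.2 syntax. Two things are additions not in the post: Satisfy Any (with Apache's default Satisfy All, "Deny from All" refuses every client before authentication is attempted, so either Satisfy Any is needed or the three host-access lines are simply left out, since Require valid-user already rejects unauthenticated requests) and the LDAPTrustedGlobalCert line, which lets AuthLDAPUrl use ldaps:// so neither the bind password nor users' passwords cross the network in the clear. The domain controller host name dc1.some.domain.com, the CA file path and the bind password are placeholders.

```apache
# Added example: the post's directives assembled into one block (Apache 2.2 syntax).
# Apache 2.4 removes AuthzLDAPAuthoritative and moves Order/Deny/Satisfy into
# mod_access_compat, so there only the Auth*/Require lines are needed.

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Server-level mod_ldap settings. The CA certificate lets mod_ldap verify the
# domain controller when AuthLDAPUrl uses ldaps://; the path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/domain-ca.crt
LDAPVerifyServerCert On

<Directory "/var/www/html/ldaptest">
    # Host-based access control as in the post. Satisfy Any is added so the
    # failed host check (Deny from All) hands the decision to the user check
    # below instead of returning 403 to everyone (the default is Satisfy All).
    Order deny,allow
    Deny from All
    Satisfy Any

    AuthName "Company.com Intranet"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off

    # URL form: scheme://host:port/base-dn?login-attribute?scope?filter
    # dc1.some.domain.com is a placeholder for your domain controller;
    # sAMAccountName is the attribute Active Directory users log in with.
    AuthLDAPUrl "ldaps://dc1.some.domain.com:636/DC=some,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Read-only service account used to bind and search. The DN is the one
    # from the post; the password is a placeholder. Since httpd.conf now holds
    # a credential, make it readable by root only (httpd reads it as root).
    AuthLDAPBindDN "CN=PortalReader,OU=Service Accounts,OU=IS,OU=FSA,DC=some,DC=domain,DC=com"
    AuthLDAPBindPassword "CHANGE-ME-bind-password"

    # Any account that authenticates against the directory is accepted.
    Require valid-user
</Directory>
```

Two checks before restarting save the debugging described further down: apachectl configtest reports the unquoted-DN problem (the DN contains spaces, so without quotes Apache sees several arguments), and ldapsearch -x -H ldaps://dc1.some.domain.com -D "<bind DN>" -W -b "DC=some,DC=domain,DC=com" "(sAMAccountName=<user>)" dn confirms, independently of Apache, that the bind DN, its password and the base DN are right. Basic authentication sends each user's password base64-encoded, not encrypted, so the protected location should only be served over HTTPS, as the post's own setup was.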
That was all there was to it. I did have a couple of issues though:
- I didn't get the DN (Distinguished Name) for the AuthLDAPBindDN right the first time. In order to get the correct DN, I used ADSIEdit to find the actual object and copy the DN directly, putting it in quotes. (If you fail to use quotes, Apache will not start, on the basis that you cannot have more than one value for that setting.)
- In order to determine that I was having the above problem, I had to set logging to the debug level. You do this by finding LogLevel in httpd.conf and setting it to debug. Previously, I had warn set.
- Lastly, I didn't watch the right log for errors at first. I defaulted to trying error_log, but in my particular case I was using SSL, so the correct log was ssl_error_log.
This configuration allows ANY valid user in the specified domain to log in. In order to use groups and things of that nature, I recommend you look at this guide.