From Fedora Directory Server
How to set up Apache to authenticate against Fedora Directory Server
There are two modules available for Apache that handle authentication through LDAP: mod_authnz_ldap, which ships with Apache itself, and mod_authz_ldap, which is an external module.
The following example configurations assume you have the directory server on the same host as Apache and listening on the default LDAP port, 389. If this isn't the case, change the value of the AuthzLDAPServer or AuthLDAPURL directive as appropriate. Also, change instances of "dc=example,dc=com" to the DN for your particular domain. No SSL/TLS is used in these examples.
Authenticate Users
The first example allows any user in the directory server to authenticate. This configuration assumes you use the default "uid" attribute to hold the login name of your users.
mod_authnz_ldap
<Location "/files">
AuthType Basic
AuthName "Secure Area"
# Apache 2.2 defaults AuthBasicProvider to "file"; mod_authnz_ldap needs "ldap"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPURL "ldap://localhost:389/ou=People,dc=example,dc=com"
Require valid-user
</Location>
BindDn
If you need a user account to query the LDAP server you can add the following to bind as that user.
AuthLDAPBindDN "uid=tux,ou=Special Users,dc=example,dc=com"
AuthLDAPBindPassword "secret"
Change the DN to the correct user, and also replace secret with your password.
mod_authz_ldap
<Location "/files">
AuthType Basic
AuthName "Secure Area"
AuthzLDAPAuthoritative On
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer localhost:389
AuthzLDAPUserBase ou=People,dc=example,dc=com
AuthzLDAPUserKey uid
Require valid-user
</Location>
BindDn
If you need a user account to query the LDAP server you can add the following to bind as that user.
AuthzLDAPBindDN "uid=tux,ou=Special Users,dc=example,dc=com"
AuthzLDAPBindPassword secret
Change the DN to the correct user, and also replace secret with your password.
Authorize by Group
The second example allows any user in the directory server to authenticate provided that they are a member of a specified group. This configuration assumes you use the default "uid" attribute to hold the login name of your users, the default "cn" attribute to hold the name of your groups and the default "uniquemember" attribute to hold the full DN of users who are members of the group.
<Location "/files">
AuthType Basic
AuthName "Secure Area"
AuthzLDAPAuthoritative On
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer localhost:389
AuthzLDAPUserBase ou=People,dc=example,dc=com
AuthzLDAPUserKey uid
AuthzLDAPGroupBase ou=Groups,dc=example,dc=com
AuthzLDAPGroupKey cn
AuthzLDAPMemberKey uniquemember
AuthzLDAPSetGroupAuth ldapdn
Require group MyGroup
</Location>
If the attribute specified by AuthzLDAPMemberKey only holds the login names of group members, rather than their full DNs, change the AuthzLDAPSetGroupAuth directive to:
AuthzLDAPSetGroupAuth user
This method only checks membership in a single group. Fedora Directory Server also does not have the concept of dynamically generated memberOf attributes on objects.
Authorize by Role
The third example authenticates users by verifying that they are part of a Role.
This example uses mod_authnz_ldap and "require ldap-attribute".
The concept of Roles is a replacement for the concept of groups in LDAP. It is a dynamic property on objects in the LDAP database, and as such more generic than the memberOf concept.
<Location "/files">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider "ldap"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=example,dc=com"
# these are OR'd
require ldap-attribute nsRole=cn=group1,ou=People,dc=example,dc=com
require ldap-attribute nsRole=cn=group2,ou=People,dc=example,dc=com
</Location>
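The group and role checks above can be hard to reason about from the directives alone. The following script, an added example that is not part of the wiki page or of either Apache module, models the same decisions against a small constructed in-memory directory: "Require group" with AuthzLDAPSetGroupAuth set to ldapdn versus user, and the OR'd "require ldap-attribute nsRole=..." lines. The entries, the legacy group and the memberUid attribute are constructed for the demonstration.

```python
# Added example, not from the Fedora DS wiki page: models the authorization
# decisions the Apache configurations above express, against a constructed
# in-memory directory, so the directive semantics can be checked offline.
# DNs and attribute names are compared case-insensitively, as LDAP does.
DIRECTORY = {  # constructed sample entries; attribute names follow the page's defaults
    "uid=tux,ou=people,dc=example,dc=com": {
        "uid": ["tux"],
        "nsrole": ["cn=group1,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "nsrole": ["cn=group2,ou=people,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "nsrole": []},
    "cn=mygroup,ou=groups,dc=example,dc=com": {
        "cn": ["mygroup"],
        "uniquemember": ["uid=tux,ou=people,dc=example,dc=com"],
    },
    "cn=legacy,ou=groups,dc=example,dc=com": {
        "cn": ["legacy"],
        "memberuid": ["alice"],  # bare login names: the AuthzLDAPSetGroupAuth user case
    },
}

def find_user_dn(login, user_base, user_key="uid"):
    """AuthzLDAPUserBase/AuthzLDAPUserKey: find the entry holding this login name."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + user_base.lower()) and login.lower() in attrs.get(user_key, []):
            return dn
    return None

def in_group(login, group, member_key, set_group_auth,
             user_base="ou=people,dc=example,dc=com",
             group_base="ou=groups,dc=example,dc=com", group_key="cn"):
    """'Require group <group>': set_group_auth is "ldapdn" when the member
    attribute holds full user DNs, "user" when it holds bare login names."""
    user_dn = find_user_dn(login, user_base)
    if user_dn is None:
        return False
    members = DIRECTORY.get("%s=%s,%s" % (group_key, group.lower(), group_base), {})
    wanted = user_dn if set_group_auth == "ldapdn" else login.lower()
    return wanted in [m.lower() for m in members.get(member_key, [])]

def has_any_role(login, roles, user_base="ou=people,dc=example,dc=com"):
    """Several 'require ldap-attribute nsRole=...' lines are OR'd: one match grants access."""
    user_dn = find_user_dn(login, user_base)
    if user_dn is None:
        return False
    held = [r.lower() for r in DIRECTORY[user_dn].get("nsrole", [])]
    return any(r.lower() in held for r in roles)
```

Note that a group whose member attribute holds login names is silently never matched when AuthzLDAPSetGroupAuth is left at ldapdn, which is the mismatch the text above warns about.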
Authorize over SSL
This example demonstrates authorizing Apache 2.0 over SSL.
Notes
Apache 2.0 needs to use mod_auth_ldap, as mod_authz_ldap does not support SSL.
Apache 2.2 has been reworked; see the mod_authnz_ldap directives on the Apache website.
These global directives need to be placed in httpd.conf :
LDAPTrustedCA /etc/openldap/cacerts/ldap-ca.pem
LDAPTrustedCAType BASE64_FILE
The location section may be added directly into your httpd.conf as well:
<Location /mypath>
AuthLDAPAuthoritative On
AuthLDAPEnabled On
AuthType Basic
AuthName "LDAP Login"
AuthLDAPURL "ldaps://ldap.example.com:636/ou=users,dc=example,dc=com?uid?sub"
require valid-user
</Location>
Authorize using ldap-attribute
This example combines both authz_ldap_module and authnz_ldap_module on Apache 2.2.
This allows a user to have access to a URL if they have your_attribute_name=whatever_you_want.
<Location />
AuthType Basic
AuthName "FDS Rocks!"
# this part provides authentication
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer ldap1.example.com
AuthzLDAPUserBase ou=people,dc=example,dc=com
AuthzLDAPUserKey uid
AuthzLDAPAuthoritative Off
# this part provides authorization
AuthLDAPUrl ldap://ldap.example.com:389/ou=people,dc=example,dc=com
require ldap-attribute your_attribute_name=whatever_you_want
</Location>
