There are two modules available for Apache that handle authentication through LDAP: mod_authnz_ldap, which ships with Apache itself, and mod_authz_ldap, which is an external module.
The following example configurations assume you have the directory server on the same host as Apache and listening on the default ldap port, 389. If this isn’t the case, then change the value of the AuthzLDAPServer or AuthLDAPURL directive as appropriate. Also, change instances of “dc=example,dc=com” to the DN for your particular domain. No SSL/TLS is used in these examples.
The first example allows any user in the directory server to authenticate; it is given first for mod_authnz_ldap and then for mod_authz_ldap. This configuration assumes you use the default “uid” attribute to hold the login name of your users.
<Location "/files">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL "ldap://localhost:389/ou=People,dc=example,dc=com"
Require valid-user
</Location>
If you need a user account to query the LDAP server you can add the following to bind as that user.
AuthLDAPBindDN "uid=tux,ou=Special Users,dc=example,dc=com"
AuthLDAPBindPassword "secret"
Change the DN to the correct user, and also replace secret with your password.
<Location "/files">
AuthType Basic
AuthName "Secure Area"
AuthzLDAPAuthoritative On
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer localhost:389
AuthzLDAPUserBase ou=People,dc=example,dc=com
AuthzLDAPUserKey uid
Require valid-user
</Location>
If you need a user account to query the LDAP server you can add the following to bind as that user.
AuthzLDAPBindDN "uid=tux,ou=Special Users,dc=example,dc=com"
AuthzLDAPBindPassword secret
Change the DN to the correct user, and also replace secret with your password.
The second example allows any user in the directory server to authenticate provided that they are a member of a specified group. This configuration assumes you use the default “uid” attribute to hold the login name of your users, the default “cn” attribute to hold the name of your groups and the default “uniquemember” attribute to hold the full DN of users who are members of the group.
<Location "/files">
AuthType Basic
AuthName "Secure Area"
AuthzLDAPAuthoritative On
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer localhost:389
AuthzLDAPUserBase ou=People,dc=example,dc=com
AuthzLDAPUserKey uid
AuthzLDAPGroupBase ou=Groups,dc=example,dc=com
AuthzLDAPGroupKey cn
AuthzLDAPMemberKey uniquemember
AuthzLDAPSetGroupAuth ldapdn
Require group MyGroup
</Location>
If the attribute specified by AuthzLDAPMemberKey only holds the login names of group members, rather than the full DN, change the AuthzLDAPSetGroupAuth directive to:
AuthzLDAPSetGroupAuth user
This method only allows checking membership of a single group. Fedora Directory Server also does not have the concept of dynamically generated memberOf attributes on objects.
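The same full-DN versus login-name distinction also exists in mod_authnz_ldap (Apache 2.2), where it is controlled by AuthLDAPGroupAttributeIsDN. The following is an added example, not configuration from the original page; it assumes the same layout as the example above (users under ou=People, groups under ou=Groups with members listed in uniquemember, and the hypothetical group name MyGroup).

```apache
<Location "/files">
    AuthType Basic
    AuthName "Secure Area"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthLDAPURL "ldap://localhost:389/ou=People,dc=example,dc=com?uid?sub"

    # Attribute of the group entry that lists its members.
    AuthLDAPGroupAttribute uniquemember
    # On  = member values are full user DNs (same as AuthzLDAPSetGroupAuth ldapdn)
    # Off = member values are bare login names (same as AuthzLDAPSetGroupAuth user)
    # A mismatch between this setting and the directory contents denies everyone.
    AuthLDAPGroupAttributeIsDN On

    # The group is named by its full DN. Several Require ldap-group lines may be
    # given; a user matching any one of them is granted access.
    Require ldap-group cn=MyGroup,ou=Groups,dc=example,dc=com
</Location>
```

Check the value of AuthLDAPGroupAttributeIsDN against an actual group entry before deploying: if the group stores DNs and the directive is Off, every membership test fails and valid users are locked out rather than granted access.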
The third example authenticates users by verifying that they are part of a Role.
This example uses mod_authnz_ldap and Require ldap-attribute.
The concept of Roles is a replacement for the concept of groups in LDAP. It is a dynamic property on objects in the LDAP database, and as such more generic than the memberOf concept.
<Location "/files">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider "ldap"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=example,dc=com"
# these are OR'd
require ldap-attribute nsRole=cn=group1,ou=People,dc=example,dc=com
require ldap-attribute nsRole=cn=group2,ou=People,dc=example,dc=com
</Location>
This example demonstrates authorizing Apache 2.0 over SSL.
Notes
Apache 2.0 needs to use mod_auth_ldap as mod_authz_ldap does not support SSL.
Apache 2.2 has been re-worked; you will need to look up the associated directives for mod_authnz_ldap on the Apache website.
These global directives need to be placed in httpd.conf:
LDAPTrustedCA /etc/openldap/cacerts/ldap-ca.pem
LDAPTrustedCAType BASE64_FILE
The location section may be added directly into your httpd.conf as well:
<Location /mypath>
AuthLDAPAuthoritative On
AuthLDAPEnabled On
AuthType Basic
AuthName "LDAP Login"
AuthLDAPURL "ldaps://ldap.example.com:636/ou=users,dc=example,dc=com?uid?sub"
require valid-user
</Location>
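Since the page only points at the website for the Apache 2.2 directives, here is the same SSL setup written for mod_ldap and mod_authnz_ldap on 2.2. This is an added example, not configuration from the original page; it assumes the CA file path, server name and base DN used above and the hypothetical path /mypath.

```apache
# Global (server config) directives for mod_ldap on Apache 2.2.
# One LDAPTrustedGlobalCert line replaces the 2.0 pair
# LDAPTrustedCA / LDAPTrustedCAType BASE64_FILE.
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/ldap-ca.pem
# Refuse the connection if the server certificate does not chain to that CA.
# On is the default; it is stated explicitly so it cannot be silently lost.
LDAPVerifyServerCert On

<Location /mypath>
    AuthType Basic
    AuthName "LDAP Login"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    # An ldaps:// URL forces SSL mode, so no LDAPTrustedMode line is needed.
    AuthLDAPURL "ldaps://ldap.example.com:636/ou=users,dc=example,dc=com?uid?sub"
    Require valid-user
</Location>
```

With LDAPVerifyServerCert On, a certificate that does not validate against ldap-ca.pem causes the bind to fail and the user to be denied, which is the behaviour to confirm when testing the setup against the directory server.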
This example combines both authz_ldap_module and authnz_ldap_module on Apache 2.2.
This allows a user to have access to a URL if they have your_attribute_name=whatever_you_want.