Authenticating Apache 2 (Red Hat Enterprise Linux 5) to Open Directory

By Iain Morris posted on February 6th, 2009

Apple’s Mac OS X Server Apache install includes some cool modules that interface directly with Open Directory, if you host your sites on a Mac OS X Server box. If you are working on a Linux system, one of the easiest solutions is to use Apache’s LDAP modules (mod_ldap and mod_authnz_ldap) for authentication and authorization.

You’ll need to make sure your Apache install has LDAP support built in. If you are compiling from source, `--enable-ldap --enable-authnz-ldap --with-ldap` all need to be there. Distributions like Red Hat Enterprise Linux 5 or any of its binary-equivalents (CentOS, Fedora, etc.) include this functionality out of the rpm.

To test if it works, add an .htaccess file to one of your web directories (be sure AllowOverride is enabled for that directory in your httpd.conf or vhost conf file). To this file, add:

AuthName "LDAP Test"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPGroupAttributeIsDN off
AuthLDAPURL ldap://your.server.here/dc=your,dc=searchbase,dc=here
AuthLDAPGroupAttribute memberUid
Require ldap-group cn=yourgroupname,cn=groups,dc=your,dc=searchbase,dc=here

Just change the entries to your LDAP search base and insert the name of the group whose members should be allowed access.

Notice I had to specifically set “memberUid” to get this to work. If you do a search with dscl or ldapsearch, you’ll see the user attributes under the group you wish to allow.
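To see why the memberUid / AuthLDAPGroupAttributeIsDN off pairing matters, here is an added example (not the module’s code and not from the original post) that parses a constructed ldapsearch-style LDIF dump of an Open Directory group and reproduces the two ways mod_authnz_ldap can evaluate `Require ldap-group`: comparing the user’s DN against the group attribute (IsDN on) or comparing the supplied username (IsDN off). All names and DNs in it are made up.

```python
# Constructed LDIF for an Open Directory posixGroup, in the shape ldapsearch
# prints it. Values are made up; note that memberUid holds short user names,
# not DNs, which is why AuthLDAPGroupAttributeIsDN must be off.
GROUP_LDIF = """\
dn: cn=webusers,cn=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: apple-group
cn: webusers
gidNumber: 1025
memberUid: alice
memberUid: bob
"""


def parse_ldif_entry(ldif):
    """Parse a single LDIF entry into {attribute (lowercased): [values]}.

    Simplified parser: handles plain 'attr: value' lines only (no base64 '::'
    values, no line folding), which is enough for a group entry like the above.
    """
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def ldap_group_allows(group_entry, user_dn, user_name,
                      group_attr="memberUid", attr_is_dn=False):
    """Mimic the 'Require ldap-group' decision of mod_authnz_ldap.

    With AuthLDAPGroupAttributeIsDN on, the module asks the directory whether
    the user's DN is one of the values of group_attr; with it off, it asks
    whether the username the client authenticated with is. This is a
    simplified emulation using exact string comparison.
    """
    members = group_entry.get(group_attr.lower(), [])
    needle = user_dn if attr_is_dn else user_name
    return needle in members


def check_both_modes(group_entry, user_dn, user_name):
    """Return the authorization result under both IsDN settings, for comparison."""
    return {
        "AuthLDAPGroupAttributeIsDN off": ldap_group_allows(group_entry, user_dn, user_name),
        "AuthLDAPGroupAttributeIsDN on": ldap_group_allows(group_entry, user_dn, user_name,
                                                          attr_is_dn=True),
    }


if __name__ == "__main__":
    group = parse_ldif_entry(GROUP_LDIF)
    print(check_both_modes(group, "uid=alice,cn=users,dc=example,dc=com", "alice"))
```

Against a real server, the same memberUid values are what `ldapsearch -x -H ldap://your.server.here -b cn=groups,dc=your,dc=searchbase,dc=here cn=yourgroupname` shows you, so the script’s result for a user matches what Apache will decide.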

This is only a taste of what you can do with this powerful module. You can limit access to single users, or use search strings to key off very specific LDAP attributes (for instance, I only want to allow Kerio users or iPhone-issued users to see something); the sky is the limit. Play around with it, and you’ll find it is actually more powerful than Apple’s own auth setup.

You should be aware this will send LDAP queries in the clear over the wire between the web server and your LDAP server. You can use the module in LDAP TLS/SSL setups as well; I’ll add that in a future entry. Also very important: if your website is not under SSL, your users’ names and passwords will be in the clear as well, since Basic authentication only base64-encodes them. Please protect logins and passwords with SSL if any security is needed!
