Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2007/07/10 16:02:18 UTC

[Httpd Wiki] Update of "UseLDAPToPasswordProtectAFolder" by RiciLake

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by RiciLake:
http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder

The comment on the change is:
Some more cleanup, particularly the necessity for AuthzLDAPAuthoritative off

------------------------------------------------------------------------------
  == Use LDAP to password protect a Folder ==
  
  
- In this How-To guide, we will show you how to add LDAP authentication to your Apache web server.
+ In this How-To guide, we will show you how to add LDAP authentication to your Apache 2.2 web server.
  
  
  === Prerequisites ===
@@ -16, +16 @@

  ||Apache HTTP Server|| ||http://httpd.apache.org/download.cgi|| ||Apache HTTP Server...||
  
  
- Ok, for the purpose of this document, we will show you how to add the required statements, to a !VirtualHost.
+ Here we will show you how to add the required statements in a !VirtualHost.
- [[BR]]
- This is an example !VirtualHost stanza
+ This is the example !VirtualHost stanza
  
  {{{
  <VirtualHost *:80>
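Review bot: the example stanza opens with `<VirtualHost *:80>`, while the `AuthType Basic` row added further down in this same change says Basic auth sends the user's password in plain text and should normally only be used with SSL; either make the example a `*:443` host or say up front that the port-80 stanza is for illustration only, otherwise readers will copy a setup that ships the LDAP password in the clear. The Prerequisites table shown here lists only the Apache HTTP Server download; it should also name mod_ldap and mod_authnz_ldap, since the `AuthBasicProvider ldap`, `AuthLDAPURL`, `AuthLDAPBindDN` and `AuthzLDAPAuthoritative` directives used below are provided by those modules in 2.2 and the page will not work unless they are loaded.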
@@ -52, +51 @@

  
  Some of the statements may look familiar to you, as you may have used them for authentication in the past.
  [[BR]]
- [[BR]]In the example below we will be using a specific account in LDAP to allow Apache to 'bind' to LDAP in order to authenticate all incoming requests.  For this you will need to create one such account, we use the example 'apacheldap' below.  
+ [[BR]]In the example below we will be using a specific account in LDAP to allow Apache to 'bind' to LDAP in order to authenticate all incoming requests.  For this you will need to create one such account, we use the example 'apacheldap' below. Do not use an administrative account for this purpose; only read access is required.  
  [[BR]]  
  === LDAP Directives ===
  [[BR]]
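Review bot: the sentence kept from the old text says the 'apacheldap' account is used "to authenticate all incoming requests", but that account is only used for the search that finds the user's DN; the password typed into the browser is then checked by binding as that user's own DN. The new advice (non-administrative, read-only) is right and could be stated more precisely: the bind account needs search and read access to the subtree named in `AuthLDAPURL` and nothing else. Since `AuthLDAPBindPassword` puts that password in clear text in the httpd configuration, it is also worth a sentence on keeping the config file readable only by root and the server user.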
@@ -60, +59 @@

  [[BR]]
  [[BR]]
  
- ||!AuthType Basic|| ||This line tells apache to use Basic authentication.  This is essentially a Plain Text authentication session.||
+ ||!AuthType Basic|| ||This line tells apache to use Basic authentication.  This sends the user's password in plain text and should normally only be used with SSL.||
- ||!AuthName LDAP_Auth_Test|| ||This is basically the realm name that will be displayed in the login box presented by your browser.||
+ ||!AuthName LDAP_Auth_Test|| ||This is the realm name that will be displayed in the login box presented by your browser.||
  ||!AuthBasicProvider ldap|| ||This line instructs apache to use only LDAP for authentication.  You can have multiple entries on one line, if you want to use multiple methods, but that is beyond the scope of this document.||
- ||AuthzLDAPAuthoritative OFF|| ||Having this switched 'ON' would prevent over authz modules from authenticating users.  This is not a real issue in this example, but we will leave it switched off for simplicity's sake.||
+ ||AuthzLDAPAuthoritative OFF|| ||Having this switched 'ON' would prevent other authorization modules from authenticating users.  This is necessary to allow the 'require valid-users' below to work, since we are only using LDAP to authenticate in this example.||
  ||AuthLDAPBindDN|| ||Bind to the LDAP server for all operations using a specific user ID.  In this case we will use ''cn=apacheldap,dc=mydomain,dc=com'' (this is the account we mentioned earlier in the document).||
  ||AuthLDAP!BindPassword|| ||Bind to the LDAP server for all operations using a specific password.  In this case '' 'letmein' ''||
  ||AuthLDAPURL !ldap://localhost/dc=mydomain,dc=com?cn?sub|| ||This line tells Apache which server and path to use to authenticate against.  In this example, Apache will check the local LDAP server, in tree ''dc=mydomain,dc=com'', and it will then search for cn fields, recursively.  If we use ''cn=apacheldap,dc=mydomain,dc=com'' as an example, you will notice that the cn for the apacheldap account in ''apacheldap''.  This means when prompted by your browser for a username, you should enter your canonical name.  You can set this to sn, gn, etc and then you will be required to login as your first name, or surname.||
- ||Require valid-user|| ||This line instructs Apache to ensure the username entered in the browser matches that of one in the LDAP tree.||
+ ||Require valid-user|| ||This line instructs Apache to give access to anyone whose identity has been authenticated. Using the authnorization component of mod_authnz_ldap, you could restrict access further, for example to members of an LDAP group.||
  
  
  === Steps ===
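Review bot: the new `AuthzLDAPAuthoritative OFF` row refers to `'require valid-users'`, but the directive in the table two rows below is `Require valid-user` (singular); a reader who copies `valid-users` into the config will not get a working setup, so change the row to `Require valid-user`. In the same row, "prevent other authorization modules from authenticating users" mixes the two phases: authorization modules do not authenticate anyone. Suggested wording: "With this ON, mod_authnz_ldap refuses to let other authorization modules decide a request it cannot satisfy itself; it must be OFF here so that `Require valid-user` can be handled." Two smaller fixes: "authnorization" in the `Require valid-user` row should be "authorization", and the unchanged `AuthLDAPURL` row reads "the cn for the apacheldap account in 'apacheldap'" where "in" should be "is".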