apache22 LDAP auth

If you have a central auth directory, such as OpenLDAP, everything should authenticate against it, including your Web apps. Here’s how you set up a FreeBSD system to authenticate against your OpenLDAP directory. I did this on FreeBSD/i386 running 8.1-PRERELEASE, with Apache 2.2 and OpenLDAP 2.4. Before starting, make sure your OpenLDAP install is configured correctly. You should be able to successfully run ldapsearch(1) against your directory. If your base OpenLDAP install is busted, go no further.

Apache 2.2 includes two optional modules for LDAP authentication, mod_ldap and mod_authnz_ldap. mod_ldap controls how Apache manages its LDAP connections, such as the amount of memory set aside for caching LDAP queries and the size of the LDAP connection pool. mod_authnz_ldap manages the necessary authentication queries to perform LDAP authentication.

First, go to /usr/ports/www/apache22 and run “make config-recursive”. This will configure both the apache22 port and the ports required by apache22. Apache now requires /usr/ports/devel/apr1. Both apache22 and apr1 must support LDAP. For Apache, select LDAP and AUTHNZ_LDAP. For apr1, you only need to select LDAP.

If you have already installed Apache 2.2 and need to rebuild it, first back up your /usr/local/etc/apache22. Go to the port directory and run “make config” to configure apache22 for LDAP. Then run “make && make deinstall && make reinstall” to replace your existing Apache with one that supports LDAP. Follow the same process if you have to replace your existing devel/apr1.

Enable LDAP in your httpd.conf by loading the LDAP and LDAP auth modules.

LoadModule ldap_module libexec/apache22/mod_ldap.so
LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so

If your error log shows the following on the reload, your apr1 is not configured to support LDAP. Try again.

httpd: Syntax error on line 105 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_ldap.so into server: /usr/local/libexec/apache22/mod_ldap.so: Undefined symbol "apr_ldap_info"

Now configure the Web server to require LDAP auth. In this example, all users who access this site must be a member of my “rancid” LDAP group. This must be in a .


#basic auth setup
AuthType Basic
AuthName "IOS VCS"
AuthBasicProvider ldap

#ldap setup
AuthLDAPURL “ldap://ldap1.domain.com/ou=people,dc=domain,dc=com” STARTTLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=rancid,ou=groups,dc=domain,dc=com

The first three lines are the standard Apache authentication, setting the type of authentication, the name that shows up in the password box, and the type of authentication used. The remainder is specific to LDAP.

The AuthLDAPURL option gives the location of the LDAP server and where we can find the group we’re interested in. We also specify STARTTLS here. (Does your LDAP server require SSL? If not, why?)

The rancid group is a POSIX group, with members identified by memberUID and not by full DN (e.g., uid=mwlucas,group=people,dc=domain,dc=com). By default, mod_authnz_ldap searches for group members by full DN. By setting the AuthLDAPGroupAttributeIsDN to off, I tell Apache not to use the full DN. By setting AuthLDAPGroupAttribute to memberUID, I tell Apache to search for the given username in the memberUID attribute of the group.

I don’t set require valid-user, because require ldap-group automatically verifies the user’s password before testing for group membership.