Traditionally, in Apache\u2019s config file(s) you specify a directory you wish to have secured via the \u201cDirectory\u201d directive like so:<\/p>\n\n\n\n
\nAllowOverride None
Options ExecCGI Includes
Order allow,deny
Allow from all
AuthUserFile \/secure\/passwd\/file\/location
AuthType Basic
AuthName “Cool Security Name”
Require valid-user<\/p>\n<\/blockquote>\n\n\n\n
You then create your passwd file for Apache with the htpasswd utility, make sure the above path points to it, bounce Apache, and you\u2019re authenticating locally. Problem with this is that every time you need to add a new user to your environment, every instance like this has to be touched individually and you have to add the user (whether by copy\/paste or otherwise is irrelevant) in each.<\/p>\n\n\n\n
Enter LDAP.<\/p>\n\n\n\n
Fortunately, the configuration for such a change is quite easy; Simple textual changes to the httpd.conf to repoint from the local disk file to the LDAP store is all you need. First, make sure that your LDAP modules are properly loaded into Apache:<\/p>\n\n\n\n
LoadModule ldap_module modules\/mod_ldap.so<\/p>\n\n\n\n
LoadModule authnz_ldap_module modules\/mod_authnz_ldap.so<\/p>\n\n\n\n
This tells the Apache core to load up these at startup so that the directives you supply in the Directory stanza will be understood. Next, let\u2019s add the appropriate info into the Directory section:<\/p>\n\n\n\n
AllowOverride None
Options ExecCGI Includes
Order deny,allow
Deny from all
AuthName \u201cCool Security Name\u201d
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap:\/\/cool.ldap.server\/dc=bob,dc=com?uid
AuthLDAPBindDN \u201ccn=admin,dc=bob,dc=com\u201d
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPBindPassword\u00a0
Satisfy any<\/p>\n\n\n\n
This simple change (after an Apache restart) should give your Apache server security over that directory, authenticating against LDAP. Since your LDAP store is POSIX compliant for login, you have a few other things you can leverage in there as well. Among those, are the \u201cGroup\u201d field. That\u2019s right, instead of going out and adding individuals and\/or preventing them, you can specify an entire class of people (say LDAP_Logins for instance) that if the user belongs to that group, suddenly they have access to anything that is authenticating against LDAP.<\/p>\n\n\n\n
To add that ability, you can add groups to the stanza above like so:<\/p>\n\n\n\n
Require ldap-group cn=mygroup,ou=Group,dc=bob,dc=com
Require ldap-attribute gidNumber=500
(you place your group number in place of the \u201c500\u201d above)<\/em>
Now that you have the magic behind LDAP auth for Apache, you can add this to any Apache web server of the 2.x variety, and do your security centrally.<\/p>\n\n\n\nThe ease of addition for new users on your network is now as simple as adding the user to your LDAP store, placing them in the appropriate group. Once Apache was restarted the very first time to make this work, you never have to restart it for user additions. It will simply query LDAP, and LDAP will provide the credential response Apache needs to continue forward.<\/p>\n\n\n\n
Next time: Sudoers in LDAP!<\/p>\n","protected":false},"excerpt":{"rendered":"
Once you\u2019ve got your handy LDAP server authenticating users for login throughout your environment, inevitably you find yourself getting around to the question of authentication for all your backend tools\/services machines. Can you authenticate from Apache to that same auth store to reduce administration burden across the environment? Yes you can. Recall from part I […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[8],"tags":[],"class_list":["post-311","post","type-post","status-publish","format-standard","hentry","category-open-source"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts\/311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/comments?post=311"}],"version-history":[{"count":1,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts\/311\/revisions"}],"predecessor-version":[{"id":312,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/posts\/311\/revisions\/312"}],"wp:attachment":[{"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/media?parent=311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/categories?post=311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/questy.org\/index.php\/wp-json\/wp\/v2\/tags?post=311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}