LDAP Authentication with Apache2 & .htaccess Files

Protecting web accessible directories with .htaccess and htpasswd files is a relatively simple process, it works great but when you’re maintaining 300 different htpasswd files all over the place it can become a slight ballache. If you have a LDAP server configured and in place, a nice alternative is to point all your .htaccess files to your LDAP server to handle the authentication.

Before you continue reading, this article assumes you already have the following in place:

* Apache2 server installed and configured
* OpenLDAP server installed and configured

First we need LDAP support for Apache2, so enable it & restart apache:

beer:~# a2enmod authnz_ldap
Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.
Run '/etc/init.d/apache2 restart' to activate new configuration!
beer:~# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
beer:~#

Next configure your Apache2 virtual host file with the following:


ServerAdmin bartender@example.com
ServerName beer.example.com
DocumentRoot /var/www/

Options FollowSymLinks
AllowOverride None


Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Deny from all
Allow from 10.100.0.1

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined


Your vhost configuration does not have to look exactly like the above, but just make sure that you have the AllowOverride All option set as this tells Apache to enable .htaccess files. I’ve also restricted access to 10.100.0.1 and disabled index listings, call me paranoid but I see nothing wrong with adding as many security layers as possible.

Next, assuming you are trying to protect the /var/www directory, dump a .htaccess file into that directory with the following contents:

Order deny,allow
Deny from All
AuthName "Restricted - Barmen Only"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://127.0.0.1/ou=people,dc=example,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-user dave
Satisfy any

The above config allows the user dave to authenticate, all other users are denied access. You can append additional user names to the Require ldap-user line or you could just allow all users in a specific LDAP group like so:

Order deny,allow
Deny from All
AuthName "Restricted - Barmen Only"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://127.0.0.1/ou=people,dc=example,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=barmen,ou=group,dc=example,dc=com
Require ldap-attribute gidNumber=1234
Satisfy any

Now all users in the barmen LDAP group will be able to authenticate and access this web directory. Remember to update the GID above with the GID of the barmen group.

You can also combine these 2 methods, for example to allow all users in the barmen group and also user fred (who is not in the barmen group) just use the following:

Require ldap-group cn=barmen,ou=group,dc=example,dc=com
Require ldap-attribute gidNumber=1234

More Here

Courtesy:http://writequit.co.za/2011/01/05/ldap-apache-htaccess/