Apache 2.2
This uses mod_authnz_ldap (enable it with a2enmod authnz_ldap under Debian or Ubuntu).
In your httpd.conf or your .htaccess file, add the following:
# Access control for this directory
AuthBasicProvider ldap
AuthType Basic
AuthName "Password Required"
# URL format: scheme://host:port/basedn?attribute?scope?filter, followed by the connection type (NONE = plain ldap://, no TLS)
AuthLDAPURL "ldap://localhost:389/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
# Read-only service account used to search for the user's DN (a UPN here; a full DN also works)
AuthLDAPBindDN readonly@example.com
# Stored in clear text, so keep this file readable only by the web server user
AuthLDAPBindPassword plaintextpassword
# Only members of this group are allowed in
Require ldap-group CN=somegroup,OU=someou,OU=Groups,DC=example,DC=com
This example connects to a Microsoft Active Directory server. Against an OpenLDAP server you may find that you don't need the BindDN/Password options and that the login attribute is uid rather than sAMAccountName (the URL may be as simple as "ldap://localhost/DC=domain,DC=tld").
If you look at other sites online, you'll find that a lot of users say they have to fiddle with the config to get it working. Some of the common things I saw were:
- Setting "AuthzLDAPAuthoritative off"
- Specifying at least one container under the base DN (as in my example)
- Tweaking the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN options
- Using a full DN for AuthLDAPBindDN (my example uses a UPN)
- Enabling SSL or TLS
- Multiple domain controllers (simply list them separated by spaces in the host part of the URL)
- Filters with "Require ldap-filter"
As you can see, there can be a lot of tweaking for specific sites. But all in all, the basic configuration is quite simple. If your LDAP server allows anonymous searches, you really only need the AuthLDAPURL line, and it can be as simple as "ldap://localhost/DC=example,DC=com".
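To make the URL syntax concrete, here is an added example (my own code, not part of mod_authnz_ldap) that splits an AuthLDAPURL into the fields the module reads, shows the search filter it builds for a login name, and flags a URL that would send the bind password and user passwords over the wire unencrypted. It assumes the module's documented defaults for empty fields (attribute uid, scope sub, filter (objectClass=*)); the sample URLs are the ones from this post plus a constructed two-server ldaps:// one.

```python
"""Parse an AuthLDAPURL the way mod_authnz_ldap reads it, build the per-user
search filter, and flag clear-text transport.
Added example for this post; not the module's own code."""
from urllib.parse import unquote

# Defaults mod_authnz_ldap applies when a URL field is left empty (assumed from its docs)
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"
VALID_SCOPES = ("base", "one", "sub")
VALID_MODES = ("NONE", "SSL", "TLS", "STARTTLS")


def parse_auth_ldap_url(url, mode="NONE"):
    """Split 'scheme://hosts/basedn?attribute?scope?filter' into its fields.
    mode is the optional keyword that follows the URL on the directive line."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    host_part, _, dn_part = rest.partition("/")
    # Several servers may be listed, separated by spaces, for failover
    hosts = host_part.split() or ["localhost"]
    fields = dn_part.split("?")
    fields += [""] * (4 - len(fields))
    base_dn, attribute, scope, flt = (unquote(f) for f in fields[:4])
    scope = scope or DEFAULT_SCOPE
    if scope not in VALID_SCOPES:
        raise ValueError("bad scope: %r" % scope)
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError("bad connection mode: %r" % mode)
    return {
        "scheme": scheme,
        "hosts": hosts,
        "base_dn": base_dn,
        "attribute": attribute or DEFAULT_ATTRIBUTE,
        "scope": scope,
        "filter": flt or DEFAULT_FILTER,
        "mode": mode,
    }


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_search_filter(parsed, username):
    """The filter used to locate the user's DN before binding as that user:
    the URL filter AND-ed with attribute=username."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                              escape_filter_value(username))


def audit(parsed):
    """Return a list of findings about the transport the directive implies."""
    findings = []
    if parsed["scheme"] == "ldap" and parsed["mode"] == "NONE":
        findings.append("plain ldap:// with NONE: the bind password and every user's "
                        "password cross the network unencrypted; use ldaps:// or TLS/STARTTLS")
    return findings


if __name__ == "__main__":
    # The URL from the post above, with its NONE connection type
    example = parse_auth_ldap_url(
        "ldap://localhost:389/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)",
        "NONE")
    print(example)
    print(user_search_filter(example, "jdoe"))
    for finding in audit(example):
        print("WARNING:", finding)
```

Running it shows that the post's example builds the filter (&(objectClass=*)(sAMAccountName=jdoe)) for a login of jdoe, and that with ldap:// and NONE the audit reports clear-text transport; switching the scheme to ldaps:// or the mode to TLS clears the finding.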
- Arch