
Apache HTTPD can authenticate users against NCSA LDAP using the mod_authnz_ldap module. Below are some example configurations using this module.

Apache 2.2 Examples

Allow access to any valid user:

AuthType Basic
AuthBasicProvider "ldap"
AuthBasicAuthoritative On
AuthLDAPBindAuthoritative Off
AuthName "NCSA LDAP login"
# search ou=people by uid, excluding members of the all_disabled_usr group
AuthLDAPURL ldaps://ldap.ncsa.illinois.edu:636/ou=people,dc=ncsa,dc=illinois,dc=edu?uid?sub?(&(objectClass=inetorgperson)(!(memberOf=cn=all_disabled_usr,ou=groups,dc=ncsa,dc=illinois,dc=edu)))
# Apache 2.2 only; this directive was removed in 2.4
AuthzLDAPAuthoritative Off
Require valid-user


Allow access to a specific LDAP group:

AuthType Basic
AuthName "NCSA [groupname] login"
AuthBasicProvider "ldap"
AuthBasicAuthoritative On
AuthLDAPBindAuthoritative Off
# On: a user who is not in the group is rejected here instead of being passed to other authorization modules (Apache 2.2 only)
AuthzLDAPAuthoritative On
AuthLDAPURL ldaps://ldap.ncsa.illinois.edu:636/ou=people,dc=ncsa,dc=illinois,dc=edu?uid?sub?(&(objectClass=inetorgperson)(!(memberOf=cn=all_disabled_usr,ou=groups,dc=ncsa,dc=illinois,dc=edu)))
# [groupname] is a placeholder for the LDAP group's cn
Require ldap-group cn=[groupname],ou=groups,dc=ncsa,dc=illinois,dc=edu

Multiple groups can be specified by repeating the Require ldap-group line for each group that should have access.

Note that Apache caches LDAP query results for 10 minutes, so while you're testing, an LDAP change can take up to 10 minutes to take effect.
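As an added check (not from this page or NCSA), the following Python script parses the AuthLDAPURL used above into its fields and flags the weaknesses these examples avoid: a plaintext ldap:// scheme, a scope narrower than sub, an unbalanced filter, a missing disabled-user exclusion, and a Require ldap-group DN outside the directory suffix. The two snippets are constructed; cn=webadmins and the example.org values are placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed samples (not from the page): the group example above with a placeholder group, and a weakened variant.
GOOD_SNIPPET = """
AuthLDAPURL ldaps://ldap.ncsa.illinois.edu:636/ou=people,dc=ncsa,dc=illinois,dc=edu?uid?sub?(&(objectClass=inetorgperson)(!(memberOf=cn=all_disabled_usr,ou=groups,dc=ncsa,dc=illinois,dc=edu)))
Require ldap-group cn=webadmins,ou=groups,dc=ncsa,dc=illinois,dc=edu
"""
WEAK_SNIPPET = """
AuthLDAPURL ldap://ldap.example.org/ou=people,dc=example,dc=org?uid?one?(objectClass=inetorgperson)
Require ldap-group cn=staff,ou=groups,dc=other,dc=org
"""

def parse_ldap_url(url):
    """Split an LDAP URL (scheme://host[:port]/basedn?attr?scope?filter) into its fields."""
    p = urlsplit(url)  # everything after the first '?' lands in p.query; LDAP splits it on '?'
    attr, scope, flt = (p.query.split("?", 2) + ["", "", ""])[:3]
    return {"scheme": p.scheme, "host": p.hostname, "base": unquote(p.path.lstrip("/")),
            "port": p.port or (636 if p.scheme == "ldaps" else 389),
            "attr": attr or "uid", "scope": scope or "sub", "filter": flt}

def filter_balanced(flt):
    """True if every '(' in the filter is closed in order; long filters are easy to mistype."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def audit_snippet(text):
    """Return findings for the AuthLDAPURL and Require ldap-group lines of an Apache snippet."""
    urls = re.findall(r'^\s*AuthLDAPURL\s+"?([^\s"]+)', text, re.M | re.I)
    groups = re.findall(r"^\s*Require\s+ldap-group\s+(.+?)\s*$", text, re.M | re.I)
    if not urls:
        return ["no AuthLDAPURL directive found"]
    u, findings = parse_ldap_url(urls[0]), []
    if u["scheme"] != "ldaps":
        findings.append("scheme %s: the user's Basic-auth password is bound to LDAP unencrypted" % u["scheme"])
    if u["scope"] != "sub":
        findings.append("scope '%s' does not search the whole subtree under %s" % (u["scope"], u["base"]))
    if not filter_balanced(u["filter"]):
        findings.append("LDAP filter has unbalanced parentheses")
    if "(!(memberof=" not in u["filter"].lower():
        findings.append("filter has no (!(memberOf=...)) clause excluding disabled accounts")
    # group DNs should sit in the same directory suffix (the dc= components) as the user base DN
    suffix = ",".join(c for c in u["base"].lower().split(",") if c.startswith("dc="))
    for g in groups:
        if not g.lower().endswith(suffix):
            findings.append("Require ldap-group %s is outside the suffix %s" % (g, suffix))
    return findings
```

Running audit_snippet(GOOD_SNIPPET) returns no findings, while the weakened snippet produces one finding per problem listed above.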


Apache 2.4 Example

Allow access to any NCSA user who is not disabled:

# server-level directive (outside <Directory>): the certificate used to verify the ldaps:// server
LDAPTrustedGlobalCert CA_BASE64 /var/www/conf/ldap.ncsa.illinois.edu.crt
<Directory "/var/www/html/data">
    # Options All enables every option except MultiViews (Includes, ExecCGI, FollowSymLinks, ...); most directories need fewer
    Options All
    AllowOverride None
    AuthType Basic
    AuthBasicProvider "ldap"
    AuthBasicAuthoritative On
    AuthLDAPBindAuthoritative Off
    AuthName "NCSA LDAP Login"
    AuthLDAPURL ldaps://ldap.ncsa.illinois.edu:636/ou=people,dc=ncsa,dc=illinois,dc=edu?uid?sub?(&(objectClass=inetorgperson)(!(memberOf=cn=all_disabled_usr,ou=groups,dc=ncsa,dc=illinois,dc=edu)))
    Require valid-user
</Directory>

To create the certificate file referenced by LDAPTrustedGlobalCert at the top of the previous example, you can run the following:

# openssl x509 keeps only the first certificate printed (the server's own); any CA certificates the server sends follow it in the -showcerts output
openssl s_client -showcerts -connect ldap.ncsa.illinois.edu:636 </dev/null 2>/dev/null | openssl x509 -outform PEM > /var/www/conf/ldap.ncsa.illinois.edu.crt