Fedora 34
Sponsored Link

Apache httpd : Basic Auth + LDAP
2021/05/18
 
Configure [mod_ldap] to use LDAP directory users on httpd Basic authentication.
On this example, it uses Active Directory like following environment for it.
Domain Server : Windows Server 2019
Domain Name : srv.world
Hostname : fd3s.srv.world
NetBIOS Name : FD3S01
Realm : SRV.WORLD
[1]
Username and password are sent with plain text on Basic Authentication, so Use secure connection with SSL/TLS setting, refer to here.
[2]
Create a user on Active Directory for binding Active Directory from httpd.
On this example, it creates [ldapuser], it's OK to grant [Domain Users] rights only for it.
[3] Install [mod_ldap].
[root@www ~]#
dnf -y install mod_ldap
[4] Configure Basic authentication + LDAP.
For example, set Basic Authentication to the directory [/var/www/html/auth-ldap].
[root@www ~]#
vi /etc/httpd/conf.d/authnz_ldap.conf
# create new

# on example below, it limits the range to search the directory only [LDAPUsers] OU

# so only users under the [LDAPUsers] OU can authenticate with this setting

# for [AuthLDAPBindDN] and [AuthLDAPBindPassword], specify the AD user for binding

<Directory "/var/www/html/auth-ldap">
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://fd3s.srv.world:389/ou=LDAPUsers,dc=srv,dc=world?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN ldapuser@srv.world
    AuthLDAPBindPassword Password
    Require valid-user
</Directory>

[root@www ~]#
chgrp apache /etc/httpd/conf.d/authnz_ldap.conf

[root@www ~]#
chmod 640 /etc/httpd/conf.d/authnz_ldap.conf

[root@www ~]#
systemctl restart httpd

# create a test page

[root@www ~]#
mkdir /var/www/html/auth-ldap

[root@www ~]#
vi /var/www/html/auth-ldap/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page for LDAP Authentication
</div>
</body>
</html>
[5] If SELinux is enabled, change policy like follows.
[root@www ~]#
setsebool -P httpd_can_network_connect on

[root@www ~]#
setsebool -P httpd_can_connect_ldap on

[6] Access to the test page from any client computer with web browser. Then authentication is required as settings, answer with any AD user.
[7] That's OK if authentication is successfully passed and test page is displayed normally.
Matched Content