Re: Apache 2.2.4 / Auth LDAP / OpenLDAP 2.3.35 User authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Tony Stevenson schrieb:

Try this one:
http://wiki.apache.org/httpd/UseLDAPToPasswordProtectAFolder


Nice suggestion noodl  :)


I had a look at the wiki and I've decied to test this without
DAV first.

Any noodle, yes, I had a file based authentication for the DAV
container that was working perfectly. I just changed the auth
part to LDAP.

AuthType Basic
AuthzLDAPAuthoritative Off
AuthBasicProvider ldap
AuthName "DOMAIN DAV Upload"
AuthLDAPBindDN "cn=Manager,dc=domain,dc=org"
AuthLDAPBindPassword "mysecretpassword"
AuthLDAPURL
ldap://127.0.0.1:389/ou=DAV,dc=global,dc=domain,dc=org?cn?sub?(objectCla
ss=person)

Require ldap-user U000001


</Limit>
</Directory>


One thing you can try quickly is below, i.e. add the quotes around the CN
you want to require.

Require ldap-user "U000001"

I'm going to test that right away.

I don't often restrict based on user accounts, more often based on group
membership, allows for extensibility without needing a restart of Apache.

If you would rather use groups, here is what I typically use:

 AuthType Basic
 AuthName "**AUTH REALM NAME HERE**"
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on
 AuthLDAPGroupAttributeIsDN off
 AuthLDAPGroupAttribute memberUid
 AuthLDAPBindDN          cn=ldapusertobindas,dc=example,dc=com
 AuthLDAPBindPassword    bindpassword
 AuthLDAPURL ldap://localhost/dc=pc-tony,dc=com?uid
 require ldap-group cn=ldapgroup1,ou=groups,dc=example,dc=com


hth


Yeah, I've seen a lot of examples based on group authentication,
which I can't use since no user should see the uploaded files
of any other user and may not have access to it. Hence the setup

http://host.domain.com/U000001 ... /U000002 and so forth.

If there is a more elegant way to accomplish this with rewrites
or userdir, please let me know ;)


Cheers,
Tony

Thanks for the tips, I will rewrite my httpd.conf to auth
just the docroot with LDAP.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux