20090718 minimalist mod_authnz_ldap config - plembo/onemoretech GitHub Wiki

title: Minimalist mod_authnz_ldap config
link: https://onemoretech.wordpress.com/2009/07/18/minimalist-mod_authnz_ldap-config/
author: lembobro
description:
post_id: 284
created: 2009/07/18 05:35:37
created_gmt: 2009/07/18 05:35:37
comment_status: open
post_name: minimalist-mod_authnz_ldap-config
status: publish
post_type: post

Minimalist mod_authnz_ldap config

The base configuration here is the shipping httpd.conf for Apache 2.2 on CentOS 5.3, a pretty typical Red Hat style config that includes all the bells and whistles turned on out of the box already. Old time sysadmins really hate that because they are at heart “do it yourself-ers”. Guys like me love it, because it leaves us more time to get past the mundane.

This config uses Apache 2.2’s mod_authnz_ldap module to protect a web directory by requiring an LDAP user ID (’uid’) and password for access.

The only problem is that you need to be very careful not to trip over some eccentricity, bug or other weirdness introduced by various developers in the food chain along the way.

First, edit httpd.conf to enable protection for the target web directory. For example, a symlink from /u01/share/media to /var/www/html/media:

```apache
<Directory /var/www/html/media>
    AllowOverride AuthConfig
</Directory>
```

You could also use “AllowOverride All” here, but you should consider the security implications before you do.

Next, install an .htaccess file in the target directory containing the following directives:

```apache
AuthName "Internal"
AuthType Basic
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?uid"
Require valid-user
```

So this is a really minimalist config. Any LDAP user attribute could be substituted for ‘uid’, for example ‘cn’. The module doc details how to use LDAP attribute or group filters for finer-grained security.

AuthBasicAuthoritative needs to be set to “off” whenever you’re using one of the alternative authentication modules like mod_authnz_ldap.

The AuthzLDAPAuthoritative directive is important. Don’t leave it out. If you do, you’ll keep getting prompted with the login dialog no matter how many times you enter the correct ID and password. It isn’t your LDAP server either (well, it could be, but we’ll assume for now that’s OK).

Technically you shouldn’t need this directive. The Apache doc says its purpose is to “Prevent other authentication modules from authenticating the user if this one fails.” That makes no sense, of course, because if you use the above config you’ll clearly be authenticating through the mod_authnz_ldap module.
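As an added example (not from the original post), here is a small bash linter for an .htaccess file like the one above: it pulls each directive out of the file and checks the settings this setup depends on, i.e. both Authoritative switches off, the ldap provider, an LDAP URL and a Require line. The directive names are the real mod_auth_basic / mod_authnz_ldap / mod_ldap ones; the script name in the usage line is made up.

```bash
#!/bin/bash
# Lint an .htaccess file for the minimalist mod_authnz_ldap setup described above.
# Added example, not from the original post; directive names are the real
# mod_auth_basic / mod_authnz_ldap ones, the file it checks is whatever you pass.

# Print the value of a directive (name matched case-insensitively, surrounding
# quotes stripped), or nothing if it is absent.
htaccess_get() {  # $1=file $2=directive
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == want { sub(/^[^ \t]+[ \t]+/, ""); gsub(/^"|"$/, ""); print; exit }
    ' "$1"
}

# Check a file against the directives this setup depends on. Prints one
# FAIL/WARN line per finding; returns 0 only when every hard check passes.
check_ldap_htaccess() {  # $1=file
    local f="$1" rc=0 d v
    v=$(htaccess_get "$f" AuthType | tr 'A-Z' 'a-z')
    [ "$v" = basic ] || { echo "FAIL: AuthType must be Basic (got '${v:-unset}')"; rc=1; }
    # Both "authoritative" switches must be off, or the login dialog loops.
    for d in AuthBasicAuthoritative AuthzLDAPAuthoritative; do
        v=$(htaccess_get "$f" "$d" | tr 'A-Z' 'a-z')
        [ "$v" = off ] || { echo "FAIL: $d must be off (got '${v:-unset}')"; rc=1; }
    done
    v=$(htaccess_get "$f" AuthBasicProvider | tr 'A-Z' 'a-z')
    case " $v " in
        *" ldap "*) ;;
        *) echo "FAIL: AuthBasicProvider must list ldap (got '${v:-unset}')"; rc=1 ;;
    esac
    v=$(htaccess_get "$f" AuthLDAPURL)
    case "$v" in
        "")        echo "FAIL: AuthLDAPURL is missing"; rc=1 ;;
        ldaps://*) ;;
        ldap://*)  echo "WARN: AuthLDAPURL is plain ldap://; passwords cross the wire in" \
                        "clear text unless mod_ldap STARTTLS (LDAPTrustedMode TLS) is on" ;;
        *)         echo "FAIL: AuthLDAPURL has an unexpected scheme: $v"; rc=1 ;;
    esac
    [ -n "$(htaccess_get "$f" Require)" ] || { echo "FAIL: no Require directive"; rc=1; }
    return "$rc"
}

# Usage (script name is hypothetical): ./lint-htaccess.sh /var/www/html/media/.htaccess
if [ -n "${1:-}" ]; then check_ldap_htaccess "$1"; fi
```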

Although I haven’t found anything on the issue yet, my guess is that the problem is some interaction with RHEL’s pam subsystem. I’ll post as soon as I know something more.

Copyright 2004-2019 Phil Lembo
