Apache Authentication
Basic Authentication
Apache has Basic authentication built in. The htpasswd command creates a local file of usernames and hashed passwords on the file system, and Apache checks the credentials a browser supplies against that file before it serves a particular web directory. Basic authentication only base64-encodes the password in the request, so protect the directory over HTTPS; otherwise anyone on the path can read the credentials.
#1. Create a directory to place password protection on. For this example I will call the directory authtest
#2. Place an index.html file with something simple. Mine says: Welcome Authenticated User
#3. Create a file with the usernames and hashed passwords of the users allowed to access the directory. Keep it outside the document root so it can never be served as content, and make it readable only by the user Apache runs as:
htpasswd -c /etc/httpd/conf/allowed.users user1
New password: (enter the password twice)
By default htpasswd stores an MD5-based (apr1) hash; on Apache 2.4 use htpasswd -B to store a bcrypt hash instead. To add a second user, run htpasswd again against the same file but without the -c option. That option creates the file, so using it again overwrites the file and discards every user already in it.
htpasswd /etc/httpd/conf/allowed.users user2
#4. Add a <Directory> section for the newly created directory to your httpd.conf, with AuthUserFile pointing at the file from step 3.
#5. Check your Apache configuration files for syntax errors (httpd -t) and reload Apache.
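A complete <Directory> section for step 4, as an added example rather than the original post's configuration. It assumes the document root is /var/www/html and reuses the /etc/httpd/conf/allowed.users file created in step 3; the realm name in AuthName is arbitrary.

```apache
# Added example (not from the original post). Assumed document root:
# /var/www/html, so the protected directory is /var/www/html/authtest.
<Directory "/var/www/html/authtest">
    AuthType Basic
    # The realm shown in the browser's login prompt
    AuthName "Restricted Area"
    # The file written by: htpasswd -c /etc/httpd/conf/allowed.users user1
    # It lives outside the document root so it is never served to clients.
    AuthUserFile /etc/httpd/conf/allowed.users
    # Any account in the file may log in; to limit access to named
    # accounts use instead:  Require user user1 user2
    Require valid-user
</Directory>
```

After adding it, run httpd -t, reload Apache, and test with a browser or with curl -u user1 against the directory: an unauthenticated request must return 401, a wrong password 401, and a correct one the "Welcome Authenticated User" page. Because the credentials travel base64-encoded, put this <Directory> inside an HTTPS virtual host.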
AD/LDAP Anonymous Authentication
#1. Create a directory under your document root. Let’s call it ldaptest.
#2. Within ldaptest directory create an index.html file with just some basic text. Mine looks like: Hello LDAP authenticated user.
#3. Edit httpd.conf and add the following (this is Apache 2.2 syntax; on Apache 2.4 AuthzLDAPAuthoritative no longer exists and Order/Allow are replaced by Require):
<Directory "/path/to/docroot/ldaptest">
    # Options All switches on everything (Indexes, Includes, ExecCGI, ...);
    # nothing in this test needs it, so Options None is enough
    Options All
    # Only needed if you use .htaccess files; AuthConfig is the minimum then
    AllowOverride All
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName "Restricted LDAP Access"
    AuthLDAPURL "ldap://domaincontroller.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
    Require ldap-user dlopez
</Directory>
#4. Check the Apache configuration files for errors: httpd -t
#5. If there are no errors, reload Apache (on RHEL/CentOS): service httpd reload
#6. Now browse to the ldaptest directory and enter an AD user's credentials. Note that this will only work if your AD allows queries from anonymous users: with no bind DN configured, Apache binds to the domain controller anonymously to look up the user's DN and only then binds as that user. Active Directory refuses anonymous queries by default, and the NONE connection type also sends the user's password to the domain controller in the clear, which is why the next section uses a bind account and an encrypted connection.
AD/LDAP Non-Anonymous Authentication
Note: Some of this information was taken from the following URL: http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_with_microsoft_active_directory/
#1. Create a directory under your document root. Let’s call it ldaptest.
#2. Within ldaptest directory create an index.html file with just some basic text. Mine looks like: Hello LDAP authenticated user.
#3. Edit httpd.conf file and add the following:
If port 389 does not work for you for some reason, try port 3268. Peter Harvey-Rice let me know by e-mail about the difference between ports 389 and 3268.
Port 389 talks to the local AD domain controller and can see the local AD tree. Port 3268 talks to the Global Catalog on the domain controller, if that role is enabled, and can see the whole forest if you have more than one tree in the directory; the other trees live on other servers, but their information is consolidated into one forest. The TLS equivalents of these ports are 636 and 3269.
AuthBasicProvider ldap and AuthType Basic tell Apache to use LDAP for authentication. AuthzLDAPAuthoritative off tells Apache that LDAP does not have the final word over who gets access and who does not. This is one of the differences between mod_auth_ldap and mod_authnz_ldap: in our case LDAP just passes some information back to Apache, and mod_authz_user has the final decision over who gets access and who does not. The AuthName directive sets the title (the realm) that users see in their login popup. Next up is the AuthLDAPURL. It is built up as follows:
"protocol://hostname:port/base?attribute?scope?filter" NONE
base is the BaseDN you want to search under. Usually just your domain name (above it is example.com, written as DC=example,DC=com) will do. The LDAP attribute is what you try to match to the username that the user typed in. Browse through LDAP to see what possibilities are available; sAMAccountName is the name that Windows users use to log in to their systems. The scope parameter tells LDAP how deep to search beneath the BaseDN. Do yourself a favour and leave it on "sub" (all the way). The filter determines what kind of objects should be returned. In my example I play safe again and say "all objects"; in production, narrowing it to (objectClass=user) keeps contacts and other non-user objects out of the search.
Officially base, attribute, scope and filter are all optional, but Active Directory refused to play ball when I did not specify everything. Alex Belbey contributes that NONE specifies the kind of connection to use, in this case an unsecured connection (as opposed to an SSL- or TLS-encrypted connection):
- NONE: Establish an unsecured connection on the default LDAP port. This is the same as ldap:// on port 389.
- SSL: Establish a secure connection on the default secure LDAP port. This is the same as ldaps:// on port 636.
- TLS/STARTTLS: Establish an upgraded secure connection on the default LDAP port. The connection is initiated on port 389 by default and then upgraded to a secure connection on the same port.
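The non-anonymous configuration this section leads up to, written out as an added example (it is neither the original post's nor the linked article's own config). It protects the same ldaptest directory, but Apache binds with a dedicated read-only service account instead of anonymously and talks to the Global Catalog over an SSL connection instead of NONE on port 3268. The host name, the service-account DN and password, the CA file path and the group DN are assumed placeholders.

```apache
# Added example (not from the original post). Requires mod_ldap and
# mod_authnz_ldap to be loaded. Assumed values: the domain controller name,
# the CA file, the service account and its password, and the group DN.

# mod_ldap trusts the CA that issued the domain controller's certificate.
# These two directives belong at server (global) scope, not in <Directory>.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-root-ca.pem
LDAPVerifyServerCert On

<Directory "/path/to/docroot/ldaptest">
    AuthType Basic
    AuthName "Restricted LDAP Access"
    AuthBasicProvider ldap
    # Apache 2.2 only; the directive was removed in 2.4, where Require is
    # always authoritative.
    AuthzLDAPAuthoritative off
    # Apache 2.2 access control. On 2.4 drop these two lines and do NOT add
    # "Require all granted" next to "Require ldap-user": 2.4 ORs multiple
    # Require lines by default, so that would let everyone in.
    Order allow,deny
    Allow from all

    # SSL keyword == ldaps://. Port 3269 is the Global Catalog over TLS;
    # use 636 to query a single domain's controller instead. The filter
    # limits the search to user objects.
    AuthLDAPURL "ldap://domaincontroller.example.com:3269/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" SSL

    # Service account used only for the search bind. Give it no rights
    # beyond reading the directory; httpd.conf now holds its password, so
    # keep the file readable by root only.
    AuthLDAPBindDN "CN=svc-apache-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "change-me"

    # Per-user list as in the original post. An AD group scales better:
    # Require ldap-group CN=web-users,OU=Groups,DC=example,DC=com
    Require ldap-user dlopez
</Directory>
```

Apache first binds as the service account, searches for the user whose sAMAccountName matches the typed name, then rebinds as that user's DN with the typed password; both binds ride the encrypted connection. The user's password still reaches Apache base64-encoded in the Basic header, so this <Directory> must sit inside an HTTPS virtual host. Verify with httpd -t, reload, and check that a wrong password and an account not listed in Require both get 401.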