Apache Authentication

Basic Authentication

Apache has a basic authentication built in that uses the htpasswd command that creates a local file on the file system with which users can authenticate to a particular web directory.

#1. Create a directory to place password protection on.  For this example I will call the directory authtest

#2.  Place an index.html file with something simple. Mine says: Welcome Authenticated User

#3. Create a file with the usernames and encrypted passwords of users that are allowed to access the website:

htpasswd -c /etc/httpd/conf/allowed.users user1

New Password: Enter password twice

To add a second user, run the htpasswd command again for the same file but without the -c option. That option creates the file, so using it again overwrites the file and blows away all previously added usernames and passwords.

htpasswd /etc/httpd/conf/allowed.users user2

#4.  Create a directory section in your httpd.conf file for the newly created directory.

<Directory "/path/to/docroot/authtest">
Options All
# AllowOverride must be at least AuthConfig for .htaccess files to be honoured
AllowOverride All
Order allow,deny
Allow from all
AuthType Basic
AuthName "Authenticated Users"
AuthUserFile /etc/httpd/conf/allowed.users
Require valid-user
</Directory>
The four lines AuthType, AuthName, AuthUserFile and Require are what enable Apache authentication on a directory. You can either put them in the Directory section as demonstrated above or you can put them in a .htaccess file.  For the .htaccess file to work, AllowOverride must be set at a minimum to AuthConfig or All.  AuthName is what is presented to the user when they browse to the password protected website.  allowed.users is the file that is created with the htpasswd command and stores the usernames and encrypted passwords.

#5. Check your apache configuration files for errors: httpd -t

#6. Reload apache: (On RHEL/CentOS): service httpd reload
#7. Browse to the website and you should be prompted for a user name and password. Upon successful authentication, you should see the index.html file you created.
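As an added illustration (not part of the original post, and not Apache's own code), the following Python reimplements the $apr1$ scheme that htpasswd uses with its -m MD5 option, so you can see what allowed.users actually stores and how a line is checked: a per-user salt, 1000 MD5 rounds, and a constant-time comparison. The usernames, passwords and salts are constructed for the example; htpasswd picks random salts.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):  # crypt(3)-style base-64, low 6 bits first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_md5(password: bytes, salt: bytes) -> str:
    # Apache's $apr1$ scheme: salted MD5 with 1000 stretching rounds (htpasswd -m)
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$apr1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for n in range(len(password), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(password)
    while n:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching slows offline guessing against a stolen file
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[x] << 16) | (final[y] << 8) | final[z], 4)
                  for x, y, z in groups)
    return "$apr1$%s$%s%s" % (salt.decode(), enc, _to64(final[11], 2))

def verify(htpasswd_text: str, user: str, password: str) -> bool:
    # True only if `user` has a $apr1$ entry and `password` reproduces its hash
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            salt = stored.split("$")[2].encode()
            computed = apr1_md5(password.encode(), salt)
            return hmac.compare_digest(computed, stored)  # constant-time comparison
    return False

# Constructed allowed.users content with fixed salts (htpasswd picks random salts)
ALLOWED_USERS = "user1:%s\nuser2:%s" % (apr1_md5(b"Winter2024!", b"a1B2c3D4"),
                                        apr1_md5(b"s3cret pass", b"Zz9yX8wV"))
```

Because the file holds only salted, stretched hashes, leaking it does not directly leak passwords, but it should still be kept outside the document root and readable only by the Apache user.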

AD/LDAP Anonymous Authentication

#1. Create a directory under your document root.  Let’s call it ldaptest.

#2. Within ldaptest directory create an index.html file with just some basic text.  Mine looks like: Hello LDAP authenticated user.

#3. Edit httpd.conf file and add the following:

<Directory "/path/to/docroot/ldaptest">
Options All
# AllowOverride must be at least AuthConfig for .htaccess files to be honoured
AllowOverride All
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Restricted LDAP Access"
AuthLDAPURL "ldap://domaincontroller.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
Require ldap-user dlopez
</Directory>
#4. Check apache configuration files for errors: httpd -t
#5. If no errors, reload apache: (on RHEL/CentOS): service httpd reload
#6. Now browse to the ldaptest directory and enter an AD user's credentials. Note this will not work unless your AD allows queries from anonymous users!!

AD/LDAP Non-Anonymous Authentication

Note: Some of this information was taken from the following URL: http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_with_microsoft_active_directory/

#1. Create a directory under your document root.  Let’s call it ldaptest.

#2. Within ldaptest directory create an index.html file with just some basic text.  Mine looks like: Hello LDAP authenticated user.

#3. Edit httpd.conf file and add the following:

<Directory "/path/to/docroot/ldaptest">
Options All
# AllowOverride must be at least AuthConfig for .htaccess files to be honoured
AllowOverride All
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Restricted LDAP Access"
AuthLDAPURL "ldap://domaincontroller.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "queryuser@example.com"
AuthLDAPBindPassword "queryuser's password"
Require ldap-user dlopez
</Directory>

If port 389 does not work for you for some reason, try port 3268. Peter Harvey-Rice let me know by e-mail about the difference between ports 389 and 3268.

Port 389 talks to the local AD server, and can see the local AD tree. Port 3268 talks to the ‘Global Directory’ on the AD server – if the option is enabled – and can see the whole forest if you have more than one tree in the directory; of course the other trees would be on other servers, but the info is consolidated into one forest.

AuthBasicProvider ldap and AuthType Basic tell Apache to use LDAP for authentication. AuthzLDAPAuthoritative off tells Apache that LDAP does not have the final word over who gets access and who doesn’t. This is one of the differences between mod_auth_ldap and mod_authnz_ldap. In our case, LDAP just passes some information back to Apache and mod_authz_user has the final decision over who gets access and who does not. The AuthName directive sets the title that the users will see on their login popup. Next up is the AuthLDAPURL. It’s built up as such:

"protocol://hostname:port/base?attribute?scope?filter" NONE

base is the BaseDN you want to search under. Usually just your domain name (above it’s example.com) will do. The LDAP attribute is what you try to match to the username that the user typed in. Browse through LDAP to see what possibilities are available. The sAMAccountName is the name that Windows users use to login to their system. The scope parameter tells LDAP how deep to search beneath the BaseDN. Do yourself a favour and leave it on “sub” (all the way). The filter determines what kind of objects should be returned. In my example I play safe again and say “all objects”.

Officially the base, attribute, scope and filter are all optional variables, but Active Directory refused to play ball if I did not specify everything. Alex Belbey contributes that NONE specifies the kind of connection to use, in this case an unsecured connection (as opposed to e.g. an SSL or TLS encrypted connection):

NONE: Establish an unsecured connection on the default LDAP port. This is the same as ldap:// on port 389.
SSL: Establish a secure connection on the default secure LDAP port. This is the same as ldaps://.
TLS/STARTTLS: Establish an upgraded secure connection on the default LDAP port. This connection is initiated on port 389 by default and then upgraded to a secure connection on the same port.
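To make the pieces of the URL concrete, here is an added Python example (not from the original post and not Apache's code) that splits an AuthLDAPURL line into the parts described above, fills in the mod_authnz_ldap defaults for fields left out, and builds the search filter Apache sends, (&(filter)(attribute=username)), escaping the typed username per RFC 4515 so it cannot change the filter's structure. The directive string is the one from this post; the function names are mine.

```python
import shlex

# The directive from this post (port 3268 is the Global Catalog port)
DIRECTIVE = ('AuthLDAPURL "ldap://domaincontroller.example.com:3268/DC=example,DC=com'
             '?sAMAccountName?sub?(objectClass=*)" NONE')

# RFC 4515 escapes for characters that would otherwise change a filter's structure
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    # A username typed into the browser must not be able to alter the search filter
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_auth_ldap_url(directive: str) -> dict:
    # Split 'AuthLDAPURL "url" [NONE|SSL|TLS|STARTTLS]' into its documented parts
    tokens = shlex.split(directive)
    if len(tokens) < 2 or tokens[0] != "AuthLDAPURL":
        raise ValueError("not an AuthLDAPURL directive")
    url = tokens[1]
    mode = tokens[2].upper() if len(tokens) > 2 else "NONE"
    scheme, _, rest = url.partition("://")
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = path.split("?") + [""] * 4  # pad so omitted trailing fields read as empty
    base, attribute, scope, flt = parts[:4]
    default_port = 636 if scheme == "ldaps" or mode == "SSL" else 389
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else default_port,
        "base": base,
        "attribute": attribute or "uid",                      # mod_authnz_ldap default
        "scope": "sub" if scope in ("", "base") else scope,   # base is treated as sub
        "filter": flt or "(objectClass=*)",                   # default when omitted
        "mode": mode,
    }

def search_filter(cfg: dict, username: str) -> str:
    # Apache combines filter, attribute and the typed username as (&(filter)(attribute=username))
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))
```

Running search_filter on the parsed directive for dlopez yields the filter the domain controller actually evaluates, which is a quick way to check that the attribute and base you chose match what the directory contains.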